Loading...
Loading...
Found 92 Skills
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
Comprehensive API security testing skill for REST, GraphQL, gRPC, and WebSocket APIs. This skill should be used when performing API penetration testing, testing for OWASP API Top 10 vulnerabilities, fuzzing API endpoints, testing authentication/authorization, and analyzing API specifications. Triggers on requests to test API security, pentest REST APIs, test GraphQL endpoints, analyze OpenAPI/Swagger specs, or find API vulnerabilities.
Security Benchmark Runner - Auto-activating skill for Security Advanced. Triggers on: security benchmark runner, security benchmark runner Part of the Security Advanced skill category.
Prototype pollution testing for JavaScript stacks. Use when user input is merged into objects (query parsers, JSON bodies, deep assign), when configuring libraries via untrusted keys, or when hunting RCE gadgets via polluted Object.prototype in Node or the browser.
XSLT injection testing: processor fingerprinting, XXE and document() SSRF, EXSLT write primitives, PHP/Java/.NET extension RCE surfaces. Use when user-controlled XSLT/stylesheet input or transform endpoints are in scope.
Reconnaissance and methodology playbook. Use when mapping assets, discovering endpoints, fingerprinting technology, and building a structured testing plan for a new target.
Business logic vulnerability playbook. Use when reasoning about workflows, race conditions, price manipulation, coupon abuse, state machines, and multi-step authorization gaps.
Windows lateral movement playbook. Use when pivoting between Windows hosts via PsExec, WMI, WinRM, DCOM, RDP, pass-the-hash, overpass-the-hash, or pass-the-ticket techniques.
Windows local privilege escalation playbook. Use when you have low-privilege shell access on Windows and need to escalate via token abuse, Potato exploits, service misconfigurations, DLL hijacking, UAC bypass, or registry autoruns.
Linux privilege escalation playbook. Use when you have low-privilege shell access and need to escalate to root via SUID/SGID binaries, capabilities, cron abuse, kernel exploits, misconfigurations, or credential harvesting on Linux systems.
Professional Skills and Methodologies for Command Injection Vulnerability Testing
Role of Web Security Testing and Penetration Engineer, focusing on JavaScript reverse engineering and browser security research. Trigger scenarios: (1) JS reverse analysis: identification of encryption algorithms (SM2/SM3/SM4/AES/RSA), obfuscated code restoration, Cookie anti-crawling bypass, WASM reverse engineering (2) Browser debugging: XHR breakpoints, event listening, infinite debugger bypass, Source Map restoration (3) Hook technology: writing XHR/Header/Cookie/JSON/WebSocket/Canvas Hooks (4) Security product analysis: Offensive and defensive analysis of JS security products such as Ruishu, Jiasule, Chuangyudun, etc. (5) Legal scenarios such as CTF competitions, authorized penetration testing, security research, etc.