Search Results: waf-bypass

Found 5 Skills

Security & Complianceyaklang/hack-skills

cmdi-command-injection

Command injection playbook. Use when user input may reach shell commands, process execution, converters, import pipelines, or blind out-of-band command sinks.

🇺🇸|EnglishTranslated

Security & Complianceyaklang/hack-skills

http-parameter-pollution

HTTP Parameter Pollution (HPP): duplicate query/body keys parsed differently by servers, proxies, WAFs, and app frameworks. Use when filters and application layers disagree on which value wins, enabling bypass, SSRF second URL, logic abuse, or CSRF token confusion.

🇺🇸|EnglishTranslated

Security & Complianceyaklang/hack-skills

sqli-sql-injection

SQL injection playbook. Use when input reaches SQL queries, authentication logic, sorting, filtering, reporting, or DB-specific blind and out-of-band execution paths.

🇺🇸|EnglishTranslated

Security & Complianceyaklang/hack-skills

ghost-bits-cast-attack

Java "Ghost Bits" / Cast Attack playbook (Black Hat Asia 2026). Use when attacking Java services where 16-bit char is silently narrowed to 8-bit byte to bypass WAF/IDS for SQL injection, deserialization RCE, file upload (Webshell), path traversal, CRLF injection, request smuggling, and SMTP injection. Affects Tomcat, Spring, Jetty, Undertow, Vert.x, Jackson, Fastjson, Apache Commons BCEL, Apache HttpClient, Angus Mail, JDK HttpServer, Lettuce, Jodd, XMLWriter and re-enables many "patched" CVEs through WAF bypass.

🇺🇸|EnglishTranslated

Security & Compliancecrazymarky/pentest-skills

exploit-xss

Cross-site scripting (XSS) vulnerability detection and exploitation. Supports reflected XSS, stored XSS, DOM-based XSS, and blind XSS testing. Use this skill when user mentions XSS, cross-site scripting, script injection, or needs to test JavaScript injection in parameters, forms, headers, or DOM sources.

🇺🇸|EnglishTranslated

12 scripts/Attention