performing-web-application-penetration-test
Conducts thorough security assessments of web applications using OWASP guidelines and Burp Suite to identify vulnerabilities effectively.
Security score: 53/100
The performing-web-application-penetration-test skill was audited on Jun 5, 2026 and we found 5 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Security Issues
[high] line 98: Template literal with variable interpolation in command context
Source: SKILL.md
| 98 | - **Server-Side Template Injection (SSTI)**: Test with `{{7*7}}`, `${7*7}`, `<%= 7*7 %>` in parameters rendered by template engines |
[medium] line 95: Webhook reference - potential data exfiltration
Source: SKILL.md
| 95 | - **Server-Side Request Forgery (SSRF)**: Supply internal URLs (`http://169.254.169.254/latest/meta-data/`, `http://127.0.0.1:6379/`) in parameters that fetch external resources (webhooks, image URLs, |
[critical] line 97: Access to /etc/passwd
Source: SKILL.md
| 97 | - **XML External Entity (XXE)**: Submit XML payloads with external entity declarations (`<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>`) in XML upload or API endpoints |
[low] line 63: External URL reference
Source: SKILL.md
| 63 | - Enumerate endpoints using `ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://target.com/FUZZ -mc 200,301,302,403` |
[low] line 95: External URL reference
Source: SKILL.md
| 95 | - **Server-Side Request Forgery (SSRF)**: Supply internal URLs (`http://169.254.169.254/latest/meta-data/`, `http://127.0.0.1:6379/`) in parameters that fetch external resources (webhooks, image URLs, |
Scanned on Jun 5, 2026