
ctf-web

Provides techniques for web exploitation in CTF challenges, covering vulnerabilities like XSS, SQLi, and JWT attacks.

Security score: 0/100

The ctf-web skill was audited on Feb 9, 2026. The scan found 15 security issues across 4 threat categories, including 1 critical. Review the findings below before installing. All 15 findings are pattern matches against the skill's SKILL.md, which (per the description above) documents web-exploitation techniques for CTF challenges, so the flagged lines are the payload strings that documentation contains: traversal paths, an XXE entity declaration, a Node template-injection expression, hex-escaped XSS payloads, and tool invocations against a placeholder host. Judge each finding by whether that payload belongs in such a document, not by the matched pattern alone.

Security Issues

high (SKILL.md line 90): Direct command execution function call
    <%- global.process.mainModule.require('child_process').execSync('id') %>

low (SKILL.md line 90): Node child_process module reference
    <%- global.process.mainModule.require('child_process').execSync('id') %>

high (SKILL.md line 61): Access to /etc/passwd
    ../../../etc/passwd

high (SKILL.md line 62): Access to /etc/passwd
    ....//....//....//etc/passwd # Filter bypass

critical (SKILL.md line 68): Access to /etc/passwd
    **Python footgun:** `os.path.join('/app/public', '/etc/passwd')` returns `/etc/passwd`
high (SKILL.md line 115): Access to /etc/passwd
    <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
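The entity declaration above is the standard XXE probe; whether it reads a file depends entirely on whether the parser is allowed to load external general entities. The following is an added example, not the skill's or this page's code: the same payload shape is fed to Python's stdlib xml.sax parser with that feature off (the default) and on, with a constructed stand-in file replacing /etc/passwd so the demo never reads the real one. `parse_text`, `parse_text_hardened`, `hardened_accepts` and `TextCollector` are names chosen for this example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class TextCollector(xml.sax.ContentHandler):
    """Collects character data so we can see what, if anything, &xxe; expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, load_external_entities):
    """Parse with the stdlib SAX parser. feature_external_ges is False by default;
    switching it on is the misconfiguration that turns this payload into a file read."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, load_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def parse_text_hardened(xml_bytes):
    """Defence in depth: refuse any document carrying a DOCTYPE (the only place an
    entity can be declared), and keep external entity loading off regardless."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE declarations are not accepted")
    return parse_text(xml_bytes, load_external_entities=False)


def hardened_accepts(xml_bytes):
    """True if the hardened parser accepts the document, False if it rejects it."""
    try:
        parse_text_hardened(xml_bytes)
        return True
    except ValueError:
        return False


# Constructed stand-in for /etc/passwd so the demo never touches the real file.
_tmpdir = tempfile.mkdtemp()
TARGET_FILE = os.path.join(_tmpdir, "passwd")
with open(TARGET_FILE, "w") as f:
    f.write("root:x:0:0:root:/root:/bin/bash\n")

# Same shape as the flagged line, with the SYSTEM identifier pointed at the stand-in.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file://{TARGET_FILE}">]>\n'
    "<foo>&xxe;</foo>"
).encode()


if __name__ == "__main__":
    print("default (external entities off):", repr(parse_text(XXE_PAYLOAD, False)))
    print("misconfigured (external entities on):", repr(parse_text(XXE_PAYLOAD, True)))
    print("hardened accepts payload:", hardened_accepts(XXE_PAYLOAD))
```

With the feature off, `&xxe;` expands to nothing and the element text is empty; with it on, the file's first line comes back as the element text. The DOCTYPE rejection is the coarse check to reach for when the application has no legitimate use for DTDs, since it also removes entity-expansion denial-of-service payloads that need no external access at all.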
medium (SKILL.md line 61): Path traversal pattern
    ../../../etc/passwd

medium (SKILL.md line 27): Access to .env file
    - Common paths: `/robots.txt`, `/sitemap.xml`, `/.well-known/`, `/admin`, `/api`, `/debug`, `/.git/`, `/.env`

medium (SKILL.md line 75): Access to .env file
    4. Key exposure — check `/api/getPublicKey`, `.env`, `/debug/config`

high (SKILL.md line 54): Hex-encoded characters
    Filter bypass: hex `\x3cscript\x3e`, entities `&#60;script&#62;`, case mixing `<ScRiPt>`, event handlers.

high (SKILL.md line 167): Hex-encoded characters
    - Lowercased response body → use hex escapes (`\x3c` for `<`)
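Both hex-escape findings above (SKILL.md lines 54 and 167) describe the same failure: a filter inspects the raw request for `<script`, but the value ends up inside a JavaScript string literal, where the engine decodes `\x3c` to `<` only after the filter has run. The hex digits are case-insensitive, which is why the escape also survives a response body that has been lowercased. The following is an added example, not from the skill or this page, with a constructed blocklist filter and two constructed sinks; Python's unicode_escape codec stands in for the browser's string-literal decoding, an assumption that holds for the ASCII payloads used here.

```python
import json


def naive_filter(value):
    """Constructed blocklist filter of the kind the two findings above get past:
    lowercase, then reject the literal tag (so case mixing alone is not enough)."""
    return "<script" not in value.lower()


def render_into_js_string(value):
    """Vulnerable sink: the reflected value is dropped into a JavaScript string
    literal in the response body with no escaping."""
    return 'var q = "' + value + '";'


def render_into_js_string_safe(value):
    """Hardened sink: JSON-encode (which escapes quotes and backslashes, so the
    attacker's \\x3c arrives as the literal characters backslash, x, 3, c) and
    additionally escape < > & so the HTML parser can never see a closing
    </script> inside the literal."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return "var q = " + encoded + ";"


def js_string_value(js_source):
    """Model of what the browser's JS engine stores in q: take the string literal
    and decode its \\xHH / \\uHHHH escapes. unicode_escape is a stand-in for the
    JS string-literal grammar (assumption: adequate for ASCII payloads)."""
    body = js_source[js_source.index('"') + 1 : js_source.rindex('"')]
    return body.encode("utf-8").decode("unicode_escape")


def reflect(value, sink):
    """Filter, then render, then decode as the browser would.
    Returns None when the filter rejected the input."""
    if not naive_filter(value):
        return None
    return js_string_value(sink(value))


if __name__ == "__main__":
    for payload in ("<script>", "<ScRiPt>", "\\x3cscript\\x3e",
                    "\\x3Cscript\\x3E".lower()):
        print(f"{payload!r}")
        print("  vulnerable sink ->", repr(reflect(payload, render_into_js_string)))
        print("  hardened sink   ->", repr(reflect(payload, render_into_js_string_safe)))
```

The filter stops `<script>` and `<ScRiPt>` but passes `\x3cscript\x3e`, which the vulnerable sink turns into a real `<script>` value at runtime, lowercased or not. The hardened sink does not try to detect payloads at all: it encodes for the exact context (a JS string inside HTML), so the same input reaches the script as the harmless literal text `\x3cscript\x3e`, and a genuine `</script>` in the data can no longer break out of the block because no `<` ever appears in the response body.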
low (SKILL.md line 100): External URL reference
    DNS rebinding for TOCTOU: https://lock.cmpxchg8b.com/rebinder.html

low (SKILL.md line 172): External URL reference
    sqlmap -u "http://target/?id=1" --dbs # SQLi

low (SKILL.md line 173): External URL reference
    ffuf -u http://target/FUZZ -w wordlist.txt # Directory fuzzing

low (SKILL.md line 176): External URL reference
    dalfox url http://target/?q=test # XSS
Scanned on Feb 9, 2026