performing-web-application-penetration-test
Conducts thorough security testing of web applications using OWASP guidelines to identify vulnerabilities and enhance application security.
Security score: 53/100
The performing-web-application-penetration-test skill was audited on Jun 13, 2026; the scan reported 5 security issues across 4 threat categories, including 1 critical. All five findings point at payload examples quoted from the skill's own SKILL.md (lines 65, 97, 99 and 100). Review the findings below before installing.
Security Issues
high, SKILL.md line 100: Template literal with variable interpolation in command context
  Flagged line: - **Server-Side Template Injection (SSTI)**: Test with `{{7*7}}`, `${7*7}`, `<%= 7*7 %>` in parameters rendered by template engines

medium, SKILL.md line 97: Webhook reference - potential data exfiltration
  Flagged line: - **Server-Side Request Forgery (SSRF)**: Supply internal URLs (`http://169.254.169.254/latest/meta-data/`, `http://127.0.0.1:6379/`) in parameters that fetch external resources (webhooks, image URLs,

critical, SKILL.md line 99: Access to /etc/passwd
  Flagged line: - **XML External Entity (XXE)**: Submit XML payloads with external entity declarations (`<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>`) in XML upload or API endpoints

low, SKILL.md line 65: External URL reference
  Flagged line: - Enumerate endpoints using `ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://target.com/FUZZ -mc 200,301,302,403`

low, SKILL.md line 97: External URL reference
  Flagged line: - **Server-Side Request Forgery (SSRF)**: Supply internal URLs (`http://169.254.169.254/latest/meta-data/`, `http://127.0.0.1:6379/`) in parameters that fetch external resources (webhooks, image URLs,
Scanned on Jun 13, 2026
GitHub stars: 603
Category: development
Updated: June 15, 2026
Tags: openclaw, testing, api, security-engineer, qa-engineer, backend-developer, devops-sre, data-analyst, development, data analytics
xalgord/xalgorix