Summary
When you need to find ways into a web app, this covers the full attack surface. SQL injection with WAF bypasses, XSS in different contexts, SSRF for cloud metadata access, command injection with filter evasion, JWT attacks, GraphQL introspection, IDOR enumeration, and business logic flaws like negative quantities. The advanced section gets into HTTP request smuggling (CL.TE, TE.CL, H2.CL variants) and web cache poisoning techniques that most guides skip. It's comprehensive enough that you won't need to context switch between multiple references during an assessment. The payloads are copy-paste ready but assume you understand what you're doing and have authorization.
Install to Claude Code
npx -y skills add hypnguyen1209/offensive-claude --skill web-pentest --agent claude-codeInstalls into .claude/skills of the current project.
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
An agent that runs the SEO playbooks that move rankings and ships PRs you control.
Get founding access →
Connect Claude to +800M contacts, +150M companies. Find & Enrich leads in chat.
Try For Free →Files
SKILL.md
Select a file.
Featured
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →An agent that runs the SEO playbooks that move rankings and ships PRs you control.
Get founding access →Connect Claude to +800M contacts, +150M companies. Find & Enrich leads in chat.
Try For Free →
