Skip to main content
تشغيل أي مهارة في Manus
بنقرة واحدة
PentesterFlow
ملف منشئ GitHub

PentesterFlow

عرض على مستوى المستودعات لـ 11 skills مجمعة عبر 1 مستودعات GitHub.

skills مجمعة
11
مستودعات
1
محدث
2026-06-01
خريطة المستودعات

أين توجد skills

أهم المستودعات حسب عدد skills المجمعة، مع حصتها من كتالوج هذا المنشئ وانتشارها المهني.

مستكشف المستودعات

المستودعات و skills الممثلة

deserialize
محللو أمن المعلومات

Insecure-deserialization playbook — fingerprint the language/format (Java serialized, .NET BinaryFormatter, Python pickle, PHP unserialize, Node serialize, YAML/JSON-with-types), then build a working gadget chain with ysoserial / ysoserial.net / phpggc / custom pickle. Use when you see serialized blobs (rO0/AC ED, base64 ViewState, PHP O:) or a parameter/cookie that deserializes user input.

2026-06-01
graphql
محللو أمن المعلومات

GraphQL pentest playbook — find the endpoint, dump the schema (introspection or field-suggestion fallback), then test for authorization gaps, query batching, alias overload, depth-based DoS, and SQLi/NoSQLi in resolver arguments. Use when the target exposes a /graphql endpoint, GraphiQL, Apollo, or accepts GraphQL queries.

2026-06-01
jwt
محللو أمن المعلومات

JWT attack playbook — algorithm confusion (alg=none, HS/RS confusion), kid path traversal/SQLi, jku/x5u SSRF, weak HS256 cracking, and embedded JWK trickery. Use when the target uses JWTs for auth (header.payload.signature).

2026-06-01
race
محللو أمن المعلومات

Race condition / TOCTOU playbook — limit overrun (one-time codes used twice, gift cards spent twice), single-packet attack (last-byte sync) to force parallel processing, and state-confusion races (file upload + read, order before payment). Use when timing-sensitive logic could be abused — one-time codes, coupons/gift cards, balance or limit checks, double-spend.

2026-06-01
recon
محللو أمن المعلومات

External recon playbook for a web target — subdomain enumeration, live-host probing, tech fingerprinting, and a first pass at content discovery. Use when the user gives you a root domain or apex and wants attack surface mapping.

2026-06-01
ssrf
محللو أمن المعلومات

Deep-dive SSRF testing — bypass filters, hit cloud metadata, chain to RCE/credential disclosure. Use when a target parameter clearly accepts a URL or hostname.

2026-06-01
ssti
مطوّرو البرمجيات

Server-Side Template Injection — fingerprint the engine first (Jinja2 / Twig / Velocity / Freemarker / ERB / Smarty / Mako / Handlebars / Pug), then escalate the engine-specific primitive to RCE or sandbox escape. Use when user input is reflected through a template engine (Jinja2/Twig/Velocity/Freemarker/ERB/Smarty/Mako/Handlebars/Pug) or {{7*7}} evaluates to 49.

2026-06-01
supabase
مطوّرو البرمجيات

Supabase / PostgREST Row-Level-Security playbook — pull the anon (or leaked service_role) key out of the frontend JS, map tables from the auto-generated OpenAPI spec, test anonymous RLS READ disclosures (PII/secret leaks), and anonymous RLS WRITE abuse (insert/update/delete — e.g. forging "certificate"/verification/entitlement rows the app trusts). Use when the target's frontend talks to *.supabase.co, ships an anon JWT, or you see /rest/v1/, /auth/v1/, /storage/v1/ requests.

2026-06-01
عرض أهم 8 من أصل 11 skills مجمعة في هذا المستودع.
عرض 1 من أصل 1 مستودعات
تم تحميل كل المستودعات