Skip to main content
Exécutez n'importe quel Skill dans Manus
en un clic
PentesterFlow
Profil créateur GitHub

PentesterFlow

Vue par dépôt de 11 skills collectés dans 1 dépôts GitHub.

skills collectés
11
dépôts
1
mis à jour
2026-06-01
carte des dépôts

Où se trouvent les skills

Principaux dépôts par nombre de skills collectés, avec leur part dans ce catalogue créateur et leur couverture métier.

explorateur de dépôts

Dépôts et skills représentatifs

deserialize
Analystes en sécurité de l'information

Insecure-deserialization playbook — fingerprint the language/format (Java serialized, .NET BinaryFormatter, Python pickle, PHP unserialize, Node serialize, YAML/JSON-with-types), then build a working gadget chain with ysoserial / ysoserial.net / phpggc / custom pickle. Use when you see serialized blobs (rO0/AC ED, base64 ViewState, PHP O:) or a parameter/cookie that deserializes user input.

2026-06-01
graphql
Analystes en sécurité de l'information

GraphQL pentest playbook — find the endpoint, dump the schema (introspection or field-suggestion fallback), then test for authorization gaps, query batching, alias overload, depth-based DoS, and SQLi/NoSQLi in resolver arguments. Use when the target exposes a /graphql endpoint, GraphiQL, Apollo, or accepts GraphQL queries.

2026-06-01
jwt
Analystes en sécurité de l'information

JWT attack playbook — algorithm confusion (alg=none, HS/RS confusion), kid path traversal/SQLi, jku/x5u SSRF, weak HS256 cracking, and embedded JWK trickery. Use when the target uses JWTs for auth (header.payload.signature).

2026-06-01
race
Analystes en sécurité de l'information

Race condition / TOCTOU playbook — limit overrun (one-time codes used twice, gift cards spent twice), single-packet attack (last-byte sync) to force parallel processing, and state-confusion races (file upload + read, order before payment). Use when timing-sensitive logic could be abused — one-time codes, coupons/gift cards, balance or limit checks, double-spend.

2026-06-01
recon
Analystes en sécurité de l'information

External recon playbook for a web target — subdomain enumeration, live-host probing, tech fingerprinting, and a first pass at content discovery. Use when the user gives you a root domain or apex and wants attack surface mapping.

2026-06-01
ssrf
Analystes en sécurité de l'information

Deep-dive SSRF testing — bypass filters, hit cloud metadata, chain to RCE/credential disclosure. Use when a target parameter clearly accepts a URL or hostname.

2026-06-01
ssti
Développeurs de logiciels

Server-Side Template Injection — fingerprint the engine first (Jinja2 / Twig / Velocity / Freemarker / ERB / Smarty / Mako / Handlebars / Pug), then escalate the engine-specific primitive to RCE or sandbox escape. Use when user input is reflected through a template engine (Jinja2/Twig/Velocity/Freemarker/ERB/Smarty/Mako/Handlebars/Pug) or {{7*7}} evaluates to 49.

2026-06-01
supabase
Développeurs de logiciels

Supabase / PostgREST Row-Level-Security playbook — pull the anon (or leaked service_role) key out of the frontend JS, map tables from the auto-generated OpenAPI spec, test anonymous RLS READ disclosures (PII/secret leaks), and anonymous RLS WRITE abuse (insert/update/delete — e.g. forging "certificate"/verification/entitlement rows the app trusts). Use when the target's frontend talks to *.supabase.co, ships an anon JWT, or you see /rest/v1/, /auth/v1/, /storage/v1/ requests.

2026-06-01
Affichage des 8 principaux skills collectés sur 11 dans ce dépôt.
1 dépôts affichés sur 1
Tous les dépôts sont affichés