ssrf AI Agent Skills
Browse 30 skills related to ssrf
AWS Penetration Testing
This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.
AWS Penetration Testing
This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.
openclaw-sec
AI Agent Security Suite - Real-time protection against prompt injection, command injection, SSRF, path traversal, secrets exposure, and content policy violations
clawdefender
Security scanner and input sanitizer for AI agents. Detects prompt injection, command injection, SSRF, credential exfiltration, and path traversal attacks. Use when (1) installing new skills from ClawHub, (2) processing external input like emails, calendar events, Trello cards, or API responses, (3) validating URLs before fetching, (4) running security audits on your workspace. Protects agents from malicious content in untrusted data sources.
ssrf-testing
Professional skills and methodologies for SSRF server-side request forgery testing
ssrf
服务端请求伪造漏洞检测与利用。当目标存在 URL 参数、远程文件加载、Webhook、PDF 生成、URL 预览功能时使用。
xxe-testing
Validate XML External Entity (XXE) injection vulnerabilities including file disclosure, SSRF, denial of service, and blind XXE via out-of-band channels. Test by injecting malicious XML with external entity references into endpoints that parse XML. Use when testing CWE-611 (XXE), CWE-827 (Improper Control of Document Type Definition), or related XML parsing vulnerabilities.
security-practices
Security practices including secrets management, input validation, SSRF prevention, and production hardening. Use for security-sensitive code.
pentest
Penetration testing orchestrator that coordinates specialized attack agents. Provides attack indexes, methodology frameworks, and documentation. Execution delegated to specialized agents (SQL Injection, XSS, SSRF, etc.). Use for engagement planning and attack coordination.
CTF Web Solver
当用户正在进行 CTF 比赛或练习,遇到 Web 类型题目时触发此 Skill。 适用场景包括: - 用户描述了 SQL 注入、XSS、SSRF、SSTI、XXE、文件包含、命令执行等 Web 安全问题 - 用户需要进行信息搜集、目录扫描、端口扫描等渗透前期工作 - 用户遇到 PHP 特性利用、反序列化、JWT 伪造等高级攻击场景 - 用户提及 "CTF"、"Web"、"渗透"、"注入"、"绕过"、"漏洞" 等关键词 - 用户需要分析 Java 代码审计、区块链安全、组件漏洞利用等问题 - 用户需要构造 payload、编写 exploit、分析 WAF 绕过策略
AWS Penetration Testing
This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.
api-security
1. Broken Object Level Authorization (BOLA) - API fails to validate user access to objects 2. Broken Authentication - Weak or missing authentication mechanisms 3. Broken Object Property Level Authorization - Missing field-level access control 4. Unrestricted Resource Consumption - No rate limiting or throttling 5. Broken Function Level Authorization - Missing authorization checks on endpoints 6. Unrestricted Access to Sensitive Business Flows - Automated abuse of legitimate workflows 7. Server Side Request Forgery (SSRF) - API accepts URLs without validation 8. Security Misconfiguration - Insecure default configs, verbose errors 9. Improper Inventory Management - Undocumented/deprecated APIs in production 10. Unsafe Consumption of APIs - Trusting third-party API data without validation
testing-web-applications
Test web applications for security vulnerabilities including SQLi, XSS, command injection, JWT attacks, SSRF, file uploads, XXE, and API flaws. Use when pentesting web apps, analyzing authentication, or exploiting OWASP Top 10 vulnerabilities.
AWS Penetration Testing
This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.
audit-security
Quick security audit checking for hardcoded secrets, SSRF vectors, injection points, dependency issues, and missing security headers
exploiting-server-side-request-forgery
Identifying and exploiting SSRF vulnerabilities to access internal services, cloud metadata, and restricted network resources during authorized penetration tests.
conducting-cloud-penetration-testing
This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP cloud environments. It covers understanding the shared responsibility model for testing scope, leveraging cloud-specific attack tools like Pacu and ScoutSuite, exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and reporting findings aligned to MITRE ATT&CK Cloud matrix.
performing-blind-ssrf-exploitation
Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions, and timing analysis to access internal services and cloud metadata endpoints.
exploiting-api-injection-vulnerabilities
Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command injection, LDAP injection, and Server-Side Request Forgery (SSRF) through API parameters, headers, and request bodies. The tester crafts malicious payloads targeting different backend technologies and injection contexts to extract data, execute commands, or access internal services. Maps to OWASP API8:2023 Security Misconfiguration and API7:2023 SSRF. Activates for requests involving API injection testing, SQLi in APIs, NoSQL injection, SSRF testing, or API input validation assessment.
testing-for-xxe-injection-vulnerabilities
Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.
testing-for-host-header-injection
Test web applications for HTTP Host header injection vulnerabilities to identify password reset poisoning, web cache poisoning, SSRF, and virtual host routing manipulation risks.
AWS Penetration Testing
Use this skill when a user asks to 'pentest AWS', 'test AWS security', 'enumerate IAM', 'exploit cloud infrastructure', 'AWS privilege escalation', 'S3 bucket testing', 'metadata SSRF', 'Lambda exploitation', or needs guidance on Amazon Web Services security assessment.
Secure Code Review
Use when reviewing source code for security vulnerabilities, performing static analysis of a codebase, or auditing code for injection flaws, authentication issues, cryptographic weaknesses, insecure deserialization, SSRF, path traversal, memory-safety bugs, hardcoded secrets, or misconfigurations. Use when the user asks to find security bugs in code, assess code quality from a security perspective, review pull requests for security implications, perform dependency audits, run secrets scans, or review application configuration in source.
AWS Penetration Testing
This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment.
API Pentest
Targeted API penetration testing using a GTFO-first approach: find the highest-impact vulnerability fast, prove it with a PoC, and move on. Covers five attack families: AuthN/AuthZ, BOLA/IDOR, Input Validation, SSRF, and Business Logic. Each family is a loadable module with specific test cases, payloads, and PoC templates. Trigger when user mentions "API pentest", "API security test", "test this API", "find vulnerabilities in this endpoint", "BOLA", "IDOR", "broken auth", "injection test", "SSRF", "business logic flaw", "API attack", or shares API docs, Swagger/OpenAPI specs, Postman collections, or curl commands.
webapp-pentesting
Use when testing web applications for security vulnerabilities, performing webapp penetration tests, assessing OWASP Top 10 risks, testing for XSS/SQLi/CSRF/SSRF/IDOR/auth bypass, fuzzing web endpoints, scanning web servers, intercepting HTTP traffic, testing file uploads, evaluating session management, or when the target is a browser-accessible web application requiring comprehensive security assessment.
remediation
Helps fix security vulnerabilities identified by DryRunSecurity. Activates when the user shares a DryRunSecurity comment (from a GitHub PR or GitLab MR) or asks for help fixing any security finding including SQL injection, XSS, CSRF, SSRF, path traversal, command injection, authentication bypass, authorization flaws, and prompt injection. Researches authoritative sources and applies fixes grounded in the user's specific codebase context.
openclaw-sec
AI Agent Security Suite - Real-time protection against prompt injection, command injection, SSRF, path traversal, secrets exposure, and content policy violations
gcp-ssrf
Use this skill when users need to audit, detect, or remediate Server-Side Request Forgery (OWASP A10:2021) vulnerabilities on Google Cloud Platform. This includes auditing VPC firewall rules for overly permissive egress, reviewing VPC Service Controls perimeter configuration, deploying Cloud Armor rules to block SSRF attack patterns, and protecting against metadata endpoint abuse. Activate for SSRF protection, egress control, VPC firewall hardening, VPC Service Controls configuration, or OWASP A10 compliance.
security-best-practices
Secure programming best practices based on the OWASP Cheat Sheet Series. Use this skill whenever writing, reviewing, or discussing application security, input validation, authentication, authorization, cryptography, session management, error handling, logging, or any code that handles user input, secrets, HTTP headers, file uploads, or API endpoints. Also use when someone asks about preventing common vulnerabilities (XSS, SQL injection, CSRF, SSRF, etc.), securing infrastructure (Docker, Kubernetes, CI/CD), or reviewing dependencies for supply chain risks. This skill should be consulted proactively during code review and security audit tasks, even if the user does not explicitly mention security.