
Testing & Security

QA, penetration testing, and code quality.

9326 skills
code-quality
1.1K

golang-modernize

Continuously modernize Golang code to use the latest language features, standard library improvements, and idiomatic patterns. Use this skill whenever writing, reviewing, or refactoring Go code to ensure it leverages modern Go idioms. Also use when the user asks about Go upgrades, migration, modernization, deprecation, or when modernize linter reports issues. Also covers tooling modernization: linters, SAST, AI-powered code review in CI, and modern development practices. Trigger this skill proactively when you notice old-style Go patterns that have modern replacements.

samber
samber
testing-security
open
security
1.1K

golang-security

Security best practices and vulnerability prevention for Golang. Covers injection (SQL, command, XSS), cryptography, filesystem safety, network security, cookies, secrets management, memory safety, and logging. Apply when writing, reviewing, or auditing Go code for security, or when working on any risky code involving crypto, I/O, secrets management, user input handling, or authentication. Includes configuration of security tools.

samber
samber
testing-security
open
testing
1.1K

golang-stretchr-testify

Comprehensive guide to stretchr/testify for Golang testing. Covers assert, require, mock, and suite packages in depth. Use whenever writing tests with testify, creating mocks, setting up test suites, or choosing between assert and require. Essential for testify assertions, mock expectations, argument matchers, call verification, suite lifecycle, and advanced patterns like Eventually, JSONEq, and custom matchers. Trigger on any Go test file importing testify.

samber
samber
testing-security
open
testing
1.1K

golang-testing

Provides a comprehensive guide for writing production-ready Golang tests. Covers table-driven tests, test suites with testify, mocks, unit tests, integration tests, benchmarks, code coverage, parallel tests, fuzzing, fixtures, goroutine leak detection with goleak, snapshot testing, memory leaks, CI with GitHub Actions, and idiomatic naming conventions. Use this whenever writing tests, asking about testing patterns or setting up CI for Go projects. Essential for ANY test-related conversation in Go.

samber
samber
testing-security
open
testing
1.1K

qtpass-fixing

Bug fixing workflow for QtPass - find, fix, test, PR

IJHack
IJHack
testing-security
open
testing
1.1K

qtpass-testing

Comprehensive guide for QtPass unit testing with Qt Test

IJHack
IJHack
testing-security
open
testing
1.1K

experiment

Plan and run a series of training experiments, then compare results

rohanpsingh
rohanpsingh
testing-security
open
security
1.1K

cloud-iam-audit

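Cloud IAM permission auditing and privilege escalation. Use when cloud platform credentials (AWS AK/SK, Azure SPN, GCP SA, Tencent Cloud SecretId/SecretKey) have been obtained and the permission scope and privilege escalation paths need to be assessed. Covers IAM/CAM policy analysis for AWS/Azure/GCP/Tencent Cloud, common privilege escalation paths (PassRole, AssumeRole, Lambda/SCF escalation), cross-account attacks, and CloudTrail/CloudAudit evasion. Use this skill whenever any cloud credentials, AK/SK, or SecretId/SecretKey are found.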

wgpsec
wgpsec
testing-security
open
security
1.1K

cloud-metadata

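Cloud metadata exploitation. Use when the cloud instance metadata service is reachable via SSRF or an already obtained shell. Covers metadata endpoints for AWS/Azure/GCP/Alibaba Cloud/Tencent Cloud, IAM/CAM credential extraction, IMDSv2 bypass, and the full attack chain from metadata to cloud service enumeration. Use this skill in any SSRF scenario or wherever 169.254.169.254 or 100.100.100.200 is reachable from the internal network.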

wgpsec
wgpsec
testing-security
open
security
1.1K

k8s-ingress-nightmare

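IngressNightmare (CVE-2025-1974): unauthenticated RCE in the Kubernetes Ingress-NGINX Admission Controller. Use when the target K8s cluster uses ingress-nginx, an admission webhook is found on port 443/8443, or the admission controller is reachable over the Pod network. Covers the vulnerability's root cause, assessing exploitation preconditions, PoC usage, and subsequent lateral movement.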

wgpsec
wgpsec
testing-security
open
security
1.1K

k8s-istio-bypass

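Istio Service Mesh security policy bypass. Use when the target K8s cluster uses Istio, requests are denied by an AuthorizationPolicy (403 RBAC denied), or an Envoy sidecar is found. Core technique: UID 1337 bypass of Envoy. Use this skill in any K8s scenario involving blocking by Istio policy, Service Mesh restrictions, or Envoy-related security controls.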

wgpsec
wgpsec
testing-security
open
security
1.1K

k8s-webhook-abuse

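Kubernetes Admission Webhook abuse and policy engine exploitation. Use when the cluster runs Kyverno/OPA Gatekeeper/custom webhooks, a DNS scan finds kyverno-svc or gatekeeper services, or injected Secrets need to be extracted from a Mutating Webhook. Core technique: forging AdmissionReview requests. Use this skill in any scenario where a webhook service or policy engine is found in K8s.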

wgpsec
wgpsec
testing-security
open
security
1.1K

ctf-crypto

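CTF cryptography attack techniques. For CTF crypto challenges involving RSA/AES/ECC/lattice cryptography/PRNG/ZKP/classical ciphers. Use when encrypted data needs to be broken, for cryptography-related CTF challenges, when weaknesses in an encryption algorithm need analysis, or when ciphertext/public keys/cryptographic parameters are identified. Covers the full range of cryptographic attack and defense techniques, from classical substitution ciphers to modern public-key cryptography, elliptic curves, lattice attacks, and zero-knowledge proofs.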

wgpsec
wgpsec
testing-security
open
security
1.1K

ctf-pwn

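CTF binary exploitation (Pwn) techniques. Use when a challenge provides an ELF/PE executable and exposes an nc port, or has a stack overflow/heap overflow/format string/UAF vulnerability. Covers ROP chain construction, heap exploitation (tcache/House of Orange/Spirit), kernel exploitation, seccomp sandbox escape, and writing automated exploit scripts with pwntools.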

wgpsec
wgpsec
testing-security
open
security
1.1K

evasion-technique-integrate

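Evasion technique integration: embed evasion techniques (API obfuscation, string encryption, Syscall, anti-debugging, AMSI bypass, etc.) into existing Loader code. Use when a new loading technique needs to be added to an existing Loader, or when an existing Loader has been detected and a component needs replacing. First read references/loader-components-db.json to confirm the component library contains the technique you need, then carry out the integration.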

wgpsec
wgpsec
testing-security
open
security
1.1K

cache-poisoning-smuggling

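Web cache poisoning and HTTP request smuggling. Use when the target uses a CDN/reverse proxy/cache layer (Cloudflare/Varnish/Nginx), or when the front-end and back-end servers differ in architecture. Poisons the cache or bypasses security controls by manipulating cache keys or exploiting HTTP parsing discrepancies. An advanced web attack technique.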

wgpsec
wgpsec
testing-security
open
security
1.1K

cors-misconfiguration

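CORS cross-origin misconfiguration detection and exploitation. Use when the target API returns an Access-Control-Allow-Origin response header, sensitive data needs to be accessed cross-origin, or the Origin header is found reflected in the response. Can lead to theft of sensitive user data.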

wgpsec
wgpsec
testing-security
open
security
1.1K

csrf-methodology

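CSRF (cross-site request forgery) detection and exploitation. Use when the target form/API lacks a CSRF token, uses cookie authentication, and has sensitive operations (password change/funds transfer/email binding). Works by inducing the victim to click a link so that actions are performed under their identity.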

wgpsec
wgpsec
testing-security
open
security
1.1K

default-cred-sweep

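Bulk detection of default and weak passwords. Use when a port scan has confirmed that the target has a login entry point (web admin console/RDP/SSH/database/IoT device) and default credentials have not yet been tested. Includes default credential dictionaries categorized by service, smart brute-force strategies, lockout avoidance, and credential reuse chains. Scan ports to confirm the service first, then begin testing; do not brute-force blindly before the service is confirmed.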

wgpsec
wgpsec
testing-security
open
security
1.1K

deserialization-methodology

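Insecure deserialization exploitation. Use when Base64-encoded cookies/parameters, Python pickle data, PHP serialized strings (O:4:...), Java serialized data (rO0AB...), or Node.js prototype pollution are found. Can lead directly to RCE.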

wgpsec
wgpsec
testing-security
open
security
1.1K

idor-methodology

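IDOR (insecure direct object reference) detection and exploitation. Use when predictable identifiers such as user IDs, order numbers, or file names appear in an API/URL, or when horizontal privilege escalation (accessing other users' data) and vertical privilege escalation (gaining administrator privileges) need to be tested. Covers ID enumeration, bypass techniques (parameter pollution/encoding/method switching), multi-step IDOR chains, file resource IDOR, unauthorized bulk operations, indirect reference enumeration, exploiting framework characteristics, UUID guessing, response comparison analysis, unauthorized write operations, and JWT claims tampering. After discovering API endpoints, always load this skill to check for authorization flaws.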

wgpsec
wgpsec
testing-security
open
security
1.1K

jwt-attack-methodology

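JWT token attack methodology. Use when a string beginning with eyJ appears in response headers/cookies, an Authorization: Bearer token is present, or an API returns a token/access_token field. Includes alg:none bypass, weak key brute-forcing (full toolchain: hashcat/john/c-jwt-cracker/jwt_tool), claims tampering for privilege escalation, RS256→HS256 algorithm confusion, kid injection (SQL/path traversal/command injection), and jku/x5u replacement.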

wgpsec
wgpsec
testing-security
open
security
1.1K

oauth-sso-attack

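Attacks on OAuth 2.0 / SSO / OpenID Connect authentication flows. Use when the target has a "Sign in with Google/GitHub/WeChat" button, a redirect_uri parameter, an authorization_code flow, or a /.well-known/openid-configuration endpoint. Covers redirect_uri hijacking, CSRF from a missing state parameter, token leakage, and scope escalation.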

wgpsec
wgpsec
testing-security
open
security
1.1K

privilege-escalation-web

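Web application-layer privilege escalation. Use when a web application has user registration/login, role and permission management, or API parameters that carry user identity information. Covers Mass Assignment attacks, role/permission field injection, HTTP method/header bypass, and cookie/session tampering. Immediately after registering, check whether a regular user can access administrator functions without authorization; this is the first priority.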

wgpsec
wgpsec
testing-security
open