Web application penetration testing skill combining manual testing and automation tools to identify SQL injection, SSTI, and RCE vulnerabilities using Nmap, Feroxbuster, and Burpsuite.
git clone https://github.com/Ruhanyat-994/SecurityTesting_SQLI-SSTI-RCE.gitThis skill demonstrates a complete web application security assessment workflow using both manual testing techniques and automated tools. It covers the full pentest lifecycle including DNS mapping, service enumeration with Nmap, directory discovery with Feroxbuster, and vulnerability identification aligned with OWASP Top 10. The assessment focuses on identifying SQL injection, Server-Side Template Injection (SSTI), and Remote Code Execution (RCE) vulnerabilities in web applications. Security professionals and penetration testers use this skill to conduct comprehensive external web security evaluations and validate application security controls.
Add the target domain to /etc/hosts, then run Nmap for service discovery followed by Feroxbuster for directory enumeration. Use Burpsuite for manual testing of identified endpoints, focusing on input validation in login forms and dynamic pages. Combine tool output with manual testing approaches based on OWASP Top 10 methodology.
Identify SQL injection vulnerabilities in web login forms
Enumerate hidden directories and endpoints using automated scanning
Discover SSTI and RCE attack vectors in PHP applications
Perform initial footprinting and service discovery with Nmap
No install command available. Check the GitHub repository for manual installation instructions.
git clone https://github.com/Ruhanyat-994/SecurityTesting_SQLI-SSTI-RCECopy the install command above and run it in your terminal.
Launch Claude Code, Cursor, or your preferred AI coding agent.
Use the prompt template or examples below to test the skill.
Adapt the skill to your specific use case and workflow.
I need to test a web application for SQL Injection, Server-Side Template Injection (SSTI), and Remote Code Execution (RCE) vulnerabilities. The application is for [COMPANY] in the [INDUSTRY] sector. I have access to [DATA] such as API endpoints, user inputs, and server configurations. Can you provide a step-by-step guide to automate the testing process using tools like Burp Suite, OWASP ZAP, and custom scripts?
## Security Testing Guide for SQL Injection, SSTI, and RCE ### Step 1: SQL Injection Testing - **Tools**: Burp Suite, SQLmap - **Process**: 1. Identify input fields and parameters. 2. Use Burp Suite to intercept requests and inject SQL payloads. 3. Automate with SQLmap for comprehensive testing. ### Step 2: Server-Side Template Injection (SSTI) Testing - **Tools**: OWASP ZAP, Custom Scripts - **Process**: 1. Identify template engines used (e.g., Jinja2, Twig). 2. Inject template payloads to test for SSTI vulnerabilities. 3. Automate with OWASP ZAP and custom scripts. ### Step 3: Remote Code Execution (RCE) Testing - **Tools**: Metasploit, Custom Scripts - **Process**: 1. Identify potential entry points for RCE. 2. Use Metasploit to test for known vulnerabilities. 3. Automate with custom scripts for specific scenarios. ### Step 4: Reporting and Mitigation - **Tools**: Jira, Confluence - **Process**: 1. Document findings in Jira. 2. Create detailed reports in Confluence. 3. Provide mitigation strategies and patches.
Automate your browser workflows effortlessly
Get more done every day with Microsoft Teams – powered by AI
Automate security compliance and monitor real-time security posture seamlessly.
Automate your spreadsheet tasks with AI power
Agentic AI Workflow platform
Connected workspace for docs, wikis, and projects
Take a free 3-minute scan and get personalized AI skill recommendations.
Take free scan