npx claudepluginhub jamie-bitflight/claude_skills --plugin daselThis skill uses the workspace's default tool permissions.
<when_to_use>
Provides Dasel v3 selectors to query Spring bean factory XML for bean discovery, dependency wiring, JMS destination mapping, property injection extraction, and cross-bean reference tracing.
Tests web apps for XML injection vulnerabilities including XXE (file read, blind, SSRF), XPath injection, and entity attacks to detect data leaks. For pentesting XML endpoints like SOAP APIs and file uploads.
Guides pentesting for deserialization (Java ysoserial, Python pickle, PHP unserialize, .NET BinaryFormatter, Ruby Marshal), XXE payloads, and file upload bypasses.
Share bugs, ideas, or general feedback.
<when_to_use>
Load this skill when querying a web.xml deployment descriptor — enumerating servlets, inspecting filter chains, listing listeners, extracting context parameters, or finding servlets by init-param value.
</when_to_use>
Domain skill for querying Tomcat web.xml files using dasel v3. Always use -i xml explicitly. XML attributes use - prefix in dasel friendly mode.
# All servlet names
dasel -f web.xml -i xml 'web-app.servlet.map(servlet-name)'
# Count servlet definitions
dasel -f web.xml -i xml 'len(web-app.servlet)'
# Find filters by class pattern (e.g., Security filters)
dasel -f web.xml -i xml 'web-app.filter.filter(filter-class ~ ".*Security.*")'
Replace Security with any class name fragment.
# Count listener definitions
dasel -f web.xml -i xml 'len(web-app.listener)'
# All context-param names
dasel -f web.xml -i xml 'web-app.context-param.map(param-name)'
# Find servlets with a specific init-param name — filters parent collection by testing child length > 0
dasel -f web.xml -i xml 'web-app.servlet.filter(init-param.filter(param-name == "debug").len($this) > 0).map(servlet-name)'
Replace "debug" with the target param-name value.
All selectors require the full command prefix: dasel -f web.xml -i xml '<selector>'