web-exploit-triagelisted

# Web Exploit Triage > **Scope-only discipline**: this skill classifies and assesses impact at pattern level. Ready-to-run exploits against production targets without explicit RoE authorization do not belong here. When a PoC is needed, build it in your own lab or in a customer-provided sandbox, not against live infra. ## When to use This skill sits between detection (what did you see?) and remediation (how do you fix it?). It classifies a web vuln candidate into an attack class, verifies exploit assumptions at pattern level, estimates impact, and hands off to the framework skill that delivers the fix. Triggers on: - A question like "is this JWT config exploitable", "could this be prototype pollution", "review this OAuth flow for bypass paths", "what is the impact of deserialization on this endpoint", "DOM XSS vs reflected XSS". - A finding from `recon-agent` (hypothesis candidate), `dast-workflow` (scanner output), or `security-review` (unclear-is-this-exploitable). - An incoming bug-bounty submission that needs technical triage before a payout decision. - A post-disclosure CVE with suspected reach into your own stack. ### When NOT (handoff) - Crafting new payloads or assembling chains → `payload-crafter`, `exploit-chain`. This skill verifies whether something is exploitable; those build concrete exploits. - AD-specific vulns (Kerberos, NTLM, delegation) → `ad-attacks`. - Dep-vuln triage → `cve-triage`. Overlap when a dep vuln is a web class (e.g. Jackson deserializati