pentest-exploit-validation
This Claude Code skill validates vulnerability findings from pentest code reviews through structured exploitation attempts, using a four-level evidence system to classify each issue as EXPLOITED, POTENTIAL, or FALSE_POSITIVE. Use it after completing white-box code analysis to confirm actual exploitability of suspected vulnerabilities, requiring written authorization, isolated testing environments, and documented proof-of-concept techniques across injection, XSS, authentication, and authorization attack vectors.
```
git clone --depth 1 https://github.com/jd-opensource/JoySafeter /tmp/pentest-exploit-validation && cp -r /tmp/pentest-exploit-validation/skills/pentest-exploit-validation ~/.claude/skills/pentest-exploit-validation
```

SKILL.md
# Pentest Exploit Validation

## Purpose

Validate vulnerability findings through proof-driven exploitation using Shannon's 4-level evidence system. Consumes the exploitation queue from white-box code review, attempts structured exploitation with bypass exhaustion, collects mandatory evidence per vulnerability type, and classifies each finding as EXPLOITED, POTENTIAL, or FALSE_POSITIVE.

## Prerequisites

### Authorization Requirements

- **Written authorization** with explicit scope for active exploitation testing
- **Exploitation queue JSON** from pentest-whitebox-code-review output
- **Test accounts** at multiple privilege levels for authz testing
- **Data exfiltration approval** — confirm acceptable proof-of-concept scope
- **Rollback plan** for any data-mutating exploits

### Environment Setup

- sqlmap for automated SQL injection exploitation
- Burp Suite Professional with Repeater, Intruder, and Turbo Intruder
- curl for manual HTTP request crafting
- Playwright for browser-based exploitation (XSS, CSRF)
- nuclei with custom templates for automated validation
- Isolated testing environment or explicit production testing approval

## Core Workflow

1. **Queue Intake**: Parse exploitation queue JSON, validate schema, prioritize by confidence score and impact severity. Group findings by vulnerability type for parallel exploitation.
2. **Injection Exploitation**: Confirm injectable parameter → fingerprint backend (DB type, OS) → enumerate databases/tables → demonstrate data exfiltration with minimal footprint.
3. **XSS Exploitation**: Graph traversal from source → processing → sanitization → sink. Craft context-appropriate payload, demonstrate session hijack or DOM manipulation.
4. **Auth Exploitation**: Attack authentication weaknesses → demonstrate account takeover via credential stuffing, token forgery, or session hijack.
5. **Authz Exploitation**: Horizontal access (cross-user data) → vertical escalation (admin functions) → workflow bypass (state manipulation).
6. **SSRF Exploitation**: Internal service access → cloud metadata retrieval (169.254.169.254) → internal network reconnaissance.
7. **Bypass Exhaustion**: For each finding, attempt 3 initial payloads → if blocked, escalate to 8-10 bypass variations → if still blocked, deploy automated tool variants.
8. **Impact Escalation**: Escalate from proof-of-concept to real impact demonstration — data exfiltration, session hijacking, or remote code execution.
9. **Evidence Collection**: Collect mandatory evidence per vulnerability type using per-type checklists.
10. **Classification**: Assign final classification — EXPLOITED, POTENTIAL, or FALSE_POSITIVE — based on 4-level proof system.

## 4-Level Proof System

| Level | Description | Classification |
|-------|-------------|---------------|
| L1 | Weakness identified in code but not confirmed exploitable | POTENTIAL |
| L2 | Partial bypass achieved but full exploitation not demonstrated | POTENTIAL |
| L3 | Vulnerability confirmed with reproducible evidence | EXPLOITED |
| L4 | Critical impact demonstrated (data exfil, RCE, account takeover) | EXPLOITED CRITICAL |

## Classification Criteria

| Classification | Criteria |
|---------------|----------|
| EXPLOITED | Reproducible proof with evidence: HTTP request/response, extracted data, or demonstrated impact |
| POTENTIAL | Code-level weakness confirmed but exploitation blocked by defense-in-depth or environment constraints |
| FALSE_POSITIVE | Taint analysis flagged but manual review confirms effective sanitization or unreachable code path |

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| SQL Injection | sqlmap, manual payloads | Automated and manual SQLi exploitation |
| Request Crafting | Burp Repeater, curl | Manual HTTP request manipulation |
| Fuzzing | Burp Intruder, Turbo Intruder | Payload variation and bypass testing |
| Browser Exploitation | Playwright | XSS demonstration, session hijack |
| Automation | nuclei, custom scripts | Template-based vulnerability validation |
| Evidence Capture | Burp Logger, screenshot tools | Request/response logging and proof |

## References

- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Exploitation workflows, evidence checklists, and classification tree
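The following is an added example, not code from the skill or the JoySafeter repository. It sketches the bookkeeping in workflow steps 1 and 10: queue intake with schema validation, prioritization and grouping, then classification against the proof-level and criteria tables. The queue field names, the evidence labels, the sort order, and the rule that an L3/L4 claim without recorded evidence falls back to POTENTIAL are all assumptions, since the page does not show the queue schema.

```python
import json
from collections import defaultdict

# Constructed sample queue; every field name here is an assumption.
SAMPLE_QUEUE = json.dumps([
    {"id": "F-001", "type": "sqli", "confidence": 0.9, "severity": "critical",
     "proof_level": 4, "evidence": ["http_exchange", "extracted_data"]},
    {"id": "F-002", "type": "xss", "confidence": 0.6, "severity": "medium",
     "proof_level": 3, "evidence": []},          # L3 claimed, nothing recorded
    {"id": "F-003", "type": "ssrf", "confidence": 0.8, "severity": "high",
     "proof_level": 2, "evidence": ["http_exchange"]},
    {"id": "F-004", "type": "sqli", "confidence": 0.4, "severity": "low",
     "proof_level": 1, "evidence": [], "sanitization_confirmed": True},
    {"id": "F-005", "type": "authz", "severity": "high"},  # fails the schema
])
REQUIRED = {"id": str, "type": str, "confidence": (int, float),
            "severity": str, "proof_level": int, "evidence": list}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Evidence kinds the criteria table accepts for EXPLOITED (labels are assumed).
ACCEPTED_EVIDENCE = {"http_exchange", "extracted_data", "demonstrated_impact"}

def intake(raw):
    """Step 1: validate entries, then order by confidence, then severity."""
    valid, rejected = [], []
    for f in json.loads(raw):
        ok = (isinstance(f, dict)
              and all(isinstance(f.get(k), t) for k, t in REQUIRED.items())
              and f["severity"] in SEVERITY_RANK and 1 <= f["proof_level"] <= 4)
        (valid if ok else rejected).append(f)
    valid.sort(key=lambda f: (f["confidence"], SEVERITY_RANK[f["severity"]]),
               reverse=True)
    return valid, rejected

def classify(f):
    """Step 10: apply the proof-level table, gated on recorded evidence."""
    if f.get("sanitization_confirmed") or f.get("unreachable"):
        return "FALSE_POSITIVE"
    has_proof = bool(ACCEPTED_EVIDENCE & set(f["evidence"]))
    if f["proof_level"] >= 3 and has_proof:
        return "EXPLOITED CRITICAL" if f["proof_level"] == 4 else "EXPLOITED"
    return "POTENTIAL"  # L1/L2, or a higher claim with no reproducible proof

def triage(raw):
    """Group classified findings by vulnerability type; list rejected ids."""
    valid, rejected = intake(raw)
    groups = defaultdict(list)
    for f in valid:
        groups[f["type"]].append((f["id"], classify(f)))
    return dict(groups), [f.get("id") for f in rejected if isinstance(f, dict)]

if __name__ == "__main__":
    print(triage(SAMPLE_QUEUE))
```

Gating EXPLOITED on recorded evidence keeps a report from overstating a finding whose proof was never captured.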
You MUST use this before any creative work - creating features, building components, adding functionality, or modifying behavior. Explores user intent, requirements and design before implementation.
Use when you have a written implementation plan to execute in a separate session with review checkpoints
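OpenClaw security checking tool that validates configuration security, privilege isolation, network policy, log auditing, and runtime integrity against a security practice guide.
OpenClaw attack pattern detection tool that identifies high-risk behaviors such as data exfiltration, reverse shells, file leakage, prompt injection, and supply-chain poisoning, with support for MITRE ATT&CK mapping.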
Comprehensive PDF manipulation toolkit for extracting text and tables, creating new PDFs, merging/splitting documents, and handling forms. When Claude needs to fill in a PDF form or programmatically process, generate, or analyze PDF documents at scale.
AI/LLM application security testing — prompt injection, jailbreaking, data exfiltration, and insecure output handling per OWASP LLM Top 10.
Deep OWASP API Security Top 10 testing for REST, GraphQL, gRPC, and WebSocket APIs — BFLA, mass assignment, rate limiting, and unsafe consumption.