pentest-recon-attack-surface
# Pentest Recon Attack Surface This Claude Code skill performs comprehensive white-box attack surface mapping by correlating external network scans, authenticated browser exploration at multiple privilege levels, and source code analysis. It produces a structured endpoint inventory with authorization metadata, role architecture definitions, and prioritized authorization vulnerability candidates suitable for downstream code review and exploitation testing.
git clone --depth 1 https://github.com/jd-opensource/JoySafeter /tmp/pentest-recon-attack-surface && cp -r /tmp/pentest-recon-attack-surface/skills/pentest-recon-attack-surface ~/.claude/skills/pentest-recon-attack-surfaceSKILL.md
# Pentest Recon Attack Surface ## Purpose Perform comprehensive attack surface mapping by correlating three data sources: external network scans, authenticated browser exploration, and source code analysis. Produces a structured endpoint inventory with authorization metadata, role/privilege architecture, and prioritized authorization vulnerability candidates for downstream code review and exploitation. ## Prerequisites ### Authorization Requirements - **Written authorization** with explicit scope for reconnaissance and source code access - **Source code access** to the target application (white-box engagement) - **Test accounts** at every privilege level (anonymous, user, admin, service) - **Network scan approval** — confirm acceptable scan intensity with target owner ### Environment Setup - nmap, subfinder, httpx, whatweb for external reconnaissance - Playwright with authenticated browser contexts - katana or gospider for web crawling - ffuf for content discovery - semgrep and ripgrep for source code analysis - Access to deployment configs (Dockerfile, docker-compose, k8s manifests) ## Core Workflow 1. **Technology Fingerprinting**: Run whatweb + httpx to identify frameworks, languages, server versions, WAF presence, and response header signatures. 2. **External Scan Correlation**: Execute nmap service scan + subfinder subdomain enumeration. Cross-reference discovered services against deployment configs (docker-compose ports, k8s service definitions) to identify exposed vs internal-only services. 3. **Interactive Browser Exploration**: Authenticated Playwright crawl at each privilege level. Capture all XHR/fetch requests, form submissions, WebSocket connections, and dynamic route transitions. Record request/response pairs with auth context. 4. **Route Mapper**: Parse all backend route definitions from source code with file:line pointers. Extract HTTP method, path pattern, middleware chain, and handler function for every endpoint. 5. **Authorization Checker**: For each route, trace the middleware chain to identify auth/authz enforcement. Flag endpoints missing authentication middleware or with inconsistent authorization patterns. 6. **Input Validator**: Analyze validation logic per parameter — identify parameters with no server-side validation, client-only validation, or incomplete validation (e.g., type check but no range check). 7. **Session Handler**: Trace token lifecycle from issuance through validation to expiry. Map session storage mechanism, token rotation policy, and logout invalidation behavior. 8. **Authorization Architecture**: Synthesize role definitions, permission assignments, and privilege lattice from source code. Identify horizontal/vertical/workflow authorization vulnerability candidates. ## Output Deliverables | Deliverable | Description | |-------------|-------------| | API Endpoint Inventory | Table: method, path, auth_required, roles_allowed, validation_summary, file:line | | Network Interaction Map | External services, internal services, exposed ports, subdomain inventory | | Role & Privilege Architecture | Role hierarchy, permission matrix, privilege escalation paths | | Authorization Vulnerability Candidates | Prioritized list of endpoints with suspected authz gaps | | Session Architecture | Token type, storage, rotation, expiry, invalidation behavior | ## Tool Categories | Category | Tools | Purpose | |----------|-------|---------| | Fingerprinting | whatweb, httpx, wappalyzer | Technology and framework identification | | Network Recon | nmap, subfinder, amass | Service discovery and subdomain enumeration | | Web Crawling | Playwright, katana, gospider | Authenticated crawling and dynamic exploration | | Content Discovery | ffuf, feroxbuster | Hidden endpoint and directory discovery | | Code Analysis | semgrep, ripgrep, ast-grep | Route extraction and middleware tracing | | Config Analysis | manual review | Deployment config correlation | ## References - `references/tools.md` - Tool function signatures and parameters - `references/workflows.md` - Reconnaissance workflow definitions and correlation procedures
You MUST use this before any creative work - creating features, building components, adding functionality, or modifying behavior. Explores user intent, requirements and design before implementation.
Use when you have a written implementation plan to execute in a separate session with review checkpoints
OpenClaw 安全检测工具,基于安全实践指南验证配置安全、权限隔离、网络策略、日志审计和运行时完整性
OpenClaw 攻击模式检测工具,识别数据外传、反弹Shell、文件泄露、Prompt注入、供应链投毒等高危行为,支持 MITRE ATT&CK 映射
Comprehensive PDF manipulation toolkit for extracting text and tables, creating new PDFs, merging/splitting documents, and handling forms. When Claude needs to fill in a PDF form or programmatically process, generate, or analyze PDF documents at scale.
AI/LLM application security testing — prompt injection, jailbreaking, data exfiltration, and insecure output handling per OWASP LLM Top 10.
Deep OWASP API Security Top 10 testing for REST, GraphQL, gRPC, and WebSocket APIs — BFLA, mass assignment, rate limiting, and unsafe consumption.