ClaudeWave
Skill · 2.3k repo stars · updated 1mo ago

offensive-fast-checking

The offensive-fast-checking skill provides a speed-optimized vulnerability assessment methodology combining reconnaissance shortcuts, quick-win pattern detection, and automated scanner configurations. Apply this skill during time-boxed penetration tests, CTF competitions, or initial rapid surface mapping phases when quick vulnerability identification takes priority over comprehensive analysis.

Install in Claude Code

```shell
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-fast-checking && cp -r /tmp/offensive-fast-checking/Skills/utility/offensive-fast-checking ~/.claude/skills/offensive-fast-checking
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# SKILL: Fast Testing Checklist

## Metadata
- **Skill Name**: fast-checking
- **Folder**: offensive-fast-checking
- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/fast-checking.md

## Description
Speed-optimized offensive checklist for rapid assessment: quick-win vulnerability patterns, fast recon shortcuts, automated scanner configurations, and triage shortcuts. Use for time-boxed assessments, CTF-speed engagements, or initial rapid surface mapping.

## Trigger Phrases
Use this skill when the conversation involves any of:
`fast check, quick recon, rapid assessment, quick wins, fast triage, speed checklist, time-boxed, CTF, fast scan, quick vulnerability`

## Instructions for Claude

When this skill is active:
1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

## Full Methodology

# Fast Testing Checklist

A combination of my own methodology and the Web Application Hacker's Handbook Task checklist, as a GitHub-Flavored Markdown file.

- use [lostsec](https://lostsec.xyz/)
- maintain a personal payloads repo synced with BLNS/SecLists; keep a tiny “golden” set for smoke tests

## Reconnaissance and Analysis

- [ ] Map visible content (Manually)
  - [ ] Perform Functionality Mapping by browsing the application thoroughly.
  - [ ] Check API Documentation (Public, Swagger/OpenAPI).
- [ ] Discover hidden & default content (Directory/File Bruteforce)
- [ ] Test for debug parameters
- [ ] Identify data entry points (Discover Dynamic Content in Burp Pro)
- [ ] Identify the technologies used (Wappalyzer or similar)
- [ ] Research existing vulnerabilities in technology (Google ++)
- [ ] Gather wordlists for specific technology (Assetnote, SecLists and Naughty Strings)
- [ ] Map the attack surface automatically (e.g. Burp Spider)
- [ ] Identify all JavaScript files for later analysis (in your proxy)
- [ ] Scope Discovery (DNS, IPs, Subdomains)
- [ ] Capture API contracts (OpenAPI/GraphQL) and diff against observed traffic
- [ ] Identify gateways/WAF/CDN (headers, cookies, control pages)
- [ ] Identify cache layers and behaviors (vary keys, CDN rules, edge rewrites)

### Find Origin IP behind CDN/WAF

- [ ] Confirm WAF presence (IP Org check, headers, cookies, block pages).
- [ ] Check Historical DNS records (SecurityTrails, DNSDumpster).
- [ ] Enumerate Subdomains & check IPs (focus on dev/staging).
- [ ] Analyze SSL Certificates (Censys, Shodan - check SANs).
- [ ] Analyze Email Headers from target (Received, X-Originating-IP).
- [ ] Test potential IPs directly (`curl --resolve example.com:443:<IP> https://example.com/`).
- [ ] Verify potential origin IPs (compare content, headers, certs).
- [ ] Probe HTTP/3 Alt-Svc leakage and SNI/Host mismatches.

## Access Control Testing

### Authentication

- [ ] Test password quality rules
  - [ ] Minimum length, complexity, history, common password checks?
  - [ ] Paste functionality disabled?
- [ ] Test for username enumeration
  - [ ] Analyze response time, error messages, status codes for valid/invalid users.
  - [ ] Check account recovery flow for enumeration.
- [ ] Test resilience to password guessing
  - [ ] Is there rate limiting on login attempts?
  - [ ] Is there account lockout mechanism?
- [ ] Test any account recovery function
  - [ ] Weak security questions?
  - [ ] Host header injection in reset emails?
  - [ ] Token leakage via Referer?
  - [ ] Lack of token validation?
  - [ ] Predictable reset tokens?
- [ ] Test any "remember me" function
  - [ ] Analyze token entropy, expiration, security attributes.
- [ ] Test any impersonation function
- [ ] Test username uniqueness
  - [ ] Case sensitivity issues? (`admin` vs `Admin`)
  - [ ] Whitespace trimming issues?
- [ ] Check for unsafe distribution of credentials
- [ ] Test for fail-open conditions
- [ ] Test any multi-stage mechanisms
  - [ ] MFA bypasses (enrollment skip, verification manipulation, brute-force codes)?
  - [ ] Can MFA be disabled easily?
  - [ ] Parameter pollution vulnerabilities?
  - [ ] Test OAuth Flows (see dedicated section).
  - [ ] Test JWT implementations (see dedicated section).
  - [ ] Check for API Key leakage (source code, client-side JS, mobile apps).
  - [ ] Test API Key usage (URL, Header, Cookie).
  - [ ] Test HTTP Basic Auth strength.
  - [ ] Test HMAC signature implementation if used.
  - [ ] Validate DPoP/mTLS token binding if advertised.
  - [ ] Refresh-token rotation and reuse detection.
  - [ ] Passkeys/WebAuthn flows including recovery/fallbacks.

### Session handling

- [ ] Test tokens for meaning
- [ ] Test tokens for predictability
- [ ] Check for insecure transmission of tokens
  - [ ] Missing Secure flag on cookies?
  - [ ] Sent over HTTP?
- [ ] Check for disclosure of tokens in logs and URL params
- [ ] Check mapping of tokens to sessions (can they be reused?)
- [ ] Check session termination
  - [ ] Does logout fully invalidate the session token?
  - [ ] Is there session rotation on login/logout/privilege change?
  - [ ] Check session timeout enforcement (client/server).
  - [ ] Token reuse across devices; device binding enforced?
  - [ ] Cookie partitioning/CHIPS behavior in embedded/3rd-party contexts.
- [ ] Check for session fixation
  - [ ] Are session tokens retained pre/post-authentication?
  - [ ] Can a specific token be forced on a user?
- [ ] Check for cross-site request forgery
  - [ ] Presence and validation of Anti-CSRF tokens?
  - [ ] Use of SameSite cookie attribute?
    - Check if `Lax` or `Strict`. `None` requires `Secure`.
  - [ ] Check Referer/Origin header validation.
  - [ ] Try removing token parameter.
  - [ ] Try switching request method (POST -> GET).
  - [ ] Try changing Content-Type.
  - [ ] Use Burp CSRF PoC generator.
  - [ ] Test login CSRF and O
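Several of the session items above reduce to reading `Set-Cookie` headers carefully: the Secure and HttpOnly flags, the SameSite attribute (and the rule that `None` requires `Secure`), and whether the token value itself looks predictable. The audit below is an added Python example that covers those checks over a set of constructed headers; it is not part of the checklist or its author's tooling, and the name-based "session-like" heuristic and the 64-bit / 2 bits-per-character thresholds are assumptions chosen for illustration.

```python
"""Session cookie audit over Set-Cookie headers: flags, SameSite rules and a
rough predictability estimate of the token value. Added example with
constructed headers; not the checklist's own code."""
import math
import string
from collections import Counter

# Constructed sample headers, as an application under test might emit them.
SAMPLE_HEADERS = [
    "sessionid=a3f9c2e17b8d4f6e9a1c3b5d7e9f0a2b4c6d8e0f; Path=/; HttpOnly; Secure; SameSite=Lax",
    "PHPSESSID=00000000000000000042; Path=/",          # zero-padded counter
    "tracker=abc123; Secure; SameSite=None",          # None with Secure is valid
    "legacy=userid=17; SameSite=None; HttpOnly",      # None without Secure is invalid
]

SESSION_LIKE = ("session", "sess", "sid", "token", "auth")   # assumed heuristic


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: value|True}).
    Only the first '=' separates name from value, so values may contain '='."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def token_strength(value):
    """Returns (charset_bound_bits, shannon_bits_per_char). The bound is
    log2(inferred charset) * length; the Shannon figure catches values that
    are long but repetitive, which the bound alone would pass."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "-_"]
    charset = sum(len(c) for c in classes if any(ch in c for ch in value))
    bound = math.log2(charset) * len(value) if charset else 0.0
    counts = Counter(value)
    shannon = 0.0
    if value:
        shannon = -sum((n / len(value)) * math.log2(n / len(value)) for n in counts.values())
    return round(bound, 1), round(shannon, 2)


def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure (cookie can be sent over HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (readable by script)")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("no SameSite attribute (browser default applies; verify)")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure (browsers reject this cookie)")
    if any(k in name.lower() for k in SESSION_LIKE):
        bound, per_char = token_strength(value)
        if bound < 64 or per_char < 2.0:
            findings.append(f"weak token: charset bound {bound} bits, {per_char} bits/char")
    return name, findings


def audit_all(headers):
    """Map cookie name -> findings for a list of Set-Cookie headers."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```

Feeding the script the headers captured in your proxy gives a quick first pass; the `PHPSESSID` sample is the instructive one, since its 20-digit value clears the raw charset bound yet is flagged by the Shannon estimate because almost every character is a zero.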