common-pentest-methodology

$npx mdskill add HoangNguyen0403/agent-skills-standard/common-pentest-methodology

- **No Exploit = No Report**: Every finding requires reproducible Proof-of-Concept. Hypotheses without PoC are discarded. - **No Production Testing**: All dynamic probes target local/staging only. Confirm authorization before Phase 1. - **No Single-Platform Bias**: Assess backend, frontend, AND mobile surfaces when in-scope.

SKILL.md

.github/skills/common-pentest-methodologyView on GitHub ↗
---
name: common-pentest-methodology
description: PTES-aligned penetration testing methodology for backend, frontend, and mobile. Provides attack taxonomy, exploit techniques per vulnerability class, and platform-specific test matrices. Use when executing pentest workflow, planning security assessments, mapping attack surfaces, or building threat models.
metadata:
  triggers:
    keywords:
    - pentest
    - penetration test
    - red team
    - attack surface
    - threat model
    - PTES
    - security assessment
    - exploit
    - hacker score
---
# Penetration Testing Methodology (PTES-Aligned)

## **Priority: P0 (CRITICAL)**

## Always-Apply Rules

- **No Exploit = No Report**: Every finding requires reproducible Proof-of-Concept. Hypotheses without PoC are discarded.
- **No Production Testing**: All dynamic probes target local/staging only. Confirm authorization before Phase 1.
- **No Single-Platform Bias**: Assess backend, frontend, AND mobile surfaces when in-scope.

## Workflow

Load alongside `/pentest` workflow. Provides methodology backbone for all 7 phases.

1. **Scope** → Define test mode (whitebox/greybox/blackbox), platforms, exclusions.
2. **Recon** → Build asset inventory per platform. See [platform-recon](references/platform-recon.md).
3. **Threat Model** → Rank endpoints by risk. See [threat-modeling](references/threat-modeling.md).
4. **Analyze** → Run vulnerability matrix across all domains. Load `common-owasp`, `common-security-audit`, `common-dast-tooling`.
5. **Exploit** → Validate each finding with PoC. See [exploit-techniques](references/exploit-techniques.md).
6. **Post-Exploit** → Assess blast radius, lateral movement, privilege escalation.
7. **Report** → Audit-grade output with CVSS scoring. See [report-template](references/report-template.md) and [compliance-mapping](references/compliance-mapping.md).

## Platform Coverage Matrix

| Domain | Backend/API | Frontend/Web | Mobile (iOS/Android) |
|---|---|---|---|
| Injection | SQLi, CMDi, NoSQLi, LDAPi | Template injection, DOM sinks | Content provider SQLi, Intent injection |
| XSS | Response encoding | DOM XSS, `innerHTML`, framework bypasses | WebView `loadUrl`, JavaScript bridges |
| Auth | JWT, OAuth, Session, MFA | Token storage, session management | Keychain/Keystore, biometric bypass |
| AuthZ | BOLA/IDOR, BFLA, Mass Assignment | Client-side role gates | Local permission checks without server |
| SSRF | HTTP client + user URL | SSR with user-supplied URL | Custom scheme fetching arbitrary URLs |
| Business Logic | Race conditions, workflow bypass | Client-only validation, price tamper | IAP bypass, receipt validation skip |
| Crypto | Weak hash, missing TLS | HTTP calls, weak CSP | Missing cert pin, cleartext traffic |
| Config | CORS, debug mode, headers | Source maps, debug flags in prod | `debuggable=true`, ATS exceptions |
| Deps/SCA | `npm audit`, `pip-audit`, `cargo audit` | Bundle vuln analysis | `pod audit`, Gradle dependency scan |
| Secrets | Entropy + regex + liveness | Secrets in JS bundles | Keys in BuildConfig/Info.plist |
| LLM/AI | Prompt injection, excessive agency | Output to DOM sinks | Agent tools without confirmation |

## Continuous & Compliance Execution

- **Continuous Testing**: Execute Delta scans on PRs or Replay regression PoCs. See [continuous-pentest](references/continuous-pentest.md).
- **Compliance Mapping**: Map findings to SOC 2, ISO 27001, PCI DSS, or OWASP MASVS. See [compliance-mapping](references/compliance-mapping.md).

## Anti-Patterns

- **No "scan and dump"**: Raw tool output not a pentest. Correlate findings across SAST + DAST + manual.
- **No severity inflation**: Theoretical risk without exploit evidence ≠ confirmed vulnerability.
- **No happy-path-only**: Test error states, edge cases, race conditions, not just golden flow.

## References

- [Platform Reconnaissance](references/platform-recon.md) — Phase 1 recon commands per platform
- [Threat Modeling Guide](references/threat-modeling.md) — Phase 2 attack surface prioritization
- [Exploit Techniques](references/exploit-techniques.md) — Phase 4 PoC construction per vuln class
- [Report Template](references/report-template.md) — Phase 6 audit-grade report format
- [OWASP Mobile Top 10](references/owasp-mobile.md) — Mobile vulnerability detection
- [Compliance Mapping](references/compliance-mapping.md) — SOC 2, ISO 27001, PCI DSS mapping
- [Continuous Pentesting](references/continuous-pentest.md) — CI/CD integration and Delta testing

More from HoangNguyen0403/agent-skills-standard

SkillDescription
android-agp-upgradeUpgrade an Android project to Android Gradle Plugin (AGP) 9. Use when migrating to AGP 9, updating Gradle build files, migrating to built-in Kotlin, or adopting the new AGP DSL.
android-architectureApply Clean Architecture layering, modularization, and Unidirectional Data Flow in Android projects. Use when setting up project structure, placing code in layers, configuring feature/core modules, or implementing UDF patterns.
android-background-workImplement WorkManager and background processing correctly on Android. Use when creating Worker classes, scheduling tasks, choosing between WorkManager and Foreground Services, or setting up Hilt in workers.
android-composeBuild high-performance declarative UI with Jetpack Compose. Use when writing Composable functions, optimizing recomposition, hoisting state, or working with LazyColumn and side effects.
android-compose-migrationMigrate an Android XML View to Jetpack Compose following a structured 10-step workflow. Use when converting XML layouts to Compose, setting up Compose in an existing View-based project, or incrementally adopting Compose.
android-concurrencyWrite correct coroutine scopes, Flow collection, and dispatcher injection in Android. Use when writing suspend functions, choosing between StateFlow and SharedFlow, or injecting Dispatchers for testability.
android-deploymentConfigure release signing, R8 obfuscation, and App Bundle publishing for Android. Use when setting up signing configs, enabling minification, adding ProGuard keep rules, or preparing for Play Store submission.
android-design-systemEnforce Material Design 3 theming and design token usage in Jetpack Compose. Use when implementing M3 components, color schemes, typography, or design tokens.
android-diConfigure Hilt dependency injection with proper scoping, modules, and constructor injection in Android. Use when setting up Hilt DI, defining modules, or configuring component scoping.
android-edge-to-edgeMigrate a Jetpack Compose app to edge-to-edge display and fix system bar inset issues. Use when UI components are obscured by navigation/status bars, fixing IME insets, or enabling edge-to-edge for SDK 35+.