common-pentest-methodology
$
npx mdskill add HoangNguyen0403/agent-skills-standard/common-pentest-methodology- **No Exploit = No Report**: Every finding requires reproducible Proof-of-Concept. Hypotheses without PoC are discarded. - **No Production Testing**: All dynamic probes target local/staging only. Confirm authorization before Phase 1. - **No Single-Platform Bias**: Assess backend, frontend, AND mobile surfaces when in-scope.
SKILL.md
.github/skills/common-pentest-methodologyView on GitHub ↗
---
name: common-pentest-methodology
description: PTES-aligned penetration testing methodology for backend, frontend, and mobile. Provides attack taxonomy, exploit techniques per vulnerability class, and platform-specific test matrices. Use when executing pentest workflow, planning security assessments, mapping attack surfaces, or building threat models.
metadata:
triggers:
keywords:
- pentest
- penetration test
- red team
- attack surface
- threat model
- PTES
- security assessment
- exploit
- hacker score
---
# Penetration Testing Methodology (PTES-Aligned)
## **Priority: P0 (CRITICAL)**
## Always-Apply Rules
- **No Exploit = No Report**: Every finding requires reproducible Proof-of-Concept. Hypotheses without PoC are discarded.
- **No Production Testing**: All dynamic probes target local/staging only. Confirm authorization before Phase 1.
- **No Single-Platform Bias**: Assess backend, frontend, AND mobile surfaces when in-scope.
## Workflow
Load alongside `/pentest` workflow. Provides methodology backbone for all 7 phases.
1. **Scope** → Define test mode (whitebox/greybox/blackbox), platforms, exclusions.
2. **Recon** → Build asset inventory per platform. See [platform-recon](references/platform-recon.md).
3. **Threat Model** → Rank endpoints by risk. See [threat-modeling](references/threat-modeling.md).
4. **Analyze** → Run vulnerability matrix across all domains. Load `common-owasp`, `common-security-audit`, `common-dast-tooling`.
5. **Exploit** → Validate each finding with PoC. See [exploit-techniques](references/exploit-techniques.md).
6. **Post-Exploit** → Assess blast radius, lateral movement, privilege escalation.
7. **Report** → Audit-grade output with CVSS scoring. See [report-template](references/report-template.md) and [compliance-mapping](references/compliance-mapping.md).
## Platform Coverage Matrix
| Domain | Backend/API | Frontend/Web | Mobile (iOS/Android) |
|---|---|---|---|
| Injection | SQLi, CMDi, NoSQLi, LDAPi | Template injection, DOM sinks | Content provider SQLi, Intent injection |
| XSS | Response encoding | DOM XSS, `innerHTML`, framework bypasses | WebView `loadUrl`, JavaScript bridges |
| Auth | JWT, OAuth, Session, MFA | Token storage, session management | Keychain/Keystore, biometric bypass |
| AuthZ | BOLA/IDOR, BFLA, Mass Assignment | Client-side role gates | Local permission checks without server |
| SSRF | HTTP client + user URL | SSR with user-supplied URL | Custom scheme fetching arbitrary URLs |
| Business Logic | Race conditions, workflow bypass | Client-only validation, price tamper | IAP bypass, receipt validation skip |
| Crypto | Weak hash, missing TLS | HTTP calls, weak CSP | Missing cert pin, cleartext traffic |
| Config | CORS, debug mode, headers | Source maps, debug flags in prod | `debuggable=true`, ATS exceptions |
| Deps/SCA | `npm audit`, `pip-audit`, `cargo audit` | Bundle vuln analysis | `pod audit`, Gradle dependency scan |
| Secrets | Entropy + regex + liveness | Secrets in JS bundles | Keys in BuildConfig/Info.plist |
| LLM/AI | Prompt injection, excessive agency | Output to DOM sinks | Agent tools without confirmation |
## Continuous & Compliance Execution
- **Continuous Testing**: Execute Delta scans on PRs or Replay regression PoCs. See [continuous-pentest](references/continuous-pentest.md).
- **Compliance Mapping**: Map findings to SOC 2, ISO 27001, PCI DSS, or OWASP MASVS. See [compliance-mapping](references/compliance-mapping.md).
## Anti-Patterns
- **No "scan and dump"**: Raw tool output not a pentest. Correlate findings across SAST + DAST + manual.
- **No severity inflation**: Theoretical risk without exploit evidence ≠ confirmed vulnerability.
- **No happy-path-only**: Test error states, edge cases, race conditions, not just golden flow.
## References
- [Platform Reconnaissance](references/platform-recon.md) — Phase 1 recon commands per platform
- [Threat Modeling Guide](references/threat-modeling.md) — Phase 2 attack surface prioritization
- [Exploit Techniques](references/exploit-techniques.md) — Phase 4 PoC construction per vuln class
- [Report Template](references/report-template.md) — Phase 6 audit-grade report format
- [OWASP Mobile Top 10](references/owasp-mobile.md) — Mobile vulnerability detection
- [Compliance Mapping](references/compliance-mapping.md) — SOC 2, ISO 27001, PCI DSS mapping
- [Continuous Pentesting](references/continuous-pentest.md) — CI/CD integration and Delta testing
More from HoangNguyen0403/agent-skills-standard
- android-agp-upgradeUpgrade an Android project to Android Gradle Plugin (AGP) 9. Use when migrating to AGP 9, updating Gradle build files, migrating to built-in Kotlin, or adopting the new AGP DSL.
- android-architectureApply Clean Architecture layering, modularization, and Unidirectional Data Flow in Android projects. Use when setting up project structure, placing code in layers, configuring feature/core modules, or implementing UDF patterns.
- android-background-workImplement WorkManager and background processing correctly on Android. Use when creating Worker classes, scheduling tasks, choosing between WorkManager and Foreground Services, or setting up Hilt in workers.
- android-composeBuild high-performance declarative UI with Jetpack Compose. Use when writing Composable functions, optimizing recomposition, hoisting state, or working with LazyColumn and side effects.
- android-compose-migrationMigrate an Android XML View to Jetpack Compose following a structured 10-step workflow. Use when converting XML layouts to Compose, setting up Compose in an existing View-based project, or incrementally adopting Compose.
- android-concurrencyWrite correct coroutine scopes, Flow collection, and dispatcher injection in Android. Use when writing suspend functions, choosing between StateFlow and SharedFlow, or injecting Dispatchers for testability.
- android-deploymentConfigure release signing, R8 obfuscation, and App Bundle publishing for Android. Use when setting up signing configs, enabling minification, adding ProGuard keep rules, or preparing for Play Store submission.
- android-design-systemEnforce Material Design 3 theming and design token usage in Jetpack Compose. Use when implementing M3 components, color schemes, typography, or design tokens.
- android-diConfigure Hilt dependency injection with proper scoping, modules, and constructor injection in Android. Use when setting up Hilt DI, defining modules, or configuring component scoping.
- android-edge-to-edgeMigrate a Jetpack Compose app to edge-to-edge display and fix system bar inset issues. Use when UI components are obscured by navigation/status bars, fixing IME insets, or enabling edge-to-edge for SDK 35+.