common-pentest-methodology
PTES-aligned penetration testing methodology for backend, frontend, and mobile. Provides an attack taxonomy, exploit techniques per vulnerability class, and platform-specific test matrices. Use when executing the pentest workflow, planning security assessments, mapping attack surfaces, or building threat models.
What this skill does
# Penetration Testing Methodology (PTES-Aligned)

## Priority: P0 (CRITICAL)

## Always-Apply Rules

- **No Exploit = No Report**: Every finding requires a reproducible Proof-of-Concept. Hypotheses without a PoC are discarded.
- **No Production Testing**: All dynamic probes target local/staging only. Confirm authorization before Phase 1.
- **No Single-Platform Bias**: Assess backend, frontend, AND mobile surfaces when they are in scope.

## Workflow

Load alongside the `/pentest` workflow. Provides the methodology backbone for all 7 phases (numbered 0 to 6 below, matching the phase numbers used in the reference documents).

0. **Scope** → Define test mode (whitebox/greybox/blackbox), platforms, exclusions.
1. **Recon** → Build an asset inventory per platform. See [platform-recon](references/platform-recon.md).
2. **Threat Model** → Rank endpoints by risk. See [threat-modeling](references/threat-modeling.md).
3. **Analyze** → Run the vulnerability matrix across all domains. Load `common-owasp`, `common-security-audit`, `common-dast-tooling`.
4. **Exploit** → Validate each finding with a PoC. See [exploit-techniques](references/exploit-techniques.md).
5. **Post-Exploit** → Assess blast radius, lateral movement, privilege escalation.
6. **Report** → Audit-grade output with CVSS scoring. See [report-template](references/report-template.md) and [compliance-mapping](references/compliance-mapping.md).
## Platform Coverage Matrix

| Domain | Backend/API | Frontend/Web | Mobile (iOS/Android) |
|---|---|---|---|
| Injection | SQLi, CMDi, NoSQLi, LDAPi | Template injection, DOM sinks | Content provider SQLi, Intent injection |
| XSS | Missing response encoding | DOM XSS, `innerHTML`, framework bypasses | WebView `loadUrl`, JavaScript bridges |
| Auth | JWT, OAuth, Session, MFA | Token storage, session management | Keychain/Keystore, biometric bypass |
| AuthZ | BOLA/IDOR, BFLA, Mass Assignment | Client-side role gates | Local permission checks without server enforcement |
| SSRF | HTTP client + user-supplied URL | SSR with user-supplied URL | Custom scheme fetching arbitrary URLs |
| Business Logic | Race conditions, workflow bypass | Client-only validation, price tampering | IAP bypass, receipt validation skip |
| Crypto | Weak hash, missing TLS | Plain HTTP calls, weak CSP | Missing cert pinning, cleartext traffic |
| Config | CORS, debug mode, headers | Source maps, debug flags in prod | `debuggable=true`, ATS exceptions |
| Deps/SCA | `npm audit`, `pip-audit`, `cargo audit` | Bundle vuln analysis | CocoaPods/SPM lockfile audit, Gradle dependency scan |
| Secrets | Entropy + regex detection, liveness check | Secrets in JS bundles | Keys in BuildConfig/Info.plist |
| LLM/AI | Prompt injection, excessive agency | Output to DOM sinks | Agent tools without confirmation |

## Continuous & Compliance Execution

- **Continuous Testing**: Execute delta scans on PRs or replay regression PoCs. See [continuous-pentest](references/continuous-pentest.md).
- **Compliance Mapping**: Map findings to SOC 2, ISO 27001, PCI DSS, or OWASP MASVS. See [compliance-mapping](references/compliance-mapping.md).

## Anti-Patterns

- **No "scan and dump"**: Raw tool output is not a pentest. Correlate findings across SAST + DAST + manual testing.
- **No severity inflation**: Theoretical risk without exploit evidence ≠ confirmed vulnerability.
- **No happy-path-only**: Test error states, edge cases, and race conditions, not just the golden flow.
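The "No Exploit = No Report" rule, the Race conditions cell of the matrix, the "No happy-path-only" anti-pattern and the "replay regression PoCs" step all come down to the same artifact: a PoC that produces evidence and can be rerun after the fix. The block below is an added example, not code from this skill or the `/pentest` workflow: a concurrency harness that races a single-use coupon redemption. `CouponStore` is a constructed in-process stand-in for the target's redemption handler (a sleep stands in for the database round trip between the check and the write), so the harness runs offline; against a staging target the `redeem` callable would issue the HTTP request instead.

```python
"""Race-condition PoC harness for a single-use coupon endpoint.

Added example for this skill. CouponStore is a constructed stand-in for the
target's coupon table and redemption handler so the PoC runs offline.
"""
import threading
import time
from dataclasses import dataclass


class CouponStore:
    """Constructed stand-in: one-shot coupons plus a vulnerable and a fixed handler."""

    def __init__(self, codes, io_latency=0.1):
        self.redeemed = {code: False for code in codes}
        self.credits_granted = 0
        self.io_latency = io_latency      # stands in for the DB round trip between check and write
        self._lock = threading.Lock()

    def redeem_vulnerable(self, code):
        """Check-then-act with a window between the read and the write (TOCTOU)."""
        if self.redeemed.get(code) is not False:   # unknown code or already used
            return False
        time.sleep(self.io_latency)                 # every racing request passes the check here
        self.redeemed[code] = True
        self.credits_granted += 1
        return True

    def redeem_fixed(self, code):
        """Check and write inside one critical section. In a real service the
        equivalent is an atomic conditional update such as
        UPDATE coupons SET redeemed=1 WHERE code=? AND redeemed=0,
        granting credit only when exactly one row changed."""
        with self._lock:
            if self.redeemed.get(code) is not False:
                return False
            time.sleep(self.io_latency)
            self.redeemed[code] = True
            self.credits_granted += 1
            return True


@dataclass
class PocResult:
    """Evidence for the report: what was sent and what the target did."""
    attempts: int
    successes: int
    credits_granted: int

    @property
    def exploited(self):
        # A single-use coupon accepted more than once is the reproducible finding.
        return self.successes > 1


def race(redeem, code, attempts=10):
    """Fire `attempts` concurrent redemptions, released by a barrier so they
    all reach the server-side check inside the same window."""
    barrier = threading.Barrier(attempts)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()                  # all workers start their request at once
        ok = redeem(code)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def run_poc(store, redeem, code, attempts=10):
    """Run the race and package the outcome as report evidence."""
    results = race(redeem, code, attempts)
    return PocResult(attempts=attempts, successes=sum(results),
                     credits_granted=store.credits_granted)


if __name__ == "__main__":
    vulnerable = CouponStore(["SAVE10"])
    print("vulnerable:", run_poc(vulnerable, vulnerable.redeem_vulnerable, "SAVE10"))
    fixed = CouponStore(["SAVE10"])
    print("fixed:     ", run_poc(fixed, fixed.redeem_fixed, "SAVE10"))
```

The same harness doubles as the regression PoC: once the developers ship the fix, rerunning it against staging with `exploited` expected to be false is the CI check, and the `PocResult` is the evidence block that goes in the report rather than a screenshot of a scanner.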
## References

- [Platform Reconnaissance](references/platform-recon.md) — Phase 1 recon commands per platform
- [Threat Modeling Guide](references/threat-modeling.md) — Phase 2 attack surface prioritization
- [Exploit Techniques](references/exploit-techniques.md) — Phase 4 PoC construction per vuln class
- [Report Template](references/report-template.md) — Phase 6 audit-grade report format
- [OWASP Mobile Top 10](references/owasp-mobile.md) — Mobile vulnerability detection
- [Compliance Mapping](references/compliance-mapping.md) — SOC 2, ISO 27001, PCI DSS mapping
- [Continuous Pentesting](references/continuous-pentest.md) — CI/CD integration and delta testing