Claude
Skills
Sign in
Back

pentest-report

Included with Lifetime
$97 forever

Generates a structured penetration testing report based on OWASP standards including OWASP Top 10, ASVS, and WSTG methodology. Scans code for vulnerabilities, maps findings to OWASP categories, assigns CVSS scores, and produces a professional pentest report. Use when the user says "pentest report", "penetration testing", "OWASP audit", "OWASP report", "security assessment", "vulnerability assessment", "application security test", or "OWASP compliance check".

Security

What this skill does


# Penetration Testing Report Skill

When generating a penetration testing report, follow OWASP standards and methodology. This skill produces a professional-grade report suitable for compliance reviews, stakeholder communication, and remediation planning.

## 1. Scope & Methodology Discovery

### Determine Scope
```bash
# Application type
cat package.json pyproject.toml Cargo.toml go.mod pom.xml composer.json Gemfile 2>/dev/null | head -30

# Detect web framework (determines attack surface)
cat package.json 2>/dev/null | grep -E "express|fastify|next|nuxt|nest|koa|hapi|django|flask|fastapi|rails|laravel|spring|gin|fiber|echo"

# Detect API type
grep -rn "app.get\|app.post\|@app.route\|@GetMapping\|router\." --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ app/ 2>/dev/null | head -20

# Detect authentication mechanism
grep -rn "jwt\|passport\|oauth\|session\|cookie\|bearer\|auth" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ app/ 2>/dev/null | head -20

# Detect database
grep -rn "postgres\|mysql\|mongo\|redis\|sqlite\|prisma\|sequelize\|typeorm\|mongoose\|sqlalchemy\|knex\|drizzle" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ app/ 2>/dev/null | head -10

# Detect frontend
cat package.json 2>/dev/null | grep -E "react|vue|angular|svelte|next|nuxt"

# Map API endpoints (attack surface)
grep -rn "router\.\(get\|post\|put\|delete\|patch\)\|app\.\(get\|post\|put\|delete\|patch\)\|@app\.route\|@GetMapping\|@PostMapping\|@PutMapping\|@DeleteMapping" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ app/ 2>/dev/null

# Count total endpoints
grep -rn "router\.\(get\|post\|put\|delete\|patch\)\|app\.\(get\|post\|put\|delete\|patch\)" --include="*.ts" --include="*.js" --include="*.py" src/ app/ 2>/dev/null | wc -l

# Infrastructure
ls Dockerfile docker-compose.yml docker-compose.yaml k8s/ terraform/ nginx.conf 2>/dev/null
```

### Testing Methodology

This report follows:

- **OWASP Web Security Testing Guide (WSTG) v4.2** — structured testing methodology
- **OWASP Top 10 (2021)** — most critical web application security risks
- **OWASP Application Security Verification Standard (ASVS) v4.0** — detailed security requirements
- **CVSS v3.1** — Common Vulnerability Scoring System for severity rating

## 2. OWASP Top 10 (2021) Assessment

Test each category systematically:

### A01:2021 — Broken Access Control

**WSTG Tests:**
- WSTG-ATHZ-01: Testing Directory Traversal/File Include
- WSTG-ATHZ-02: Testing for Bypassing Authorization Schema
- WSTG-ATHZ-03: Testing for Privilege Escalation
- WSTG-ATHZ-04: Testing for Insecure Direct Object References (IDOR)
```bash
# Check for missing authorization middleware
grep -rn "router\.\(get\|post\|put\|delete\|patch\)" --include="*.ts" --include="*.js" src/api/ src/routes/ 2>/dev/null | grep -v "auth\|middleware\|protect\|guard\|verify"

# Check for IDOR vulnerabilities — direct ID usage without ownership check
grep -rn "req\.params\.id\|req\.params\.userId\|request\.args\.get.*id" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null

# Check for path traversal
grep -rn "req\.params\|req\.query\|request\.args" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null | grep -i "file\|path\|dir\|upload\|download"

# Check for missing role-based access control
grep -rn "role\|permission\|isAdmin\|hasRole\|authorize\|can(" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null

# Check for CORS misconfiguration
grep -rn "Access-Control-Allow-Origin\|cors(" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null

# Check for missing CSRF protection
grep -rn "csrf\|csrfToken\|_token\|antiforgery" --include="*.ts" --include="*.js" --include="*.py" --include="*.html" src/ 2>/dev/null
```

**What to flag:**
- Endpoints accessible without authentication
- Missing ownership verification on resource access (IDOR)
- Horizontal privilege escalation (user A accessing user B's data)
- Vertical privilege escalation (regular user accessing admin functions)
- CORS with wildcard origin on authenticated endpoints
- Missing CSRF tokens on state-changing operations
- Directory traversal in file operations
- Missing rate limiting on sensitive endpoints

### A02:2021 — Cryptographic Failures

**WSTG Tests:**
- WSTG-CRYP-01: Testing for Weak Transport Layer Security
- WSTG-CRYP-02: Testing for Padding Oracle
- WSTG-CRYP-03: Testing for Sensitive Information via Unencrypted Channels
- WSTG-CRYP-04: Testing for Weak Encryption
```bash
# Check for weak hashing algorithms
grep -rn "md5\|sha1\|SHA1\|MD5" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ 2>/dev/null | grep -v "node_modules\|test\|spec"

# Check for weak encryption
grep -rn "DES\|RC4\|ECB\|Blowfish" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ 2>/dev/null

# Check for hardcoded encryption keys
grep -rn "encryption_key\|ENCRYPTION_KEY\|secret_key\|SECRET_KEY\|private_key" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null | grep -v "process\.env\|os\.environ\|config\.\|\.env"

# Check for insecure random
grep -rn "Math\.random\|random\.random\|rand()\|srand" --include="*.ts" --include="*.js" --include="*.py" --include="*.php" src/ 2>/dev/null

# Check password hashing
grep -rn "bcrypt\|argon2\|scrypt\|pbkdf2" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null

# Check for sensitive data in plain text
grep -rn "password.*=\|creditCard\|ssn\|social_security\|credit_card" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null | grep -v "test\|spec\|mock\|hash\|bcrypt"

# Check TLS configuration
grep -rn "http://\|ssl.*false\|verify.*false\|rejectUnauthorized.*false\|VERIFY_NONE" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ 2>/dev/null
```

**What to flag:**
- Passwords stored with MD5/SHA1 instead of bcrypt/argon2
- Sensitive data transmitted over HTTP
- Hardcoded encryption keys or secrets
- Weak TLS configuration
- Math.random() for security-sensitive values
- Sensitive data stored unencrypted at rest
- Missing HSTS headers

### A03:2021 — Injection

**WSTG Tests:**
- WSTG-INPV-05: Testing for SQL Injection
- WSTG-INPV-06: Testing for LDAP Injection
- WSTG-INPV-07: Testing for XML Injection
- WSTG-INPV-12: Testing for Command Injection
- WSTG-INPV-11: Testing for Code Injection
```bash
# SQL Injection — string concatenation in queries
grep -rn "SELECT.*\+\|INSERT.*\+\|UPDATE.*\+\|DELETE.*\+\|WHERE.*\+\|\`SELECT\|\`INSERT\|\`UPDATE\|\`DELETE" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" --include="*.php" src/ 2>/dev/null | grep -v "test\|spec\|mock"

# SQL Injection — template literals in queries
grep -rn "query.*\${\|execute.*\${" --include="*.ts" --include="*.js" src/ 2>/dev/null

# NoSQL Injection
grep -rn "find(\|findOne(\|updateOne(\|deleteOne(" --include="*.ts" --include="*.js" src/ 2>/dev/null | grep "req\.\|request\."

# Command Injection
grep -rn "exec(\|execSync\|spawn(\|system(\|popen\|subprocess\.\(call\|run\|Popen\)" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null

# XSS — innerHTML and dangerouslySetInnerHTML
grep -rn "innerHTML\|dangerouslySetInnerHTML\|v-html\|\.html(\|{!!.*!!}" --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" --include="*.vue" --include="*.php" src/ 2>/dev/null

# Template Injection
grep -rn "render_template_string\|Template(\|Jinja2\|eval(" --include="*.py" --include="*.js" --include="*.ts" src/ 2>/dev/null

# LDAP Injection
grep -rn "ldap\.\|LDAP\.\|search_s\|search_ext" --include="*.py" --include="*.java" src/ 2>/dev/null

# XPath Injection
grep -rn "xpath\|XPath\|selectNodes\|evaluate(" --include="*.ts" --include="*.js" --include="*.java" src/ 2>/dev/null
```

**What to flag:**
- String concatenation or template literals in SQL queries
- User input passed directly to MongoDB queries
- User input in
Files: 1
Size: 31.3 KB
Complexity: 42/100
Category: Security
Source: https://github.com/aakash-dhar/claude-skills/tree/main/skills/TPM & Project Management Skills/pentest-report

Related in Security

mac-ops

Included

Comprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.

Securityscripts

a11y-audit

Included

Run accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).

Securityscripts

erpclaw

Included

AI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.

Securityscripts

assess

Included

Assesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.

Securityscripts

spring-boot-security-jwt

Included

Provides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.

Securityscripts

code-hardcode-audit

Included

Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.

Securityscripts
Sign up & unlock — $97