Penetration Testing Skill

Comprehensive penetration testing knowledge base with 46+ attack types, 264+ lab walkthroughs, and industry-standard methodologies.

Navigation

• attacks/ - All attack documentation organized by category (see structure below)

When to Use

• Authorized security assessments and penetration tests
• Vulnerability assessments (web apps, networks, systems)
• Bug bounty hunting and security research
• BSCP/OSCP/OSWE certification prep
• CTF competitions and challenges
• Professional security testing engagements

Attack Categories

Copyattacks/
├── injection/          # SQL, NoSQL, Command, SSTI, XXE, LDAP
├── client-side/        # XSS, CSRF, Clickjacking, CORS, DOM, Prototype Pollution (Playwright-based)
├── server-side/        # SSRF, HTTP Smuggling, File Upload, Path Traversal
├── authentication/     # Auth Bypass, OAuth, JWT, Password Attacks (Playwright workflows)
├── api-security/       # GraphQL, REST API, WebSockets, Web LLM
├── web-applications/   # Business Logic, Race Conditions, Access Control (Playwright testing)
├── network/            # Scanning, Sniffing, MITM, DNS, Wireless
├── system/             # Privilege Escalation, Exploit Development, Active Directory
├── cloud-containers/   # AWS, Azure, GCP, Kubernetes, Docker
└── essential-skills/   # Playwright Automation, Methodology, Reporting

Methodology

IMPORTANT: This skill uses a polymethodology combining industry frameworks:

• PTES - 7-phase lifecycle (pre-engagement → reporting)
• OWASP WSTG - 11 technical testing categories
• MITRE ATT&CK - Real-world adversary TTPs
• FHM - Scientific hypothesis-driven testing

Multi-Agent Parallel Testing

Deploy specialized agents in parallel for 6x faster testing:

• Injection agents (SQL, NoSQL, Command, SSTI, XXE)
• Client-side agents (XSS, CSRF, Clickjacking, CORS, DOM)
• Server-side agents (SSRF, HTTP Smuggling, File Upload)
• Authentication agents (Auth Bypass, OAuth, JWT)
• API security agents (GraphQL, REST, WebSockets)
• Business logic agents (Logic Flaws, Race Conditions)

7-Phase Testing Lifecycle

1. Pre-Engagement - Written authorization, scope, RoE
2. Intelligence Gathering - Passive/active recon, attack surface mapping
3. Threat Modeling - Prioritize targets, identify TTPs, create attack trees
4. Vulnerability Analysis - Automated scanning + manual OWASP WSTG testing
5. Exploitation - PoC exploits, test exploit chains, validate impact
6. Post-Exploitation - Privilege escalation, lateral movement, persistence
7. Reporting - Executive summary + technical findings with CVSS scores

Flaw Hypothesis Methodology

Apply scientific method to pentesting:

1. Information Gathering - Collect tech stack and architecture details
2. Hypothesis Generation - Predict vulnerabilities based on technologies
3. Experimentation - Test hypotheses with PoC exploits
4. Generalization - Test similar flaws in related components
5. Analysis - Correlate findings, identify exploit chains
6. Reporting - Document hypotheses, experiments, and results

Quick Start by Use Case

Beginners:

1. essential-skills/playwright-automation.md - Master browser automation fundamentals
2. client-side/xss/ - Learn XSS with Playwright walkthroughs (33 labs)
3. injection/sql-injection/ - Server-side vulnerabilities (18 labs)

Bug Bounty Hunters:

• High volume: client-side/xss/, web-applications/access-control/
• High severity: injection/sql-injection/, server-side/ssrf/, authentication/auth-bypass/
• Cutting edge: authentication/oauth/, api-security/graphql/, client-side/prototype-pollution/

BSCP Certification: Focus on injection/, client-side/, server-side/, and authentication/ categories using Playwright for browser-based testing (60-80 hours)

Professional Pentesters: Complete all attack categories with emphasis on methodology and reporting (80-120 hours)

Documentation Structure

Each attack type includes:

• Quickstart - Rapid exploitation guide
• Cheat sheet - Payload/command reference
• Lab walkthroughs - Step-by-step PortSwigger solutions
• Methodology - Structured testing approach
• Resources - Tools and references

Tools

Primary: Playwright MCP Server (see essential-skills/playwright-automation.md)

• Browser automation for comprehensive web application testing
• Client-side vulnerability testing (XSS, CSRF, DOM-based, Clickjacking)
• Multi-step exploitation workflows with step-by-step walkthroughs
• JavaScript execution and DOM manipulation
• Screenshot and video capture for evidence
• SPA and dynamic application testing
• Network traffic monitoring and console log capture

HTTP Testing: curl, Python requests, httpx (for server-side and API testing)

Specialized: sqlmap, tplmap, ysoserial, nmap, Metasploit, Hashcat, awscli, kubectl

Standards & Mappings

All documentation maps to OWASP Top 10, MITRE ATT&CK, CWE, CAPEC, and CVSS v3.1.

Coverage

46+ attack types | 264+ labs | 200+ CVE examples | Complete BSCP/OSCP/OSWE prep

Legal & Ethical

IMPORTANT: Only test authorized systems:

• ✅ PortSwigger Academy labs, HackTheBox, TryHackMe, bug bounty programs (in-scope), contracted pentests with RoE
• ❌ Never test without written authorization, exceed scope, cause damage, or skip responsible disclosure

Output Structure

Format: Vulnerability Testing (Findings + Evidence + Professional Reports)

See /.claude/OUTPUT_STANDARDS.md for complete specification.

When performing actual testing (not just learning):

• Generate findings.json with all vulnerabilities
• CRITICAL: Each vulnerability MUST have verified PoC script (poc.py)
• Test PoC and capture output (poc_output.txt) - vulnerabilities without working PoCs are NOT verified
• Document exploit workflow (workflow.md) and attack description (description.md)
• Capture evidence (screenshots, HTTP, videos)
• Create professional executive and technical reports
• Use standard CVSS, CWE, OWASP mappings

PoC Verification Requirements: Every vulnerability must have:

1. findings/finding-NNN/poc.py - Tested, working exploit script
2. findings/finding-NNN/poc_output.txt - Proof of successful execution
3. findings/finding-NNN/workflow.md - Step-by-step manual exploitation
4. findings/finding-NNN/description.md - Technical attack details
5. findings/finding-NNN/report.md - Complete vulnerability report

Vulnerabilities without verified PoCs are NOT considered confirmed and MUST NOT be reported.

Professional Report Requirements: Follow industry-standard penetration testing report format (PTES, OWASP, SANS):

Required deliverables:

1. Executive Report (1-2 pages) - For C-level executives and business stakeholders

   • Assessment overview, scope, methodology
   • Business impact analysis (financial, compliance, operational, reputational)
   • Findings summary with top 3-5 critical/high risks
   • Strategic recommendations with timeline

2. Technical Report (Comprehensive) - For security teams and technical staff

   • Detailed methodology and tools used
   • Complete findings with CVSS v3.1 scores
   • Technical details, PoC scripts, evidence
   • Remediation guidance with prioritization (P0: 0-7 days, P1: 7-30 days, etc.)
   • OWASP Top 10, CWE, and MITRE ATT&CK mappings

3. JSON Output - Machine-readable findings.json for automation and SIEM integration

Report template location: attacks/essential-skills/reporting/PROFESSIONAL_REPORT_STANDARD.md

See the professional report standard for complete templates, examples, and quality checklists.

Using This Skill

1. Review scope and authorization
2. Set up Playwright MCP server (essential-skills/playwright-automation.md)
3. Follow methodology (essential-skills/methodology/)
4. Navigate to relevant attack category in attacks/ directory
5. Use Playwright step-by-step walkthroughs for experiments
6. Document findings per OUTPUT_STANDARDS.md with Playwright evidence
7. Generate professional reports (essential-skills/reporting/PROFESSIONAL_REPORT_STANDARD.md)

For detailed attack documentation, explore the attacks/ directory structure organized by category.