---
name: pentest-client-advanced
description: Advanced client-side attacks: CORS misconfiguration, WebSocket security, clickjacking, postMessage abuse, CSS injection, and browser storage vulnerabilities.
---

# Pentest Client Advanced

## Purpose

Test advanced client-side attack surfaces beyond XSS. Six WSTG-CLNT items remain unchecked in Shannon's pipeline; they are distinct attack classes that require a different methodology from taint analysis.

## Prerequisites

### Authorization Requirements

- **Written authorization** that covers client-side testing scope
- **Test domains** for hosting PoC HTML pages (an attacker-controlled origin)
- **Browser testing environment** with DevTools access
- **Target user simulation**: the ability to test cross-origin interactions

### Environment Setup

- Modern browser with DevTools (Chrome/Firefox)
- Burp Suite for intercepting WebSocket and cross-origin traffic
- Local HTTP server for hosting PoC pages (`python -m http.server`)
- Playwright for automated browser-based attack verification

## Core Workflow

1. **CORS Misconfiguration**: Test for a reflected `Origin` in the `Access-Control-Allow-Origin` header, `null` origin bypass, subdomain wildcard abuse, and credential leakage via cross-origin requests (WSTG-CLNT-07).
2. **WebSocket Security**: Missing authentication on the WS upgrade, CSWSH (Cross-Site WebSocket Hijacking), injection through WS messages, missing `Origin` validation (WSTG-CLNT-10).
3. **Clickjacking**: Missing `X-Frame-Options` / CSP `frame-ancestors`, UI redressing, drag-and-drop hijacking, multi-step clickjacking chains (WSTG-CLNT-09).
4. **postMessage Abuse**: Missing origin validation in message handlers, DOM manipulation via cross-origin messages, prototype pollution through postMessage (WSTG-CLNT-11).
5. **CSS Injection**: Data exfiltration via CSS attribute selectors plus `background-image`, CSS-based keylogging, style injection for UI manipulation (WSTG-CLNT-05).
6. **Client-Side Storage**: Sensitive data in localStorage/sessionStorage, IndexedDB exposure, service worker cache poisoning (WSTG-CLNT-06).
7. **PoC Construction**: Build HTML pages demonstrating each attack with real impact.

## WSTG Coverage

| WSTG ID | Test Name | Status |
|---------|-----------|--------|
| WSTG-CLNT-05 | CSS Injection | ✅ |
| WSTG-CLNT-06 | Client-Side Resource Manipulation | ✅ |
| WSTG-CLNT-07 | Cross-Origin Resource Sharing | ✅ |
| WSTG-CLNT-09 | Clickjacking | ✅ |
| WSTG-CLNT-10 | WebSocket Testing | ✅ |
| WSTG-CLNT-11 | Web Messaging | ✅ |

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| CORS Testing | CORScanner, curl, custom PoC pages | CORS misconfiguration detection |
| WebSocket | websocket-client (Python), Burp WS | WebSocket hijacking and injection |
| Clickjacking | custom HTML iframes, Playwright | UI redressing PoC construction |
| Browser Automation | Playwright, Puppeteer | Automated client-side attack verification |
| Storage Analysis | Browser DevTools, custom JS | localStorage/IndexedDB inspection |

## References

- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors
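The CORS checks in step 1 of the workflow, as an added example that is not part of this skill's `references/`: a small Node.js classifier that takes the `Origin` a tester sent and the response headers that came back (as captured with `curl -i -H "Origin: ..."` or from Burp's proxy history) and names the misconfiguration. The trusted origin, the parent domain, the probe list and the sample responses are all constructed for the example.

```javascript
// Added example (not from this skill's references/): classify the CORS
// response a target returned for each probe Origin a tester sent.
// Header sets below are constructed samples standing in for real captures.

// Assumptions for the example: the application's real origin and its parent domain.
const TRUSTED_ORIGINS = new Set(["https://app.example.test"]);
const PARENT_DOMAIN = "example.test";

// Case-insensitive header lookup; returns null when the header is absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Returns an array of finding codes for one (probe origin, response) pair.
// An empty array means the response grants nothing unexpected to that origin.
function assessCorsResponse(probeOrigin, headers) {
  const acao = header(headers, "Access-Control-Allow-Origin");
  const withCreds =
    (header(headers, "Access-Control-Allow-Credentials") || "").trim().toLowerCase() === "true";
  const findings = [];
  if (acao === null) return findings;

  if (acao === "*") {
    // Browsers refuse "*" combined with credentials, but the intent is still worth recording.
    if (withCreds) findings.push("wildcard-with-credentials");
    return findings;
  }
  if (acao !== probeOrigin) return findings; // fixed allowlist value, not reflecting the probe

  // From here on the server reflected the probe origin verbatim.
  if (probeOrigin === "null") {
    // "null" is what sandboxed iframes and file:// pages send; reflecting it is a bypass.
    findings.push(withCreds ? "null-origin-credentialed" : "null-origin");
    return findings;
  }
  if (TRUSTED_ORIGINS.has(probeOrigin)) return findings; // the one expected allow

  let host = "";
  try { host = new URL(probeOrigin).hostname; } catch (_) { /* malformed probe, treat as foreign */ }
  if (host === PARENT_DOMAIN || host.endsWith("." + PARENT_DOMAIN)) {
    // Every subdomain is trusted: one XSS or takeover on any subdomain reaches this endpoint.
    findings.push(withCreds ? "any-subdomain-credentialed" : "any-subdomain");
  } else {
    findings.push(withCreds ? "reflected-origin-credentialed" : "reflected-origin");
  }
  return findings;
}

// Constructed probe/response pairs. The first five model a server that reflects
// whatever Origin it receives and allows credentials; the last two model a
// correctly configured endpoint (no grant, and a public wildcard without credentials).
const SAMPLES = [
  { origin: "https://app.example.test",
    headers: { "Access-Control-Allow-Origin": "https://app.example.test", "Access-Control-Allow-Credentials": "true" } },
  { origin: "https://evil.example.net",
    headers: { "access-control-allow-origin": "https://evil.example.net", "access-control-allow-credentials": "true" } },
  { origin: "null",
    headers: { "Access-Control-Allow-Origin": "null", "Access-Control-Allow-Credentials": "true" } },
  { origin: "https://notexample.test", // catches a naive endsWith("example.test") check
    headers: { "Access-Control-Allow-Origin": "https://notexample.test", "Access-Control-Allow-Credentials": "true" } },
  { origin: "https://staging.example.test",
    headers: { "Access-Control-Allow-Origin": "https://staging.example.test", "Access-Control-Allow-Credentials": "true" } },
  { origin: "https://evil.example.net", headers: { "Content-Type": "application/json" } },
  { origin: "https://evil.example.net", headers: { "Access-Control-Allow-Origin": "*" } },
];

function assessAll(samples) {
  return samples.map((s) => ({ origin: s.origin, findings: assessCorsResponse(s.origin, s.headers) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of assessAll(SAMPLES)) {
    console.log(r.origin.padEnd(34), r.findings.length ? r.findings.join(", ") : "-");
  }
}
```

Run the file with `node` to get one line per probe. A single response cannot distinguish a server that deliberately allows every subdomain from one doing a substring match on the parent domain, which is why the probe list includes an origin such as `https://notexample.test`: if that one is reflected too, the check is a suffix match rather than a subdomain allowlist, and the finding is the more severe reflected-origin class.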
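The postMessage checks in step 4, as an added example that is not code from this skill: a `message` receiver written the way a tester usually finds it (no origin check, recursive merge of `event.data` into a settings object) next to a hardened version. Only the handler logic is modelled, on plain `{origin, data}` objects, so it runs under Node without a DOM; the allowed origin and the settings schema are assumptions for the example.

```javascript
// Added example (not from this skill's references/): a window "message"
// receiver in its vulnerable and hardened forms. Only the handler logic is
// modelled, on {origin, data} objects, so it runs under Node without a DOM.

// Assumptions for the example: the single origin allowed to push settings,
// and the keys/types a settings update may carry.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const SETTINGS_SCHEMA = { theme: "string", fontSize: "number" };

// Vulnerable pattern: no origin check and a recursive merge that walks every
// key of event.data. Any page that can obtain a reference to this window can
// set any setting, and a payload carrying an own "__proto__" key (as produced
// by JSON.parse) makes the merge recurse into Object.prototype.
function vulnerableHandler(settings, event) {
  const merge = (target, src) => {
    for (const k in src) {
      if (typeof src[k] === "object" && src[k] !== null) {
        if (typeof target[k] !== "object" || target[k] === null) target[k] = {};
        merge(target[k], src[k]);
      } else {
        target[k] = src[k];
      }
    }
  };
  merge(settings, event.data);
  return { accepted: true };
}

// Hardened pattern: exact-match origin allowlist, a fixed message type, and a
// key allowlist with type checks, so unknown keys ("__proto__", "constructor",
// anything not in the schema) are rejected before anything is written.
function hardenedHandler(settings, event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return { accepted: false, reason: "origin-not-allowed" };
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || msg.type !== "update-settings") {
    return { accepted: false, reason: "bad-shape" };
  }
  const update = msg.settings;
  if (typeof update !== "object" || update === null) return { accepted: false, reason: "bad-shape" };
  for (const [key, value] of Object.entries(update)) {
    if (!Object.prototype.hasOwnProperty.call(SETTINGS_SCHEMA, key)) {
      return { accepted: false, reason: "unknown-key:" + key };
    }
    if (typeof value !== SETTINGS_SCHEMA[key]) return { accepted: false, reason: "bad-type:" + key };
  }
  // Every key validated; only now mutate, and only the allowlisted keys.
  for (const [key, value] of Object.entries(update)) settings[key] = value;
  return { accepted: true };
}

// Attaches the hardened handler to a real window when one exists (browser);
// under Node there is no window, so this returns false and does nothing.
function installHandler(settings, win) {
  if (!win || typeof win.addEventListener !== "function") return false;
  win.addEventListener("message", (event) => hardenedHandler(settings, event));
  return true;
}

if (typeof require !== "undefined" && require.main === module) {
  const settings = { theme: "light", fontSize: 12 };
  const foreign = { origin: "https://evil.example.net", data: { type: "update-settings", settings: { theme: "dark" } } };
  console.log("hardened, foreign origin:", hardenedHandler(settings, foreign));
  console.log("vulnerable, foreign origin:", vulnerableHandler({ theme: "light" }, { ...foreign, data: foreign.data.settings }));
}
```

When reviewing a handler, the three things to look for are exactly the three the hardened version adds: an origin comparison that is exact rather than `indexOf`/`startsWith`, validation of the message shape before use, and no generic merge of attacker-shaped objects into application state. Replies sent back with `postMessage` should name the sender's origin as `targetOrigin` rather than `"*"`, which the Node model above cannot show.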