---
name: pentest-config-hardening
description: Security header auditing, TLS configuration testing, HTTP method analysis, CSP bypass assessment, and deployment hardening verification.
---

# Pentest Config Hardening

## Purpose

Shannon checks only 2 of 14 WSTG-CONF items. The remaining 12 are "low-hanging fruit" findings expected in every professional pentest report, and they are straightforward to test systematically.

## Prerequisites

### Authorization Requirements

- **Written authorization** with infrastructure testing scope
- **Target URL list** for all web-facing endpoints
- **CDN/WAF awareness**: some headers may be set by infrastructure rather than by the application

### Environment Setup

- testssl.sh for comprehensive TLS analysis
- nmap with the ssl-enum-ciphers script
- curl for manual header inspection
- nuclei with misconfig templates

## Core Workflow

1. **HTTP Security Headers**: Audit HSTS (+ preload), CSP policy analysis, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, CORP/COEP/COOP (WSTG-CONF-07/14).
2. **TLS Configuration**: Protocol versions (TLS 1.0/1.1 deprecation), cipher suite strength, certificate validity, HSTS preload status, certificate transparency.
3. **HTTP Method Handling**: OPTIONS enumeration, PUT/DELETE on static resources, TRACE for XST, method override headers (WSTG-CONF-06).
4. **Infrastructure Exposure**: Admin interfaces (WSTG-CONF-05), default credentials on management consoles, exposed monitoring endpoints (/metrics, /health, /debug).
5. **Cloud Storage Misconfig**: Public S3 buckets, Azure blob containers, GCP storage referenced in app code or responses (WSTG-CONF-11).
6. **CSP Bypass Analysis**: unsafe-inline, unsafe-eval, overly broad source lists, JSONP on allowed domains, missing base-uri (WSTG-CONF-12).
7. **Cookie Security**: Secure flag, HttpOnly flag, SameSite attribute, cookie scope, session cookie entropy.
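The header, CSP and cookie checks from workflow steps 1, 6 and 7 can be scripted so that a report lists every gap consistently. The following is an added example, not code from this skill or its `references/` files: an offline audit that takes a dictionary of response headers plus the raw `Set-Cookie` values (in practice copied from `curl -sI <url>` or an HTTP client) and returns graded findings. The sample response and the thresholds (one-year HSTS `max-age`, the severity labels) are constructed baselines chosen for the example, not values defined by the skill.

```python
"""Offline audit of HTTP security headers, CSP directives and cookie attributes.

Added example (assumption-laden): severities and thresholds are this example's
own choices, and the sample response below is constructed, not captured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; common HSTS / preload-list minimum


@dataclass
class Finding:
    check: str
    severity: str  # "info" | "low" | "medium" | "high"
    detail: str


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [sources]} (directive names are case-insensitive)."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        parts = chunk.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_csp(policy: str) -> list[Finding]:
    """Flag the CSP weaknesses from WSTG-CONF-12: unsafe keywords, broad sources, missing fallbacks."""
    findings: list[Finding] = []
    d = parse_csp(policy)
    script_src = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script_src)
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append(Finding("csp", "high", "script-src allows 'unsafe-inline' without a nonce or hash"))
    if "'unsafe-eval'" in script_src:
        findings.append(Finding("csp", "medium", "script-src allows 'unsafe-eval'"))
    broad = [s for s in script_src if s in ("*", "http:", "https:", "data:") or s.startswith("*.")]
    if broad:
        findings.append(Finding("csp", "high", f"script-src has overly broad sources: {', '.join(broad)}"))
    if "base-uri" not in d:
        findings.append(Finding("csp", "medium", "base-uri directive missing"))
    if "object-src" not in d and "default-src" not in d:
        findings.append(Finding("csp", "medium", "object-src missing and no default-src fallback"))
    return findings


def audit_headers(headers: dict[str, str]) -> list[Finding]:
    """Check the WSTG-CONF-07/14 header set; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[Finding] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("hsts", "medium", "Strict-Transport-Security header missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(Finding("hsts", "low", f"HSTS max-age {max_age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(Finding("hsts", "low", "HSTS lacks includeSubDomains"))
        if "preload" not in hsts.lower():
            findings.append(Finding("hsts", "info", "HSTS lacks the preload directive"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(Finding("x-content-type-options", "low", "X-Content-Type-Options: nosniff missing"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(Finding("csp", "medium", "Content-Security-Policy header missing"))
    else:
        findings.extend(audit_csp(csp))

    # Framing protection can come from either X-Frame-Options or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in parse_csp(csp or ""):
        findings.append(Finding("x-frame-options", "medium", "no framing protection (X-Frame-Options or frame-ancestors)"))

    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(Finding(name, "low", f"{name} header missing"))
    for name in ("cross-origin-opener-policy", "cross-origin-embedder-policy", "cross-origin-resource-policy"):
        if name not in h:
            findings.append(Finding(name, "info", f"{name} header missing"))
    return findings


def audit_cookies(set_cookie_values: list[str]) -> list[Finding]:
    """Check Secure, HttpOnly, SameSite and Domain scope on each Set-Cookie value."""
    findings: list[Finding] = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else "") for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(Finding("cookie", "medium", f"{name}: missing Secure"))
        if "httponly" not in attrs:
            findings.append(Finding("cookie", "medium", f"{name}: missing HttpOnly"))
        samesite = attrs.get("samesite", "").lower()
        if samesite not in ("lax", "strict"):
            findings.append(Finding("cookie", "low", f"{name}: SameSite is {samesite or 'unset'}"))
        if "domain" in attrs:
            findings.append(Finding("cookie", "info", f"{name}: Domain={attrs['domain']} widens scope beyond host-only"))
    return findings


def audit_response(headers: dict[str, str], cookies: list[str]) -> list[Finding]:
    return audit_headers(headers) + audit_cookies(cookies)


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: a partially hardened response, as `curl -sI` might show it.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print(f"[{f.severity:6}] {f.check}: {f.detail}")
    print(summarize(audit_response(SAMPLE_HEADERS, SAMPLE_COOKIES)))
```

Run it against headers captured from both the edge (CDN/WAF) and the origin where you can reach it: the prerequisites note that infrastructure may inject headers, so an origin-only gap is a different finding from an end-to-end one. The CSP check intentionally treats a nonce or hash as neutralising `'unsafe-inline'`, since browsers ignore that keyword when either is present.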
## WSTG Coverage

| WSTG ID | Test Name | Status |
|---------|-----------|--------|
| WSTG-CONF-02 | Test Application Platform Configuration | ✅ |
| WSTG-CONF-03 | Test File Extensions Handling | ✅ |
| WSTG-CONF-04 | Review Old Backup and Unreferenced Files | ✅ |
| WSTG-CONF-05 | Enumerate Infrastructure and Admin Interfaces | ✅ |
| WSTG-CONF-06 | Test HTTP Methods | ✅ |
| WSTG-CONF-07 | Test HTTP Strict Transport Security | ✅ |
| WSTG-CONF-08 | Test RIA Cross Domain Policy | ✅ |
| WSTG-CONF-09 | Test File Permission | ✅ |
| WSTG-CONF-11 | Test Cloud Storage | ✅ |
| WSTG-CONF-12 | Test Content Security Policy | ✅ |
| WSTG-CONF-13 | Test for Subdomain Takeover | ✅ |
| WSTG-CONF-14 | Test Security Headers | ✅ |

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| TLS Testing | testssl.sh, nmap ssl-enum-ciphers | Protocol and cipher analysis |
| Header Audit | SecurityHeaders.com API, Mozilla Observatory | Security header grading |
| Method Testing | curl, nmap http-methods | HTTP method enumeration |
| CSP Analysis | CSP Evaluator, custom scripts | CSP bypass assessment |
| Cloud Storage | S3Scanner, cloud_enum | Public bucket detection |
| Subdomain | subjack, can-i-take-over-xyz | Subdomain takeover detection |

## References

- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors