---
name: "Penetration Testing Checklist"
description: "Systematic web application penetration testing methodology. Apply when performing authorized security assessments, bug bounty hunting, or pre-deployment security validation. Covers recon, scanning, exploitation, and reporting."
allowed-tools: Read, Write, Edit, Bash, Grep, Glob
version: 2.1.0
compatibility: Claude Opus 4.6, Sonnet 4.6, Claude Code v2.1.x
updated: 2026-03-26
---
# Penetration Testing Checklist
Systematic methodology for authorized web application security testing.
**IMPORTANT:** Only use this skill for authorized security testing — pentesting engagements, bug bounty programs, CTF challenges, or testing your own applications.
## Overview
This skill provides a structured pentest workflow:
1. **Reconnaissance** — Gather information about the target
2. **Scanning** — Identify attack surface and vulnerabilities
3. **Exploitation** — Validate vulnerabilities (with permission)
4. **Post-Exploitation** — Assess impact and lateral movement
5. **Reporting** — Document findings with remediation guidance
## Phase 1: Reconnaissance
### Passive Recon (No direct interaction with target)
```bash
# DNS enumeration
dig +short target.com
dig +short -t MX target.com
dig +short -t TXT target.com

# Subdomain discovery
# Use tools like subfinder, amass, or online services

# Technology fingerprinting (check HTTP headers)
# Note: the curl requests below do contact the target, but look like ordinary browsing
curl -sI https://target.com | grep -iE "(server|x-powered|x-frame|content-security)"

# Check robots.txt and sitemap
curl -s https://target.com/robots.txt
curl -s https://target.com/sitemap.xml
```
### Active Recon (Direct interaction)
```bash
# Port scanning (with authorization)
nmap -sV -sC -oN scan_results.txt target.com

# Web technology detection
# Check response headers, JavaScript libraries, CSS frameworks

# Directory enumeration (with authorization)
# Use wordlists to discover hidden paths and files
```
## Phase 2: Vulnerability Scanning
### Authentication Testing
```markdown
## Auth Checklist
- [ ] Test default credentials (admin/admin, admin/password)
- [ ] Test account enumeration via login error messages
- [ ] Test password reset flow for information disclosure
- [ ] Test session fixation
- [ ] Test session timeout and invalidation on logout
- [ ] Test remember-me functionality
- [ ] Test brute force protections
- [ ] Test MFA bypass techniques
- [ ] Test OAuth/OIDC implementation (state, nonce, redirect_uri)
```
### Input Validation Testing
```markdown
## Injection Checklist
- [ ] SQL injection: ' OR 1=1 --, UNION SELECT, blind timing
- [ ] XSS: , event handlers, SVG payloads
- [ ] Command injection: ; id, | whoami, $(command)
- [ ] Template injection: {{7*7}}, ${7*7}, #{7*7}
- [ ] Path traversal: ../../../etc/passwd, ....//....//
- [ ] LDAP injection: )(cn=*), *()|(&)
- [ ] XML injection: XXE payloads if XML parsing exists
- [ ] Header injection: CRLF in headers (%0d%0a)
```
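As an added defender-side counterpart to the injection checklist above (example code, not part of the original skill): a small Python scanner that URL-decodes request paths from constructed web access-log lines and flags the probe shapes the checklist names (SQLi, command injection, template injection, path traversal, CRLF), so a blue team can see those same tests arriving. The log lines, IP addresses and signature regexes are constructed for this example and are not from the original page.

```python
import re
from urllib.parse import unquote_plus

# Constructed Combined-Log-Format lines (not real traffic); query strings carry
# the checklist's probe shapes percent-encoded, as a web server would log them.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Mar/2026:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
203.0.113.7 - - [26/Mar/2026:10:00:02 +0000] "GET /search?q=%27%20OR%201%3D1%20-- HTTP/1.1" 200 9211
203.0.113.9 - - [26/Mar/2026:10:00:03 +0000] "GET /view?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
203.0.113.9 - - [26/Mar/2026:10:00:04 +0000] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 312
203.0.113.11 - - [26/Mar/2026:10:00:05 +0000] "GET /redirect?to=%2Fhome%0d%0aSet-Cookie:x=1 HTTP/1.1" 302 0
203.0.113.11 - - [26/Mar/2026:10:00:06 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 200 44
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Signatures mirror the injection checklist; they run on the decoded path so
# single or double percent-encoding does not hide the probe.
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s+\d+\s*=\s*\d+|union\s+select|sleep\s*\(", re.I),
    "cmdi": re.compile(r"[;|]\s*(id|whoami)\b|\$\([^)]*\)"),
    "ssti": re.compile(r"\{\{.*?\}\}|\$\{.*?\}|#\{.*?\}"),
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "crlf": re.compile(r"[\r\n]"),
}

def decode_path(path: str) -> str:
    """URL-decode up to three times to unwrap double-encoding without looping forever."""
    for _ in range(3):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan_log(text: str) -> list:
    """Return one finding per request whose decoded path matches a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        decoded = decode_path(m["path"])
        hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]), "path": m["path"], "categories": hits})
    return findings
```

Run it over real access logs by passing the file contents to `scan_log`; a 200 status next to a flagged path deserves a closer look than a 404.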
### Access Control Testing
```markdown
## Authorization Checklist
- [ ] IDOR: Change resource IDs to access other users' data
- [ ] Forced browsing: Access admin paths as regular user
- [ ] HTTP method tampering: Try PUT/DELETE on read-only endpoints
- [ ] Parameter manipulation: Modify price, role, quantity parameters
- [ ] JWT testing: Algorithm confusion, expired token reuse, claim tampering
- [ ] API key scope: Test keys against endpoints beyond their scope
- [ ] CORS misconfiguration: Test with different Origin headers
```
### Business Logic Testing
```markdown
## Logic Checklist
- [ ] Price manipulation: Modify prices in client-side requests
- [ ] Quantity manipulation: Negative quantities, zero prices
- [ ] Race conditions: Concurrent requests for one-time operations
- [ ] Workflow bypass: Skip steps in multi-step processes
- [ ] Rate limit bypass: Header rotation, IP rotation
- [ ] Feature abuse: Use features in unintended combinations
```
## Phase 3: Common Vulnerability Tests
### XSS Testing Payloads
```
# Basic reflected XSS