---
name: pentest-methodology
description: Ethical security testing methodology - 5-phase pipeline, OWASP checklist, proof levels, structured findings
---

# Pentest Methodology

Ethical security testing methodology, adapted from the Shannon framework.

**IMPORTANT**: This skill is only for AUTHORIZED security testing. You need a bug bounty program whose scope covers the target, a signed pentest agreement, or a system you own.

## 5-Phase Pipeline

```
Phase 1: Recon ──▶ Phase 2: Vuln Analysis ──▶ Phase 3: Exploitation
                                                        │
Phase 5: Report ◀── Phase 4: Verification ◀────────────┘
```

### Phase 1: Reconnaissance

| Step | Tool/Method | Output |
|------|-------------|--------|
| Subdomain enum | DNS brute force, certificate transparency logs | Subdomain list |
| Port scan | nmap, masscan | Open ports and services |
| Tech stack | Wappalyzer, HTTP response headers | Technology list |
| Directory enum | ffuf, gobuster | Endpoint list |
| API discovery | Swagger/OpenAPI specs, sitemap | API endpoints |
| Source review | JS bundles, HTML comments | Hardcoded keys, internal URLs, hidden routes |

### Phase 2: Vulnerability Analysis

OWASP Top 10 (2021) check matrix:

| # | Vuln | Test Method |
|---|------|-------------|
| A01 | Broken Access Control | IDOR, privilege escalation, path traversal, forced browsing |
| A02 | Cryptographic Failures | TLS config, weak ciphers, plaintext storage of secrets |
| A03 | Injection | SQLi, XSS, command injection, template injection |
| A04 | Insecure Design | Business logic flaws, race conditions |
| A05 | Security Misconfiguration | Default credentials, verbose errors, permissive CORS |
| A06 | Vulnerable and Outdated Components | CVE scan, outdated dependencies |
| A07 | Identification and Authentication Failures | Brute force, session fixation, JWT attacks |
| A08 | Software and Data Integrity Failures | Insecure deserialization, CI/CD pipeline attacks |
| A09 | Security Logging and Monitoring Failures | Log injection, insufficient audit trail |
| A10 | Server-Side Request Forgery (SSRF) | Internal service access, cloud metadata endpoint |

### Phase 3: Exploitation (Proof of Concept)

For each finding:
1. **Reproduce**: write steps that reproduce it reliably
2. **Proof**: show the effect (screenshot, HTTP request/response)
3. **Impact**: what is the real-world impact? (data leak, RCE, account takeover)
4. **Scope**: how wide is the blast radius?

### Phase 4: Verification

Confirm the finding is real:
- Not a false positive? Reproduce under different conditions (another account, another session, another time)
- Is the scope right? A single endpoint, or systemic?
- Is the severity right? Neither overstate nor understate the impact

### Phase 5: Report

Use the structured finding format (below).

## Proof Levels

| Level | Definition | Example |
|-------|------------|---------|
| L1 - Theoretical | Potential risk, not exploited | "This endpoint does not validate input" |
| L2 - Demonstrated | Bypass/leak shown | "SQL injection leaked a database error message" |
| L3 - Exploited | Full exploit, data or function access | "Gained unauthorized access to the admin panel" |
| L4 - Chained | Several vulns chained together | "XSS + CSRF = account takeover" |

## Structured Finding Format

```markdown
## [SEVERITY] Finding Title

**ID**: FINDING-001
**Severity**: Critical / High / Medium / Low / Informational
**Proof Level**: L1 / L2 / L3 / L4
**CVSS**: X.X (score plus vector string; calculate with the FIRST CVSS calculator, first.org/cvss)
**CWE**: CWE-XXX

### Description
What was found, in one paragraph.

### Impact
What happens if this is exploited?

### Steps to Reproduce
1. [Step 1]
2. [Step 2]
3. [Step 3]

### Proof
[Screenshot, HTTP request/response, or code]

### Remediation
How to fix it.

### References
- [OWASP link]
- [CWE link]
```

## Source-to-Sink Taint Tracing

Check whether user-controlled input can reach a dangerous function without passing through validation or sanitization on the way:

```
Source (input)        ──▶  Transform/sanitize?        ──▶  Sink (dangerous function)
req.body.username     ──▶  Validated/parameterized?   ──▶  db.query(...)
req.query.redirect    ──▶  URL allowlist?             ──▶  res.redirect(...)
req.headers.host      ──▶  Checked against allowlist? ──▶  fetch(...)
```

**Sources**: req.body, req.query, req.params, req.headers, cookies, file uploads
**Sinks**: SQL queries, eval(), exec(), redirect(), innerHTML, dangerouslySetInnerHTML

## Agent Integration

- **security-analyst**: runs a full security audit using this pipeline
- **security-reviewer**: checks for vulnerability patterns during code review
- **code-reviewer**: flags security-relevant code changes

## Rules

- Do NOT test without authorization
- Respect rate limits; do not take the system down
- Report what you find; do not exploit beyond the proof of concept
- Strip sensitive data from the report (mask it)
- A remediation recommendation is MANDATORY
