AgentSkillsCN

Penetration Testing

渗透测试

SKILL.md

Penetration Testing

Skill Purpose: Plan and execute authorized penetration testing to identify exploitable security weaknesses.


Core Skill Pattern

Objective: Validate security posture through controlled, authorized testing.

Universal Pattern:

  1. Confirm legal authorization and scope
  2. Identify assets and attack surface
  3. Perform recon and threat modeling
  4. Execute tests aligned to OWASP
  5. Document findings with severity and remediation

Key Decisions (Project-Specific):

  • Testing in staging vs production
  • Tooling and manual testing balance
  • Severity scoring model
  • Disclosure and remediation workflow

Project-Specific Implementation Notes

Customize per project:

  • Define explicit in-scope systems and accounts
  • Use test credentials only
  • Coordinate with incident response team

Example Test Areas

  • Authentication and session management
  • Authorization and RLS bypass attempts
  • Injection (SQL/NoSQL), XSS, CSRF
  • File upload validation
  • Secrets exposure and misconfigurations

Best Practices

  1. Obtain written authorization before testing
  2. Test in staging first whenever possible
  3. Keep detailed evidence for each finding
  4. Provide clear remediation steps
  5. Retest to confirm fixes

Stop Conditions

STOP and escalate if:

  • Authorization is unclear or missing
  • Scope is not defined
  • Testing could impact production stability

Skill Version: 1.0.0