---
name: pentest-web
description: Web application security testing methodology: OWASP Top 10, SSRF, IDOR, auth bypass, injection-class advisory. Burp/ZAP output analysis. Triggers on web pentest, OWASP, SQL injection, XSS, SSRF, IDOR, auth bypass, Burp output, ZAP, parameter pollution, request smuggling.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents web-hunter (advisory side)
---

# pentest-web

Web app attack surface advisory + Burp/ZAP output analysis + OWASP Top 10 methodology. Composing a live exploit is done only with a declared scope; there is no automatic exploit execution.

## Triggers

- "OWASP Top 10 test"
- "Review the Burp output"
- "Did we find SQL injection"
- "Let's run an XSS test"
- "Can you look for SSRF / IDOR / auth bypass"
- "request smuggling"

## OWASP Top 10 Checklist

| # | Category | Test Approach |
|---|----------|---------------|
| A01 | Broken Access Control | Horizontal/vertical IDOR, forced browsing, JWT manipulation |
| A02 | Cryptographic Failures | TLS config, password hashing, sensitive data stored unencrypted |
| A03 | Injection | SQLi (in-band, blind, OOB), NoSQL, OS command, XPath |
| A04 | Insecure Design | Missing rate limit, business logic flaw |
| A05 | Security Misconfig | Default credentials, verbose errors, exposed admin panel |
| A06 | Vulnerable Components | Dependency CVE, framework version |
| A07 | Auth Failures | Brute force, password reset, session fixation |
| A08 | Software/Data Integrity | Unsigned update, deserialization |
| A09 | Logging Failures | Detection bypass, audit gap |
| A10 | SSRF | Internal port reach, cloud metadata steal |

## Burp/ZAP Output Analysis

If the user pastes a Burp Pro/CE or ZAP report:

```markdown
## Burp Active Scan: analysis

### True Positive
- High: SQL Injection in /api/users?id= (time-based, MySQL)
  - Payload: `1' AND SLEEP(5)-- -`
  - Impact: full DB read + potential RCE (if the DB user has the FILE privilege)
- Medium: Reflected XSS in /search?q= (no CSP)

### False Positive (filtered out)
- Info: Server header reveals nginx; not a meaningful information leak, low fix priority
- Low: Cookie missing HttpOnly; server-only cookie, never accessed from JS

### Recommended Manual Tests
- IDOR check on /api/users/{id}: auth bypass attempt
- Race condition on /api/purchase (5 parallel requests)
- JWT alg=none, and RSA public key swapped in as an HS256 HMAC secret
```

## Common Methodology Flow

```text
1. Recon: subfinder + httpx + wappalyzer
2. Crawl: ffuf / gobuster / katana (rate-limited)
3. Param discovery: paramspider / Arjun
4. Active probe: nuclei templates + manual Burp
5. Auth test: JWT decode + signature check + algorithm swap
6. Bizlogic: race, IDOR, price manipulation (hand off to pentest-bizlogic)
7. Report: OWASP severity + CVSS + remediation
```

## Recommended Commands (With Scope)

```bash
# MODERATE — content discovery (rate limit)
ffuf -w wordlist.txt -u https://<hedef>/FUZZ -t 20 -p 0.1 -mc 200,301,403 -o ffuf_<hedef>_$(date +%Y%m%d_%H%M%S).json

# MODERATE — auto template scan
nuclei -u https://<hedef> -severity medium,high,critical -rate-limit 50 -o nuclei_<hedef>_$(date +%Y%m%d_%H%M%S).txt

# LOUD — targeted SQLi (single parameter only + level 1)
# sqlmap is the recommended tool, but composing it requires a declared scope
```

## JWT Test Recommendation

```bash
# Manual decode (QUIET, sends no request to any target)
# JWT segments are unpadded base64url, so a plain `base64 -d` errors out; convert the alphabet and restore padding first
seg=$(printf '%s' "<token>" | cut -d. -f2 | tr '_-' '/+')
printf '%s%s' "$seg" "$(printf '%*s' $(( (4 - ${#seg} % 4) % 4 )) '' | tr ' ' '=')" | base64 -d | jq .

# Common bypass attempts
# alg: "none"          -> signature skipped
# alg: HS256 + RSA pub -> HMAC with the public key
# kid: ../../etc/passwd -> path traversal
# exp manipulation
```
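The defender-side counterpart to the JWT checklist above, added here as an example (it is not part of the original skill or of any project it references): a minimal HS256 verifier in which each of the four bypass classes is rejected by a specific check. The key id, secret and tokens are constructed for the demonstration.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Constructed demo key material (assumption, not from the page): kid -> HMAC secret.
KEYS = {"key-2024": b"constructed-demo-secret"}
ALLOWED_ALGS = {"HS256"}  # server-side allowlist; the token never chooses the algorithm

def b64url_decode(seg: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(header: dict, payload: dict, secret: Optional[bytes]) -> str:
    # Builds test tokens for the checks below; secret=None produces an unsigned (alg=none style) token.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b"" if secret is None else hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason); each rejection corresponds to one bypass class in the checklist."""
    try:
        h, p, s = token.split(".")
        header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:  # covers wrong segment count, bad base64 and bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    # alg=none and RS256->HS256 confusion both fail here: only the allowlisted HMAC alg is accepted.
    if header.get("alg") not in ALLOWED_ALGS:
        return False, "alg not allowed"
    # kid is a dictionary key, never a file path: a traversal value is simply unknown.
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    # exp must be present and in the future; a removed or stretched exp is caught server-side.
    exp = payload.get("exp")
    current = now if now is not None else int(time.time())
    if not isinstance(exp, int) or exp <= current:
        return False, "expired or missing exp"
    return True, "ok"
```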

## CSP / Header Analysis

```bash
# QUIET — headers only
curl -sI https://<hedef> | grep -iE 'content-security-policy|x-frame-options|strict-transport|x-content-type'
```

## Out-of-Scope

- Live sqlmap orchestration (the authorized user runs `sqlmap` themselves)
- Mass scans, parallel attacks on multiple targets
- Automated exploitation (PoC validation lives in pentest-exploit-chain)
- DoS attempts
