hoangnguyen0403/common-pentest-methodology

Penetration Testing Methodology (PTES-Aligned)

Priority: P0 (CRITICAL)

Always-Apply Rules

• No Exploit = No Report: Every finding requires reproducible Proof-of-Concept. Hypotheses without PoC are discarded.
• No Production Testing: All dynamic probes target local/staging only. Confirm authorization before Phase 1.
• No Single-Platform Bias: Assess backend, frontend, AND mobile surfaces when in-scope.

Workflow

Load alongside /pentest workflow. Provides methodology backbone for all 7 phases.

1. Scope → Define test mode (whitebox/greybox/blackbox), platforms, exclusions.
2. Recon → Build asset inventory per platform. See platform-recon.
3. Threat Model → Rank endpoints by risk. See threat-modeling.
4. Analyze → Run vulnerability matrix across all domains. Load common-owasp, common-security-audit, common-dast-tooling.
5. Exploit → Validate each finding with PoC. See exploit-techniques.
6. Post-Exploit → Assess blast radius, lateral movement, privilege escalation.
7. Report → Audit-grade output with CVSS scoring. See report-template and compliance-mapping.

Platform Coverage Matrix

| Domain | Backend/API | Frontend/Web | Mobile (iOS/Android) | |---|---|---|---| | Injection | SQLi, CMDi, NoSQLi, LDAPi | Template injection, DOM sinks | Content provider SQLi, Intent injection | | XSS | Response encoding | DOM XSS, innerHTML, framework bypasses | WebView loadUrl, JavaScript bridges | | Auth | JWT, OAuth, Session, MFA | Token storage, session management | Keychain/Keystore, biometric bypass | | AuthZ | BOLA/IDOR, BFLA, Mass Assignment | Client-side role gates | Local permission checks without server | | SSRF | HTTP client + user URL | SSR with user-supplied URL | Custom scheme fetching arbitrary URLs | | Business Logic | Race conditions, workflow bypass | Client-only validation, price tamper | IAP bypass, receipt validation skip | | Crypto | Weak hash, missing TLS | HTTP calls, weak CSP | Missing cert pin, cleartext traffic | | Config | CORS, debug mode, headers | Source maps, debug flags in prod | debuggable=true, ATS exceptions | | Deps/SCA | npm audit, pip-audit, cargo audit | Bundle vuln analysis | pod audit, Gradle dependency scan | | Secrets | Entropy + regex + liveness | Secrets in JS bundles | Keys in BuildConfig/Info.plist | | LLM/AI | Prompt injection, excessive agency | Output to DOM sinks | Agent tools without confirmation |

Continuous & Compliance Execution

• Continuous Testing: Execute Delta scans on PRs or Replay regression PoCs. See continuous-pentest.
• Compliance Mapping: Map findings to SOC 2, ISO 27001, PCI DSS, or OWASP MASVS. See compliance-mapping.

Anti-Patterns

• No "scan and dump": Raw tool output not a pentest. Correlate findings across SAST + DAST + manual.
• No severity inflation: Theoretical risk without exploit evidence ≠ confirmed vulnerability.
• No happy-path-only: Test error states, edge cases, race conditions, not just golden flow.

References

• Platform Reconnaissance — Phase 1 recon commands per platform
• Threat Modeling Guide — Phase 2 attack surface prioritization
• Exploit Techniques — Phase 4 PoC construction per vuln class
• Report Template — Phase 6 audit-grade report format
• OWASP Mobile Top 10 — Mobile vulnerability detection
• Compliance Mapping — SOC 2, ISO 27001, PCI DSS mapping
• Continuous Pentesting — CI/CD integration and Delta testing