santosomar/pt-web-application-assessment
skills/pt-web-application-assessment/SKILL.md
Performs authorized web application and API penetration testing with focus on OWASP-style risks and business logic flaws. Use when assessing websites, web APIs, authentication flows, session handling, and input validation.
$ install --global
skillsauthnpx skillsauth add santosomar/ethical-hacking-agent-skills pt-web-application-assessmentInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 6:20 PM54.2s1 file scanned
SKILL.md
- name:
- pt-web-application-assessment
- description:
- Performs authorized web application and API penetration testing with focus on OWASP-style risks and business logic flaws. Use when assessing websites, web APIs, authentication flows, session handling, and input validation.
Web Application Assessment
Authorized Use Only
Test only approved applications, domains, and endpoints. Respect rate limits and data handling constraints. Use non-destructive proofs and avoid unauthorized data extraction.
Objectives
- Identify exploitable weaknesses in web apps and APIs.
- Validate authentication, authorization, session, and input controls.
- Prioritize findings by exploitability and business impact.
Workflow
- Map attack surface:
- Endpoints, parameters, methods, auth requirements, role boundaries
- Hidden/admin routes, API schema, and third-party integrations
- Test control families:
- Authentication and session management
- Authorization and access control (horizontal/vertical)
- Input handling and output encoding
- Business logic and workflow abuse
- Validate high-impact classes:
- Injection paths, XSS, access control failures, insecure object access
- Sensitive data exposure, misconfiguration, weak secrets handling
- Confirm exploitability:
- Use constrained PoCs and reproducible steps
- Document bypass conditions and security control failures
- Produce remediation guidance:
- Secure coding fixes plus operational controls
- Regression test cases to prevent reintroduction
Output Template
# Web App Assessment Output
## Coverage
- Application/API in scope:
- Roles tested:
- Key workflows:
## Findings
- Finding:
- Endpoint/feature:
- Preconditions:
- Evidence:
- Impact:
- Fix recommendation:
- Regression test idea:
## Attack Path Summary
- Initial condition:
- Exploit chain:
- Business consequence:
Quality Checks
- Findings include exact endpoint/workflow context.
- PoCs remain non-destructive and reproducible.
- Recommendations include both code and configuration controls.
Related Skills
santosomar/pt-scanning
testing
VerifiedTrustedCommunity
Performs authorized security scanning using static, dynamic, and vulnerability-focused methods. Use when mapping exposed services, profiling application behavior, and identifying known weaknesses for validation.
12SKILL.mdUpdated Apr 25, 2026
santosomar/pt-report-creation
testing
VerifiedTrustedCommunity
Creates penetration test deliverables for executive and technical audiences, including prioritized findings and remediation plans. Use when drafting, structuring, or finalizing pen test reports from collected evidence.
12SKILL.mdUpdated Apr 25, 2026
santosomar/pt-post-exploitation
testing
VerifiedTrustedCommunity
Performs authorized post-exploitation activities to assess impact, lateral movement paths, credential exposure, and detection gaps after initial compromise. Use when a foothold has been validated and the test requires controlled impact expansion analysis.
12SKILL.mdUpdated Apr 25, 2026
santosomar/pt-planning-recon
development
VerifiedTrustedCommunity
Defines penetration test scope and performs authorized reconnaissance using passive and active methods. Use when planning a test engagement, collecting target intelligence, building asset inventories, or preparing recon findings.
12SKILL.mdUpdated Apr 25, 2026