@soulofzephir/pi-skill-pentesting 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,10 +1,10 @@
1
1
  {
2
2
  "name": "@soulofzephir/pi-skill-pentesting",
3
- "version": "1.0.0",
3
+ "version": "1.0.1",
4
4
  "description": "Comprehensive pentesting & security check skill for Pi coding agent - headers, ports, SQLi, XSS, OWASP Top 10",
5
5
  "keywords": [
6
6
  "pi",
7
- "pi-package",
7
+ "pi-package",
8
8
  "pi-skill",
9
9
  "pentesting",
10
10
  "security",
@@ -1,28 +1,30 @@
1
1
  ---
2
2
  name: pentesting
3
- description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers analysis, port scanning, SQL injection, XSS testing, OWASP Top 10, and SSL/TLS audit. Use when user asks for pentest, security check, security audit, vulnerability scan, header security, port scan, SQL injection, XSS, OWASP, ethical hacking, or bug bounty testing. Generates reports to site/domainname-date.md format.
3
+ description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers analysis, port scanning, SQL injection, XSS testing, OWASP Top 10, SSL/TLS audit, exposed files detection, CORS, JWT, and GraphQL security testing. Use when user asks for pentest, security check, security audit, vulnerability scan, header security, port scan, SQL injection, XSS, OWASP, ethical hacking, exposed files, CORS, JWT, GraphQL, or bug bounty testing. Generates reports to site/domainname-date.md format.
4
4
  ---
5
5
 
6
6
  # 🛡️ Pentesting & Security Check Skill
7
7
 
8
- > **AUTHOR:** Rz | **VERSION:** 2.0 | **LAST UPDATED:** 2025-07-05
8
+ > **AUTHOR:** Rz (@soulofzephir) | **VERSION:** 3.0 | **LAST UPDATED:** 2025-07-05
9
9
 
10
10
  ---
11
11
 
12
- ## 📋 CAPABILITIES OVERVIEW
12
+ ## 📋 CAPABILITIES OVERVIEW (v3.0)
13
13
 
14
- This skill provides **COMPREHENSIVE PENTESTING** capabilities:
15
-
16
- | Category | Coverage | Automated |
17
- |----------|----------|-----------|
14
+ | Category | Coverage | Status |
15
+ |----------|----------|--------|
18
16
  | **Security Headers** | 9 critical headers | ✅ Script |
19
- | **Port Scanning** | 20+ common ports | ✅ Nmap/Script |
17
+ | **Port Scanning** | 20+ common ports | ✅ Script |
20
18
  | **SQL Injection** | Union, Blind, Time-based | ✅ SQLMap + Manual |
21
19
  | **XSS Testing** | Reflected, Stored, DOM | ✅ Payloads + Tools |
22
20
  | **Command Injection** | Linux & Windows | ✅ Commix + Manual |
23
21
  | **XXE Testing** | Basic, Blind, DoS | ✅ Manual |
24
22
  | **OWASP Top 10** | A01-A10 complete | ✅ Checklist |
25
23
  | **SSL/TLS Audit** | Certificate & Ciphers | ✅ testssl.sh |
24
+ | **Exposed Files** | .env, .git, backups, debug | ✅ **NEW** |
25
+ | **CORS Security** | Misconfiguration tests | ✅ **NEW** |
26
+ | **JWT Security** | Algorithm attacks, brute force | ✅ **NEW** |
27
+ | **GraphQL Security** | Introspection, DoS, injection | ✅ **NEW** |
26
28
  | **Report Generation** | .md format | ✅ Auto |
27
29
 
28
30
  ---
@@ -38,24 +40,23 @@ This skill auto-loads when user mentions:
38
40
  - port scan, open ports, network scan
39
41
  - SQL injection, SQLi, XSS, command injection
40
42
  - OWASP, OWASP Top 10
43
+ - exposed files, .env, .git exposed
44
+ - CORS, JWT, GraphQL security
41
45
  - "test keamanan", "cek security", "audit keamanan"
42
46
 
43
47
  ---
44
48
 
45
- ## ⚡ COMPLETE TEST CHECKLIST
46
-
47
- For a **comprehensive security assessment**, run these tests in order:
49
+ ## ⚡ COMPLETE TEST CHECKLIST (10+ Phases)
48
50
 
49
- ### Phase 1: Reconnaissance (Information Gathering)
51
+ ### Phase 1: Reconnaissance
50
52
  ```
51
- [ ] Domain enumeration (subdomains, WHOIS)
52
- [ ] Technology fingerprinting (CMS, framework, libraries)
53
- [ ] Directory enumeration (/admin, /api, /backup)
53
+ [ ] Domain enumeration
54
+ [ ] Technology fingerprinting
55
+ [ ] Directory enumeration
54
56
  [ ] Parameter discovery
55
- [ ] Social media / leak analysis
56
57
  ```
57
58
 
58
- ### Phase 2: Security Headers Analysis
59
+ ### Phase 2: Security Headers (9 Headers)
59
60
  ```
60
61
  [ ] Content-Security-Policy (CSP)
61
62
  [ ] Strict-Transport-Security (HSTS)
@@ -64,218 +65,143 @@ For a **comprehensive security assessment**, run these tests in order:
64
65
  [ ] Referrer-Policy
65
66
  [ ] Permissions-Policy
66
67
  [ ] Cache-Control
67
- [ ] Server header (version hiding)
68
- [ ] X-Powered-By (tech hiding)
69
- [ ] Cross-Origin policies (COOP, CORP, COEP)
68
+ [ ] Server header (hide version)
69
+ [ ] X-Powered-By (hide tech)
70
70
  ```
71
71
 
72
- ### Phase 3: Port & Network Scanning
72
+ ### Phase 3: Exposed Files & Information Disclosure 🔴 **NEW**
73
+ ```
74
+ [ ] .env file accessible?
75
+ [ ] .git directory exposed?
76
+ [ ] Backup files (zip, sql, bak)
77
+ [ ] Debug/Admin panels accessible
78
+ [ ] Sensitive configuration files
79
+ [ ] Spring Boot Actuator endpoints
80
+ [ ] API documentation exposed
81
+ [ ] Log files accessible
82
+ [ ] robots.txt (reveals paths)
83
+ [ ] Security.txt endpoint
84
+ ```
85
+
86
+ ### Phase 4: Port & Network Scanning
73
87
  ```
74
88
  [ ] Full port scan (1-65535)
75
89
  [ ] Service version detection
76
- [ ] High-risk port exposure check:
77
- [ ] Port 22 (SSH) - brute force, key-only?
78
- [ ] Port 3306 (MySQL) - remote access?
79
- [ ] Port 5432 (PostgreSQL) - remote access?
80
- [ ] Port 27017 (MongoDB) - no-auth?
81
- [ ] Port 6379 (Redis) - no-auth?
82
- [ ] Port 11211 (Memcached) - DDoS risk?
83
- [ ] Port 2375 (Docker) - NEVER expose!
84
- [ ] Port 9200 (Elasticsearch) - data exposure?
85
- ```
86
-
87
- ### Phase 4: SSL/TLS Audit
88
- ```
89
- [ ] Certificate validity (not expired, trusted CA)
90
- [ ] TLS version (no SSLv3, TLS 1.0, TLS 1.1)
91
- [ ] Weak ciphers disabled?
90
+ [ ] High-risk port exposure:
91
+ [ ] Port 3306 (MySQL)
92
+ [ ] Port 5432 (PostgreSQL)
93
+ [ ] Port 27017 (MongoDB)
94
+ [ ] Port 6379 (Redis)
95
+ [ ] Port 2375 (Docker)
96
+ [ ] Port 9200 (Elasticsearch)
97
+ ```
98
+
99
+ ### Phase 5: SSL/TLS Audit
100
+ ```
101
+ [ ] Certificate validity
102
+ [ ] TLS version (no 1.0/1.1)
103
+ [ ] Weak ciphers
92
104
  [ ] HSTS implementation
93
- [ ] Certificate chain complete?
94
- [ ] Self-signed cert check
95
- [ ] OCSP stapling enabled?
105
+ [ ] OCSP stapling
96
106
  ```
97
107
 
98
- ### Phase 5: Authentication Testing
108
+ ### Phase 6: Authentication Testing
99
109
  ```
100
- [ ] Login page brute force protection
101
- [ ] Password policy enforcement
110
+ [ ] Brute force protection
111
+ [ ] Password policy
102
112
  [ ] MFA availability
103
- [ ] Session management:
104
- [ ] Session ID randomness
105
- [ ] Session timeout
106
- [ ] HttpOnly cookies
107
- [ ] Secure cookies
108
- [ ] SameSite attribute
109
- [ ] Password reset flow:
110
- [ ] Token randomness
111
- [ ] Token expiration
112
- [ ] Email enumeration
113
- [ ] Account lockout policy
114
- [ ] CAPTCHA implementation
115
- ```
116
-
117
- ### Phase 6: Injection Testing
118
- ```
119
- [ ] SQL Injection:
120
- [ ] UNION-based
121
- [ ] Boolean-based blind
122
- [ ] Time-based blind
123
- [ ] Error-based
124
- [ ] Stacked queries
125
- [ ] XSS (Cross-Site Scripting):
126
- [ ] Reflected XSS
127
- [ ] Stored/Persistent XSS
128
- [ ] DOM-based XSS
129
- [ ] Polyglot XSS
130
- [ ] Command Injection:
131
- [ ] Linux commands
132
- [ ] Windows commands
133
- [ ] XXE (XML External Entity)
134
- [ ] LDAP Injection
135
- [ ] XPath Injection
136
- [ ] SSTI (Server-Side Template Injection)
137
- [ ] SSTRF (Server-Side Request Forgery)
138
- [ ] Expression Language Injection
139
- ```
140
-
141
- ### Phase 7: Business Logic Testing
142
- ```
143
- [ ] IDOR (Insecure Direct Object Reference)
144
- [ ] Horizontal privilege escalation
145
- [ ] Vertical privilege escalation
146
- [ ] Price/total manipulation
147
- [ ] Quantity manipulation
148
- [ ] Coupon/promotion abuse
149
- [ ] Race condition (concurrency)
150
- [ ] Workflow bypass
151
- [ ] Mass assignment
152
- ```
153
-
154
- ### Phase 8: API Security
155
- ```
156
- [ ] REST API testing:
157
- [ ] Authorization bypass
158
- [ ] Rate limiting
159
- [ ] Input validation
160
- [ ] CORS misconfiguration
161
- [ ] GraphQL testing:
162
- [ ] Introspection enabled?
163
- [ ] Query complexity
164
- [ ] Depth limiting
165
- [ ] JWT testing:
166
- [ ] Algorithm confusion
167
- [ ] Weak secret
168
- [ ] Token expiration
169
- [ ] None algorithm
170
- [ ] API versioning issues
171
- ```
172
-
173
- ### Phase 9: OWASP Top 10
174
- ```
175
- [ ] A01 - Broken Access Control
176
- [ ] Vertical privilege escalation
177
- [ ] Horizontal privilege escalation
178
- [ ] IDOR
179
- [ ] CORS misconfiguration
180
- [ ] A02 - Cryptographic Failures
181
- [ ] Sensitive data exposure
182
- [ ] Weak encryption
183
- [ ] Default crypto
184
- [ ] Insecure key management
185
- [ ] A03 - Injection
186
- [ ] SQL Injection
187
- [ ] XSS
188
- [ ] Command Injection
189
- [ ] LDAP/XXE/XPath
190
- [ ] A04 - Insecure Design
191
- [ ] Missing rate limiting
192
- [ ] Business logic flaws
193
- [ ] Credential stuffing protection
194
- [ ] A05 - Security Misconfiguration
195
- [ ] Default credentials
196
- [ ] Debug mode
197
- [ ] Directory listing
198
- [ ] Unnecessary features
199
- [ ] Error handling
200
- [ ] A06 - Vulnerable Components
201
- [ ] Outdated libraries
202
- [ ] Known CVEs
203
- [ ] Unmaintained dependencies
204
- [ ] A07 - Identification & Auth Failures
205
- [ ] Weak passwords
206
- [ ] Session management
207
- [ ] Credential exposure
208
- [ ] A08 - Software & Data Integrity
209
- [ ] Insecure deserialization
210
- [ ] CI/CD issues
211
- [ ] Auto-update integrity
212
- [ ] A09 - Logging & Monitoring
213
- [ ] No audit logging
214
- [ ] Failed login tracking
215
- [ ] Alert fatigue
216
- [ ] A10 - SSRF
217
- [ ] URL validation bypass
218
- [ ] Internal network access
219
- [ ] Cloud metadata access
113
+ [ ] Session management (HttpOnly, Secure, SameSite)
114
+ [ ] Password reset flow
220
115
  ```
221
116
 
222
- ### Phase 10: Client-Side Testing
117
+ ### Phase 7: Injection Testing
223
118
  ```
224
- [ ] CORS misconfiguration
225
- [ ] WebSocket testing
226
- [ ] WebRTC leakage
227
- [ ] Service Worker security
228
- [ ] Browser storage (localStorage, sessionStorage)
229
- [ ] Cookies security attributes
230
- [ ] JWT in localStorage vs HttpOnly cookie
119
+ [ ] SQL Injection (5 types)
120
+ [ ] XSS (4 types)
121
+ [ ] Command Injection
122
+ [ ] XXE
123
+ [ ] LDAP Injection
124
+ [ ] SSTI
125
+ [ ] SSRF
231
126
  ```
232
127
 
233
- ---
234
-
235
- ## ⚡ WORKFLOW (Follow in Order)
236
-
237
- ### Step 1: Confirm Scope
128
+ ### Phase 8: CORS Security 🔴 **NEW**
238
129
  ```
239
- 1. Target URL/IP: [user input]
240
- 2. Testing type: [Full / Targeted]
241
- 3. Authorization: [User owns this / Has permission]
130
+ [ ] Wildcard origin check
131
+ [ ] Credentials with wildcard
132
+ [ ] Null origin allowed?
133
+ [ ] Internal IPs allowed?
134
+ [ ] Sensitive endpoints CORS
242
135
  ```
243
136
 
244
- ### Step 2: Run Tests (follow Complete Test Checklist above)
245
-
246
- ### Step 3: Generate Report
247
-
248
- **IMPORTANT:** Always save report to:
137
+ ### Phase 9: JWT Security 🔴 **NEW**
249
138
  ```
250
- site/[domain]-[YYYY-MM-DD].md
139
+ [ ] Algorithm confusion (RS256→HS256)
140
+ [ ] alg:none bypass
141
+ [ ] Weak secret brute force
142
+ [ ] Null signature accepted
143
+ [ ] Token manipulation (exp, iat, sub)
144
+ [ ] JWKS cache poisoning
251
145
  ```
252
146
 
253
- Example:
147
+ ### Phase 10: GraphQL Security 🔴 **NEW**
254
148
  ```
255
- site/example.com-2025-07-05.md
256
- site/api.target.com-2025-07-05.md
257
- site/subdomain.target.com-2025-07-05.md
149
+ [ ] Introspection enabled?
150
+ [ ] GraphQL IDE exposed
151
+ [ ] Authorization bypass (IDOR)
152
+ [ ] Batch query attack
153
+ [ ] Depth-based DoS
154
+ [ ] SQL/NoSQL Injection
258
155
  ```
259
156
 
260
- ---
261
-
262
- ## 🔧 TOOLS & SCRIPTS
263
-
264
- Scripts available in `tools/`:
157
+ ### Phase 11: OWASP Top 10 (A01-A10)
265
158
  ```
266
- tools/
267
- ├── header-scan.sh # Linux/Mac headers
268
- ├── header-scan.ps1 # Windows headers
269
- └── security-scan.ps1 # Windows ALL-IN-ONE
159
+ [ ] A01 - Broken Access Control
160
+ [ ] A02 - Cryptographic Failures
161
+ [ ] A03 - Injection
162
+ [ ] A04 - Insecure Design
163
+ [ ] A05 - Security Misconfiguration
164
+ [ ] A06 - Vulnerable Components
165
+ [ ] A07 - Auth Failures
166
+ [ ] A08 - Data Integrity
167
+ [ ] A09 - Logging Failures
168
+ [ ] A10 - SSRF
270
169
  ```
271
170
 
272
- Checklists available in `checklists/`:
171
+ ### Phase 12: Business Logic & API
172
+ ```
173
+ [ ] IDOR
174
+ [ ] Privilege escalation
175
+ [ ] Price manipulation
176
+ [ ] API security (REST/GraphQL)
177
+ [ ] Rate limiting
273
178
  ```
274
- checklists/
275
- ├── headers.md # 9 headers detail
276
- ├── owasp.md # OWASP Top 10
277
- ├── ports.md # Port scanning
278
- └── injection.md # All injection types
179
+
180
+ ---
181
+
182
+ ## 🔧 TOOLS LOCATION
183
+
184
+ ```
185
+ skills/pentesting/
186
+ ├── SKILL.md # This file
187
+ ├── checklists/
188
+ │ ├── headers.md # 9 headers detail
189
+ │ ├── owasp.md # OWASP Top 10
190
+ │ ├── ports.md # Port scanning
191
+ │ ├── injection.md # All injection types
192
+ │ ├── exposed-files.md # 🔴 NEW - Exposed files
193
+ │ ├── cors.md # 🔴 NEW - CORS security
194
+ │ ├── jwt.md # 🔴 NEW - JWT security
195
+ │ └── graphql.md # 🔴 NEW - GraphQL security
196
+ ├── tools/
197
+ │ ├── header-scan.sh # Linux/Mac headers
198
+ │ ├── header-scan.ps1 # Windows headers
199
+ │ ├── exposed-files-scan.sh # 🔴 NEW - Exposed files
200
+ │ ├── exposed-files-scan.ps1 # 🔴 NEW - Exposed files
201
+ │ ├── full-scan.sh # 🔴 NEW - All-in-one Linux
202
+ │ └── full-scan.ps1 # 🔴 NEW - All-in-one Windows
203
+ └── reports/
204
+ └── template.md # Report template
279
205
  ```
280
206
 
281
207
  ---
@@ -292,16 +218,30 @@ chmod +x tools/header-scan.sh
292
218
  .\tools\header-scan.ps1 -Target https://target.com
293
219
  ```
294
220
 
221
+ ### Exposed Files Scan 🔴 NEW
222
+ ```bash
223
+ # Linux/Mac
224
+ chmod +x tools/exposed-files-scan.sh
225
+ ./tools/exposed-files-scan.sh https://target.com
226
+
227
+ # Windows PowerShell
228
+ .\tools\exposed-files-scan.ps1 -Target https://target.com
229
+ ```
230
+
231
+ ### Full Security Scan (All-in-One) 🔴 NEW
232
+ ```bash
233
+ # Linux/Mac
234
+ chmod +x tools/full-scan.sh
235
+ ./tools/full-scan.sh https://target.com
236
+
237
+ # Windows PowerShell
238
+ .\tools\full-scan.ps1 -Target https://target.com
239
+ ```
240
+
295
241
  ### Port Scanning
296
242
  ```bash
297
- # Nmap quick
298
243
  nmap -sV -p 21,22,80,443,3306,5432,8080 target.com
299
-
300
- # Full scan
301
244
  nmap -p- -sV target.com
302
-
303
- # Nmap with scripts
304
- nmap -sC -sV -p- target.com
305
245
  ```
306
246
 
307
247
  ### Vulnerability Scanning
@@ -319,12 +259,6 @@ dalfox url https://target.com/search?q=test
319
259
  commix -u "http://target.com/ping?ip=127.0.0.1"
320
260
  ```
321
261
 
322
- ### Full Scan
323
- ```powershell
324
- # Windows - All in one
325
- .\tools\security-scan.ps1 -Target https://target.com
326
- ```
327
-
328
262
  ---
329
263
 
330
264
  ## 📊 OUTPUT FORMAT
@@ -347,7 +281,7 @@ F (0-29): Critical
347
281
  ```
348
282
 
349
283
  ### Report File
350
- **Format:** `site/[domain]-[YYYY-MM-DD].md`
284
+ **Format:** `site/[domain]-[date].md`
351
285
 
352
286
  ---
353
287
 
@@ -363,14 +297,17 @@ F (0-29): Critical
363
297
 
364
298
  ## 🆘 HELP COMMANDS
365
299
 
366
- If user asks:
367
300
  - "apa bisa ini?" → Show CAPABILITIES OVERVIEW
368
301
  - "cara pakai" → Show QUICK COMMANDS
369
302
  - "test sekarang" → Start the test workflow
370
- - "check [target]" → Start security scan + save to site/[domain]-[date].md
303
+ - "check [target]" → Full scan + save report
371
304
  - "scan headers" → Run header scan
305
+ - "scan exposed files" → Run exposed files scan
306
+ - "full scan" → Run all-in-one scanner
372
307
  - "test SQL injection" → Load SQLi payloads
373
- - "complete checklist" → Show COMPLETE TEST CHECKLIST
308
+ - "test CORS" → Load CORS checklist
309
+ - "test JWT" → Load JWT checklist
310
+ - "test GraphQL" → Load GraphQL checklist
374
311
 
375
312
  ---
376
313
 
@@ -378,16 +315,22 @@ If user asks:
378
315
 
379
316
  ```
380
317
  User: "pentest untuk website ini: example.com"
381
- Load SKILL → Start full pentest workflow → Generate site/example.com-2025-07-05.md
318
+ Full pentest workflow → site/example.com-2025-07-05.md
382
319
 
383
320
  User: "security audit untuk target.com"
384
- Load SKILL → Run all tests → Generate site/target.com-2025-07-05.md
321
+ → Run all tests → site/target.com-2025-07-05.md
322
+
323
+ User: "check exposed files di website ini"
324
+ → Run exposed files scan → site/target.com-exposed-2025-07-05.md
325
+
326
+ User: "test CORS di api.target.com"
327
+ → Run CORS security tests
385
328
 
386
- User: "OWASP check untuk API"
387
- Load SKILL → Run OWASP Top 10 checklist
329
+ User: "audit JWT security"
330
+ → Run JWT security checklist
388
331
 
389
- User: "scan subdomain ini: api.target.com"
390
- Load SKILL Run all tests → Generate site/api.target.com-2025-07-05.md
332
+ User: "GraphQL security check"
333
+ Run GraphQL security tests
391
334
  ```
392
335
 
393
336
  ---
@@ -395,5 +338,6 @@ User: "scan subdomain ini: api.target.com"
395
338
  ## ✅ SKILL READY
396
339
 
397
340
  **Status:** ACTIVE & READY FOR USE
398
- **Version:** 2.0
341
+ **Version:** 3.0
399
342
  **Author:** Rz (@soulofzephir)
343
+ **Last Updated:** 2025-07-05