@soulofzephir/pi-skill-pentesting 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,10 +1,10 @@
1
1
  {
2
2
  "name": "@soulofzephir/pi-skill-pentesting",
3
- "version": "1.0.0",
3
+ "version": "1.0.2",
4
4
  "description": "Comprehensive pentesting & security check skill for Pi coding agent - headers, ports, SQLi, XSS, OWASP Top 10",
5
5
  "keywords": [
6
6
  "pi",
7
- "pi-package",
7
+ "pi-package",
8
8
  "pi-skill",
9
9
  "pentesting",
10
10
  "security",
@@ -1,28 +1,30 @@
1
1
  ---
2
2
  name: pentesting
3
- description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers analysis, port scanning, SQL injection, XSS testing, OWASP Top 10, and SSL/TLS audit. Use when user asks for pentest, security check, security audit, vulnerability scan, header security, port scan, SQL injection, XSS, OWASP, ethical hacking, or bug bounty testing. Generates reports to site/domainname-date.md format.
3
+ description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers analysis, port scanning, SQL injection, XSS testing, OWASP Top 10, SSL/TLS audit, exposed files detection, CORS, JWT, and GraphQL security testing. Use when user asks for pentest, security check, security audit, vulnerability scan, header security, port scan, SQL injection, XSS, OWASP, ethical hacking, exposed files, CORS, JWT, GraphQL, or bug bounty testing. Generates reports to site/domainname-date.md format.
4
4
  ---
5
5
 
6
6
  # 🛡️ Pentesting & Security Check Skill
7
7
 
8
- > **AUTHOR:** Rz | **VERSION:** 2.0 | **LAST UPDATED:** 2025-07-05
8
+ > **AUTHOR:** Rz (@soulofzephir) | **VERSION:** 3.0 | **LAST UPDATED:** 2025-07-05
9
9
 
10
10
  ---
11
11
 
12
- ## 📋 CAPABILITIES OVERVIEW
12
+ ## 📋 CAPABILITIES OVERVIEW (v3.0)
13
13
 
14
- This skill provides **COMPREHENSIVE PENTESTING** capabilities:
15
-
16
- | Category | Coverage | Automated |
17
- |----------|----------|-----------|
14
+ | Category | Coverage | Status |
15
+ |----------|----------|--------|
18
16
  | **Security Headers** | 9 critical headers | ✅ Script |
19
- | **Port Scanning** | 20+ common ports | ✅ Nmap/Script |
17
+ | **Port Scanning** | 20+ common ports | ✅ Script |
20
18
  | **SQL Injection** | Union, Blind, Time-based | ✅ SQLMap + Manual |
21
19
  | **XSS Testing** | Reflected, Stored, DOM | ✅ Payloads + Tools |
22
20
  | **Command Injection** | Linux & Windows | ✅ Commix + Manual |
23
21
  | **XXE Testing** | Basic, Blind, DoS | ✅ Manual |
24
22
  | **OWASP Top 10** | A01-A10 complete | ✅ Checklist |
25
23
  | **SSL/TLS Audit** | Certificate & Ciphers | ✅ testssl.sh |
24
+ | **Exposed Files** | .env, .git, backups, debug | ✅ **NEW** |
25
+ | **CORS Security** | Misconfiguration tests | ✅ **NEW** |
26
+ | **JWT Security** | Algorithm attacks, brute force | ✅ **NEW** |
27
+ | **GraphQL Security** | Introspection, DoS, injection | ✅ **NEW** |
26
28
  | **Report Generation** | .md format | ✅ Auto |
27
29
 
28
30
  ---
@@ -38,24 +40,25 @@ This skill auto-loads when user mentions:
38
40
  - port scan, open ports, network scan
39
41
  - SQL injection, SQLi, XSS, command injection
40
42
  - OWASP, OWASP Top 10
43
+ - exposed files, .env, .git exposed
44
+ - CORS, JWT, GraphQL security
41
45
  - "test keamanan", "cek security", "audit keamanan"
46
+ - **"test skill", "check skill", "validate skill"**
47
+ - **"skill health", "skill status", "skill diagnostics"**
42
48
 
43
49
  ---
44
50
 
45
- ## ⚡ COMPLETE TEST CHECKLIST
46
-
47
- For a **comprehensive security assessment**, run these tests in order:
51
+ ## ⚡ COMPLETE TEST CHECKLIST (10+ Phases)
48
52
 
49
- ### Phase 1: Reconnaissance (Information Gathering)
53
+ ### Phase 1: Reconnaissance
50
54
  ```
51
- [ ] Domain enumeration (subdomains, WHOIS)
52
- [ ] Technology fingerprinting (CMS, framework, libraries)
53
- [ ] Directory enumeration (/admin, /api, /backup)
55
+ [ ] Domain enumeration
56
+ [ ] Technology fingerprinting
57
+ [ ] Directory enumeration
54
58
  [ ] Parameter discovery
55
- [ ] Social media / leak analysis
56
59
  ```
57
60
 
58
- ### Phase 2: Security Headers Analysis
61
+ ### Phase 2: Security Headers (9 Headers)
59
62
  ```
60
63
  [ ] Content-Security-Policy (CSP)
61
64
  [ ] Strict-Transport-Security (HSTS)
@@ -64,224 +67,160 @@ For a **comprehensive security assessment**, run these tests in order:
64
67
  [ ] Referrer-Policy
65
68
  [ ] Permissions-Policy
66
69
  [ ] Cache-Control
67
- [ ] Server header (version hiding)
68
- [ ] X-Powered-By (tech hiding)
69
- [ ] Cross-Origin policies (COOP, CORP, COEP)
70
+ [ ] Server header (hide version)
71
+ [ ] X-Powered-By (hide tech)
72
+ ```
73
+
74
+ ### Phase 3: Exposed Files & Information Disclosure 🔴 **NEW**
75
+ ```
76
+ [ ] .env file accessible?
77
+ [ ] .git directory exposed?
78
+ [ ] Backup files (zip, sql, bak)
79
+ [ ] Debug/Admin panels accessible
80
+ [ ] Sensitive configuration files
81
+ [ ] Spring Boot Actuator endpoints
82
+ [ ] API documentation exposed
83
+ [ ] Log files accessible
84
+ [ ] robots.txt (reveals paths)
85
+ [ ] Security.txt endpoint
70
86
  ```
71
87
 
72
- ### Phase 3: Port & Network Scanning
88
+ ### Phase 4: Port & Network Scanning
73
89
  ```
74
90
  [ ] Full port scan (1-65535)
75
91
  [ ] Service version detection
76
- [ ] High-risk port exposure check:
77
- [ ] Port 22 (SSH) - brute force, key-only?
78
- [ ] Port 3306 (MySQL) - remote access?
79
- [ ] Port 5432 (PostgreSQL) - remote access?
80
- [ ] Port 27017 (MongoDB) - no-auth?
81
- [ ] Port 6379 (Redis) - no-auth?
82
- [ ] Port 11211 (Memcached) - DDoS risk?
83
- [ ] Port 2375 (Docker) - NEVER expose!
84
- [ ] Port 9200 (Elasticsearch) - data exposure?
85
- ```
86
-
87
- ### Phase 4: SSL/TLS Audit
88
- ```
89
- [ ] Certificate validity (not expired, trusted CA)
90
- [ ] TLS version (no SSLv3, TLS 1.0, TLS 1.1)
91
- [ ] Weak ciphers disabled?
92
+ [ ] High-risk port exposure:
93
+ [ ] Port 3306 (MySQL)
94
+ [ ] Port 5432 (PostgreSQL)
95
+ [ ] Port 27017 (MongoDB)
96
+ [ ] Port 6379 (Redis)
97
+ [ ] Port 2375 (Docker)
98
+ [ ] Port 9200 (Elasticsearch)
99
+ ```
100
+
101
+ ### Phase 5: SSL/TLS Audit
102
+ ```
103
+ [ ] Certificate validity
104
+ [ ] TLS version (no 1.0/1.1)
105
+ [ ] Weak ciphers
92
106
  [ ] HSTS implementation
93
- [ ] Certificate chain complete?
94
- [ ] Self-signed cert check
95
- [ ] OCSP stapling enabled?
107
+ [ ] OCSP stapling
96
108
  ```
97
109
 
98
- ### Phase 5: Authentication Testing
110
+ ### Phase 6: Authentication Testing
99
111
  ```
100
- [ ] Login page brute force protection
101
- [ ] Password policy enforcement
112
+ [ ] Brute force protection
113
+ [ ] Password policy
102
114
  [ ] MFA availability
103
- [ ] Session management:
104
- [ ] Session ID randomness
105
- [ ] Session timeout
106
- [ ] HttpOnly cookies
107
- [ ] Secure cookies
108
- [ ] SameSite attribute
109
- [ ] Password reset flow:
110
- [ ] Token randomness
111
- [ ] Token expiration
112
- [ ] Email enumeration
113
- [ ] Account lockout policy
114
- [ ] CAPTCHA implementation
115
- ```
116
-
117
- ### Phase 6: Injection Testing
118
- ```
119
- [ ] SQL Injection:
120
- [ ] UNION-based
121
- [ ] Boolean-based blind
122
- [ ] Time-based blind
123
- [ ] Error-based
124
- [ ] Stacked queries
125
- [ ] XSS (Cross-Site Scripting):
126
- [ ] Reflected XSS
127
- [ ] Stored/Persistent XSS
128
- [ ] DOM-based XSS
129
- [ ] Polyglot XSS
130
- [ ] Command Injection:
131
- [ ] Linux commands
132
- [ ] Windows commands
133
- [ ] XXE (XML External Entity)
134
- [ ] LDAP Injection
135
- [ ] XPath Injection
136
- [ ] SSTI (Server-Side Template Injection)
137
- [ ] SSTRF (Server-Side Request Forgery)
138
- [ ] Expression Language Injection
139
- ```
140
-
141
- ### Phase 7: Business Logic Testing
142
- ```
143
- [ ] IDOR (Insecure Direct Object Reference)
144
- [ ] Horizontal privilege escalation
145
- [ ] Vertical privilege escalation
146
- [ ] Price/total manipulation
147
- [ ] Quantity manipulation
148
- [ ] Coupon/promotion abuse
149
- [ ] Race condition (concurrency)
150
- [ ] Workflow bypass
151
- [ ] Mass assignment
152
- ```
153
-
154
- ### Phase 8: API Security
155
- ```
156
- [ ] REST API testing:
157
- [ ] Authorization bypass
158
- [ ] Rate limiting
159
- [ ] Input validation
160
- [ ] CORS misconfiguration
161
- [ ] GraphQL testing:
162
- [ ] Introspection enabled?
163
- [ ] Query complexity
164
- [ ] Depth limiting
165
- [ ] JWT testing:
166
- [ ] Algorithm confusion
167
- [ ] Weak secret
168
- [ ] Token expiration
169
- [ ] None algorithm
170
- [ ] API versioning issues
171
- ```
172
-
173
- ### Phase 9: OWASP Top 10
174
- ```
175
- [ ] A01 - Broken Access Control
176
- [ ] Vertical privilege escalation
177
- [ ] Horizontal privilege escalation
178
- [ ] IDOR
179
- [ ] CORS misconfiguration
180
- [ ] A02 - Cryptographic Failures
181
- [ ] Sensitive data exposure
182
- [ ] Weak encryption
183
- [ ] Default crypto
184
- [ ] Insecure key management
185
- [ ] A03 - Injection
186
- [ ] SQL Injection
187
- [ ] XSS
188
- [ ] Command Injection
189
- [ ] LDAP/XXE/XPath
190
- [ ] A04 - Insecure Design
191
- [ ] Missing rate limiting
192
- [ ] Business logic flaws
193
- [ ] Credential stuffing protection
194
- [ ] A05 - Security Misconfiguration
195
- [ ] Default credentials
196
- [ ] Debug mode
197
- [ ] Directory listing
198
- [ ] Unnecessary features
199
- [ ] Error handling
200
- [ ] A06 - Vulnerable Components
201
- [ ] Outdated libraries
202
- [ ] Known CVEs
203
- [ ] Unmaintained dependencies
204
- [ ] A07 - Identification & Auth Failures
205
- [ ] Weak passwords
206
- [ ] Session management
207
- [ ] Credential exposure
208
- [ ] A08 - Software & Data Integrity
209
- [ ] Insecure deserialization
210
- [ ] CI/CD issues
211
- [ ] Auto-update integrity
212
- [ ] A09 - Logging & Monitoring
213
- [ ] No audit logging
214
- [ ] Failed login tracking
215
- [ ] Alert fatigue
216
- [ ] A10 - SSRF
217
- [ ] URL validation bypass
218
- [ ] Internal network access
219
- [ ] Cloud metadata access
115
+ [ ] Session management (HttpOnly, Secure, SameSite)
116
+ [ ] Password reset flow
220
117
  ```
221
118
 
222
- ### Phase 10: Client-Side Testing
119
+ ### Phase 7: Injection Testing
223
120
  ```
224
- [ ] CORS misconfiguration
225
- [ ] WebSocket testing
226
- [ ] WebRTC leakage
227
- [ ] Service Worker security
228
- [ ] Browser storage (localStorage, sessionStorage)
229
- [ ] Cookies security attributes
230
- [ ] JWT in localStorage vs HttpOnly cookie
121
+ [ ] SQL Injection (5 types)
122
+ [ ] XSS (4 types)
123
+ [ ] Command Injection
124
+ [ ] XXE
125
+ [ ] LDAP Injection
126
+ [ ] SSTI
127
+ [ ] SSRF
231
128
  ```
232
129
 
233
- ---
234
-
235
- ## ⚡ WORKFLOW (Follow in Order)
236
-
237
- ### Step 1: Confirm Scope
130
+ ### Phase 8: CORS Security 🔴 **NEW**
238
131
  ```
239
- 1. Target URL/IP: [user input]
240
- 2. Testing type: [Full / Targeted]
241
- 3. Authorization: [User owns this / Has permission]
132
+ [ ] Wildcard origin check
133
+ [ ] Credentials with wildcard
134
+ [ ] Null origin allowed?
135
+ [ ] Internal IPs allowed?
136
+ [ ] Sensitive endpoints CORS
242
137
  ```
243
138
 
244
- ### Step 2: Run Tests (follow Complete Test Checklist above)
245
-
246
- ### Step 3: Generate Report
247
-
248
- **IMPORTANT:** Always save report to:
139
+ ### Phase 9: JWT Security 🔴 **NEW**
249
140
  ```
250
- site/[domain]-[YYYY-MM-DD].md
141
+ [ ] Algorithm confusion (RS256→HS256)
142
+ [ ] alg:none bypass
143
+ [ ] Weak secret brute force
144
+ [ ] Null signature accepted
145
+ [ ] Token manipulation (exp, iat, sub)
146
+ [ ] JWKS cache poisoning
251
147
  ```
252
148
 
253
- Example:
149
+ ### Phase 10: GraphQL Security 🔴 **NEW**
254
150
  ```
255
- site/example.com-2025-07-05.md
256
- site/api.target.com-2025-07-05.md
257
- site/subdomain.target.com-2025-07-05.md
151
+ [ ] Introspection enabled?
152
+ [ ] GraphQL IDE exposed
153
+ [ ] Authorization bypass (IDOR)
154
+ [ ] Batch query attack
155
+ [ ] Depth-based DoS
156
+ [ ] SQL/NoSQL Injection
258
157
  ```
259
158
 
260
- ---
261
-
262
- ## 🔧 TOOLS & SCRIPTS
263
-
264
- Scripts available in `tools/`:
159
+ ### Phase 11: OWASP Top 10 (A01-A10)
265
160
  ```
266
- tools/
267
- ├── header-scan.sh # Linux/Mac headers
268
- ├── header-scan.ps1 # Windows headers
269
- └── security-scan.ps1 # Windows ALL-IN-ONE
161
+ [ ] A01 - Broken Access Control
162
+ [ ] A02 - Cryptographic Failures
163
+ [ ] A03 - Injection
164
+ [ ] A04 - Insecure Design
165
+ [ ] A05 - Security Misconfiguration
166
+ [ ] A06 - Vulnerable Components
167
+ [ ] A07 - Auth Failures
168
+ [ ] A08 - Data Integrity
169
+ [ ] A09 - Logging Failures
170
+ [ ] A10 - SSRF
270
171
  ```
271
172
 
272
- Checklists available in `checklists/`:
173
+ ### Phase 12: Business Logic & API
174
+ ```
175
+ [ ] IDOR
176
+ [ ] Privilege escalation
177
+ [ ] Price manipulation
178
+ [ ] API security (REST/GraphQL)
179
+ [ ] Rate limiting
273
180
  ```
274
- checklists/
275
- ├── headers.md # 9 headers detail
276
- ├── owasp.md # OWASP Top 10
277
- ├── ports.md # Port scanning
278
- └── injection.md # All injection types
181
+
182
+ ---
183
+
184
+ ## 🔧 TOOLS LOCATION
185
+
186
+ ```
187
+ skills/pentesting/
188
+ ├── SKILL.md # This file
189
+ ├── checklists/
190
+ │ ├── headers.md # 9 headers detail
191
+ │ ├── owasp.md # OWASP Top 10
192
+ │ ├── ports.md # Port scanning
193
+ │ ├── injection.md # All injection types
194
+ │ ├── exposed-files.md # 🔴 NEW - Exposed files
195
+ │ ├── cors.md # 🔴 NEW - CORS security
196
+ │ ├── jwt.md # 🔴 NEW - JWT security
197
+ │ └── graphql.md # 🔴 NEW - GraphQL security
198
+ ├── tools/
199
+ │ ├── header-scan.sh # Linux/Mac headers
200
+ │ ├── header-scan.ps1 # Windows headers
201
+ │ ├── exposed-files-scan.sh # 🔴 NEW - Exposed files
202
+ │ ├── exposed-files-scan.ps1 # 🔴 NEW - Exposed files
203
+ │ ├── full-scan.sh # 🔴 NEW - All-in-one Linux
204
+ │ └── full-scan.ps1 # 🔴 NEW - All-in-one Windows
205
+ └── reports/
206
+ └── template.md # Report template
279
207
  ```
280
208
 
281
209
  ---
282
210
 
283
211
  ## 🚀 QUICK COMMANDS
284
212
 
213
+ ### Skill Health Check 🔴 **NEW**
214
+ ```bash
215
+ # Windows PowerShell
216
+ .\tools\test-skill.ps1
217
+ .\tools\test-skill.ps1 -Verbose
218
+
219
+ # Linux/Mac
220
+ chmod +x tools/test-skill.sh
221
+ ./tools/test-skill.sh
222
+ ```
223
+
285
224
  ### Security Headers
286
225
  ```bash
287
226
  # Linux/Mac
@@ -292,16 +231,30 @@ chmod +x tools/header-scan.sh
292
231
  .\tools\header-scan.ps1 -Target https://target.com
293
232
  ```
294
233
 
234
+ ### Exposed Files Scan 🔴 NEW
235
+ ```bash
236
+ # Linux/Mac
237
+ chmod +x tools/exposed-files-scan.sh
238
+ ./tools/exposed-files-scan.sh https://target.com
239
+
240
+ # Windows PowerShell
241
+ .\tools\exposed-files-scan.ps1 -Target https://target.com
242
+ ```
243
+
244
+ ### Full Security Scan (All-in-One) 🔴 NEW
245
+ ```bash
246
+ # Linux/Mac
247
+ chmod +x tools/full-scan.sh
248
+ ./tools/full-scan.sh https://target.com
249
+
250
+ # Windows PowerShell
251
+ .\tools\full-scan.ps1 -Target https://target.com
252
+ ```
253
+
295
254
  ### Port Scanning
296
255
  ```bash
297
- # Nmap quick
298
256
  nmap -sV -p 21,22,80,443,3306,5432,8080 target.com
299
-
300
- # Full scan
301
257
  nmap -p- -sV target.com
302
-
303
- # Nmap with scripts
304
- nmap -sC -sV -p- target.com
305
258
  ```
306
259
 
307
260
  ### Vulnerability Scanning
@@ -319,12 +272,6 @@ dalfox url https://target.com/search?q=test
319
272
  commix -u "http://target.com/ping?ip=127.0.0.1"
320
273
  ```
321
274
 
322
- ### Full Scan
323
- ```powershell
324
- # Windows - All in one
325
- .\tools\security-scan.ps1 -Target https://target.com
326
- ```
327
-
328
275
  ---
329
276
 
330
277
  ## 📊 OUTPUT FORMAT
@@ -347,7 +294,7 @@ F (0-29): Critical
347
294
  ```
348
295
 
349
296
  ### Report File
350
- **Format:** `site/[domain]-[YYYY-MM-DD].md`
297
+ **Format:** `site/[domain]-[date].md`
351
298
 
352
299
  ---
353
300
 
@@ -363,14 +310,19 @@ F (0-29): Critical
363
310
 
364
311
  ## 🆘 HELP COMMANDS
365
312
 
366
- If user asks:
367
313
  - "apa bisa ini?" → Show CAPABILITIES OVERVIEW
368
314
  - "cara pakai" → Show QUICK COMMANDS
369
315
  - "test sekarang" → Start the test workflow
370
- - "check [target]" → Start security scan + save to site/[domain]-[date].md
316
+ - "check [target]" → Full scan + save report
371
317
  - "scan headers" → Run header scan
318
+ - "scan exposed files" → Run exposed files scan
319
+ - "full scan" → Run all-in-one scanner
372
320
  - "test SQL injection" → Load SQLi payloads
373
- - "complete checklist" → Show COMPLETE TEST CHECKLIST
321
+ - "test CORS" → Load CORS checklist
322
+ - "test JWT" → Load JWT checklist
323
+ - "test GraphQL" → Load GraphQL checklist
324
+ - **"test skill" / "check skill" / "validate skill"** → Run skill health check
325
+ - **"skill status" / "skill health"** → Show skill installation status
374
326
 
375
327
  ---
376
328
 
@@ -378,16 +330,28 @@ If user asks:
378
330
 
379
331
  ```
380
332
  User: "pentest untuk website ini: example.com"
381
- Load SKILL → Start full pentest workflow → Generate site/example.com-2025-07-05.md
333
+ Full pentest workflow → site/example.com-2025-07-05.md
382
334
 
383
335
  User: "security audit untuk target.com"
384
- Load SKILL → Run all tests → Generate site/target.com-2025-07-05.md
336
+ → Run all tests → site/target.com-2025-07-05.md
337
+
338
+ User: "check exposed files di website ini"
339
+ → Run exposed files scan → site/target.com-exposed-2025-07-05.md
340
+
341
+ User: "test CORS di api.target.com"
342
+ → Run CORS security tests
343
+
344
+ User: "audit JWT security"
345
+ → Run JWT security checklist
346
+
347
+ User: "GraphQL security check"
348
+ → Run GraphQL security tests
385
349
 
386
- User: "OWASP check untuk API"
387
- Load SKILL Run OWASP Top 10 checklist
350
+ User: "test skill"
351
+ Run skill health check Show test results
388
352
 
389
- User: "scan subdomain ini: api.target.com"
390
- Load SKILL Run all tests Generate site/api.target.com-2025-07-05.md
353
+ User: "validate skill installation"
354
+ Verify all files exist Show skill status
391
355
  ```
392
356
 
393
357
  ---
@@ -395,5 +359,6 @@ User: "scan subdomain ini: api.target.com"
395
359
  ## ✅ SKILL READY
396
360
 
397
361
  **Status:** ACTIVE & READY FOR USE
398
- **Version:** 2.0
362
+ **Version:** 3.0
399
363
  **Author:** Rz (@soulofzephir)
364
+ **Last Updated:** 2025-07-05