Anshin-Health-Solutions

web-assessment

```bash
# Install this skill:
npx skills add Anshin-Health-Solutions/superpai --skill "web-assessment"
```

Installs one specific skill from a multi-skill repository.

# Description

Web security assessment with vulnerability scanning, penetration testing methodology, and professional reporting.

# SKILL.md


---
name: web-assessment
description: "Web security assessment with vulnerability scanning, penetration testing methodology, and professional reporting."
triggers:
  - web assessment
  - pentest
  - security testing
  - vulnerability scan
  - security audit
---

# Web Assessment Skill

Professional web security assessment following OWASP methodology.

## Scope

  • Vulnerability scanning and identification
  • Authentication and authorization testing
  • Input validation testing (XSS, SQLi, etc.)
  • Configuration review
  • API security testing

## Process

  1. Reconnaissance — Map the attack surface (endpoints, parameters, auth flows)
  2. Scanning — Automated vulnerability detection
  3. Testing — Manual verification of findings
  4. Exploitation — Proof-of-concept for confirmed vulnerabilities
  5. Reporting — Professional report with severity ratings and remediation

## Requirements

  • Explicit authorization from the target owner
  • Defined scope (URLs, endpoints, methods)
  • Clear rules of engagement

## OWASP Top 10 Testing Checklist

Work through each category systematically:

| # | Category | Key Tests |
|-----|------------------------|-----------------------------------------------|
| A01 | Broken Access Control | IDOR, privilege escalation, CORS misconfig |
| A02 | Cryptographic Failures | Weak TLS, unencrypted sensitive data |
| A03 | Injection | SQLi, XSS, command injection, SSTI |
| A04 | Insecure Design | Business logic flaws, rate limiting absent |
| A05 | Security Misconfiguration | Default creds, verbose errors, open directories |
| A06 | Vulnerable Components | Outdated libs, known CVEs in dependencies |
| A07 | Auth Failures | Weak passwords, no MFA, session fixation |
| A08 | Integrity Failures | Unsigned updates, insecure deserialization |
| A09 | Logging Failures | No audit trail, sensitive data in logs |
| A10 | SSRF | Internal network access via forged requests |

## Tool Commands

```bash
# Subdomain enumeration
subfinder -d target.com -o subdomains.txt
amass enum -d target.com

# Port and service scanning
nmap -sV -sC -oA nmap_output target.com

# Web crawler and endpoint discovery
katana -u https://target.com -o endpoints.txt
gau target.com | tee urls.txt

# Vulnerability scanning
nikto -h https://target.com -o nikto_report.txt
nuclei -u https://target.com -t cves/ -t exposures/

# Parameter discovery
arjun -u https://target.com/api/endpoint

# Directory brute force
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://target.com/FUZZ

# SSL/TLS analysis
testssl.sh https://target.com

# SQLi testing
sqlmap -u "https://target.com/page?id=1" --dbs --batch

# XSS testing
dalfox url "https://target.com/page?q=test"
```

## Manual Testing Patterns

### Authentication Testing

  • Try default credentials: admin/admin, admin/password, test/test
  • Attempt username enumeration via response timing differences
  • Test password reset flows for token predictability
  • Check "remember me" cookie entropy and expiration
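The enumeration, password and remember-me checks above have a straightforward server-side mitigation. As an added example (not code from this SKILL.md or the superpai project), here is a login routine that performs the same password-hash work and returns the same message whether or not the username exists, together with a remember-me token drawn from the OS CSPRNG with a server-side expiry. The PBKDF2 parameters, the in-memory stores and every function name are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hashing parameters chosen for this illustration (assumption); a real
# application should use its vetted password-hashing library at a tuned cost.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16

# One generic message for every failure path. The enumeration check in the
# list above looks for wording or timing that differs between "unknown user"
# and "wrong password"; this routine makes both paths identical.
FAILURE_MESSAGE = "Invalid username or password."

# Instrumentation only: counts PBKDF2 runs so a test can show that the
# unknown-user path does exactly the same work as the known-user path.
STATS = {"hash_runs": 0}


def hash_password(password: str, salt: bytes) -> bytes:
    STATS["hash_runs"] += 1
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, username: str, password: str) -> None:
    """Store (salt, digest); `store` is an in-memory stand-in for the user table."""
    salt = os.urandom(SALT_BYTES)
    store[username] = (salt, hash_password(password, salt))


# Placeholder credential used when the username is unknown, so that path still
# performs one full PBKDF2 computation before failing.
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_DIGEST = hash_password("placeholder-never-accepted", _DUMMY_SALT)


@dataclass
class LoginResult:
    ok: bool
    message: str


def login(store: dict, username: str, password: str) -> LoginResult:
    record = store.get(username)
    known = record is not None
    salt, expected = record if known else (_DUMMY_SALT, _DUMMY_DIGEST)
    computed = hash_password(password, salt)          # same cost on both paths
    matched = hmac.compare_digest(computed, expected)  # constant-time digest compare
    if known and matched:
        return LoginResult(True, "Login successful.")
    return LoginResult(False, FAILURE_MESSAGE)


def issue_remember_me(tokens: dict, username: str, days: int = 30) -> tuple:
    """Remember-me cookie value: 256 bits from the OS CSPRNG plus a server-side
    expiry, the two properties the cookie check above looks for."""
    token = secrets.token_urlsafe(32)
    expires = datetime.now(timezone.utc) + timedelta(days=days)
    tokens[token] = (username, expires)
    return token, expires


def redeem_remember_me(tokens: dict, token: str):
    """Return the username for a live token, or None if unknown or expired."""
    entry = tokens.get(token)
    if entry is None:
        return None
    username, expires = entry
    if datetime.now(timezone.utc) >= expires:
        del tokens[token]
        return None
    return username


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    print(login(users, "alice", "wrong password"))
    print(login(users, "nobody", "wrong password"))
```

Running the module prints two failure results that are byte-for-byte identical, and `STATS["hash_runs"]` shows that each attempt cost exactly one PBKDF2 run regardless of whether the username existed.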

### Authorization Testing

  • Access resources as User A using User B's IDs (IDOR)
  • Attempt horizontal and vertical privilege escalation
  • Test API endpoints without authentication headers
  • Manipulate role/permission values in JWT payloads

### Input Validation

```text
# XSS payloads to try
<script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)

# SQLi detection
' OR '1'='1
1; DROP TABLE users--
1 UNION SELECT null,null,null--

# SSTI detection
{{7*7}}  ${7*7}  #{7*7}
```
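The remediation side of the injection checks above, as an added example that is not part of this SKILL.md or the superpai project: the `' OR '1'='1` probe run against a lookup built by string concatenation and against the same lookup with a bound parameter, and the reflected-XSS probe rendered with and without HTML encoding. The SQLite table, its rows and all function names are constructed for the illustration.

```python
import html
import sqlite3

# Constructed sample data standing in for the application's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Detection probes quoted from the checklist above.
SQLI_PROBE = "' OR '1'='1"
XSS_PROBE = '"><img src=x onerror=alert(1)>'


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Finding: untrusted input spliced into the SQL text (the CWE-89 pattern)."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Remediation: the value travels as a bound parameter, never as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def rows_leaked_by_probe(lookup, conn: sqlite3.Connection) -> int:
    """Differential check used to confirm, and later to close, the finding:
    how many more rows the probe returns than a username that matches nothing."""
    baseline = lookup(conn, "no-such-user")
    probed = lookup(conn, SQLI_PROBE)
    return len(probed) - len(baseline)


def render_search_vulnerable(term: str) -> str:
    """Finding: the search term is reflected into HTML unencoded."""
    return f"<p>Results for {term}</p>"


def render_search_safe(term: str) -> str:
    """Remediation: entity-encode before reflecting; quote=True also covers
    the attribute-breakout probe that starts with a double quote."""
    return f"<p>Results for {html.escape(term, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print("rows leaked (vulnerable):", rows_leaked_by_probe(lookup_user_vulnerable, db))
    print("rows leaked (safe):      ", rows_leaked_by_probe(lookup_user_safe, db))
    print(render_search_vulnerable(XSS_PROBE))
    print(render_search_safe(XSS_PROBE))
```

The differential function is the shape of evidence the report template asks for: a probe that returns every row against a baseline that returns none confirms the finding, and the same call returning zero after the parameterised fix is deployed is the retest.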

## CVSS Scoring Quick Reference

| Score | Severity | Action |
|----------|----------|---------------------------------|
| 9.0-10.0 | Critical | Immediate remediation required |
| 7.0-8.9 | High | Remediate within 7 days |
| 4.0-6.9 | Medium | Remediate within 30 days |
| 0.1-3.9 | Low | Remediate in next release cycle |

## Report Template

```markdown
# Security Assessment Report — [Target]

**Date:** [Date]
**Scope:** [URLs and endpoints tested]
**Authorization:** [Document confirming permission]

## Executive Summary
[2-3 paragraphs for non-technical leadership]

## Findings

### [FINDING-001] — [Title] — CRITICAL/HIGH/MEDIUM/LOW
- **CVSS Score:** X.X
- **Description:** What the vulnerability is
- **Evidence:** Request/response showing the issue
- **Impact:** What an attacker can achieve
- **Remediation:** Specific fix with code example
- **References:** CVE, CWE, OWASP link

## Remediation Summary
| Finding | Severity | Status | Owner |
|---------|----------|--------|-------|

## Retesting Notes
[Guidance for confirming fixes]
```
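To tie the CVSS quick reference to the report template, here is an added example (not part of this SKILL.md or the superpai project) that maps a score to its severity band and remediation window and renders findings in the template's layout, highest score first; the Remediation Summary table gains a Due column that the template itself does not have. The `Finding` dataclass, the two sample findings, the target host and the authorization reference are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Severity bands from the CVSS quick reference above as (lower bound, label);
# a score of exactly 0.0 is "None" in CVSS and gets no remediation window.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
# Remediation windows from the same table, in days; None means next release cycle.
REMEDIATION_DAYS = {"Critical": 0, "High": 7, "Medium": 30, "Low": None}
SEP = " \u2014 "  # em dash separator, as in the template's headings


def severity_for(score: float) -> str:
    """Map a CVSS base score to the severity band used in the report."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"


def remediation_due(severity: str, found_on: str) -> str:
    """Due date (ISO 8601) derived from the severity's remediation window."""
    if severity not in REMEDIATION_DAYS:
        return "No SLA (informational)"
    days = REMEDIATION_DAYS[severity]
    if days is None:
        return "Next release cycle"
    due = (date.fromisoformat(found_on) + timedelta(days=days)).isoformat()
    return f"Immediate ({due})" if days == 0 else due


@dataclass
class Finding:  # one finding, in the shape of the template's per-finding section
    ident: str
    title: str
    cvss: float
    description: str
    evidence: str
    impact: str
    remediation: str
    references: list = field(default_factory=list)
    status: str = "Open"
    owner: str = "Unassigned"

    @property
    def severity(self) -> str:
        return severity_for(self.cvss)


def executive_summary(findings: list) -> str:
    """Count findings per band; input is sorted by score so bands come out in order."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    breakdown = ", ".join(f"{n} {label.lower()}" for label, n in counts.items())
    return f"The assessment identified {len(findings)} finding(s): {breakdown}."


def render_report(target: str, assessed_on: str, scope: str, authorization: str, findings: list) -> str:
    """Render Markdown in the template's layout, highest CVSS first."""
    ordered = sorted(findings, key=lambda f: f.cvss, reverse=True)
    lines = [f"# Security Assessment Report{SEP}{target}", "",
             f"**Date:** {assessed_on}", f"**Scope:** {scope}", f"**Authorization:** {authorization}", "",
             "## Executive Summary", executive_summary(ordered), "", "## Findings", ""]
    for f in ordered:
        lines += [f"### [{f.ident}]{SEP}{f.title}{SEP}{f.severity.upper()}",
                  f"- **CVSS Score:** {f.cvss:.1f}",
                  f"- **Description:** {f.description}",
                  f"- **Evidence:** {f.evidence}",
                  f"- **Impact:** {f.impact}",
                  f"- **Remediation:** {f.remediation}",
                  f"- **References:** {', '.join(f.references) or 'n/a'}", ""]
    lines += ["## Remediation Summary",
              "| Finding | Severity | Status | Owner | Due |",
              "|---------|----------|--------|-------|-----|"]
    for f in ordered:
        lines.append(f"| {f.ident} | {f.severity} | {f.status} | {f.owner} | "
                     f"{remediation_due(f.severity, assessed_on)} |")
    lines += ["", "## Retesting Notes",
              "Replay each finding's evidence request after the fix ships; close the finding "
              "only when the response no longer reproduces the issue."]
    return "\n".join(lines)


def sample_report() -> str:
    """Constructed findings against a fictional target; nothing here is real data."""
    findings = [
        Finding("FINDING-002", "Verbose stack traces on error pages", 5.3,
                "Unhandled exceptions return full stack traces including framework versions.",
                "GET /api/orders/abc returns HTTP 500 with a framework stack trace (constructed).",
                "Discloses internal paths and component versions to anyone who triggers an error.",
                "Return a generic error page and keep the trace in server-side logs only.",
                ["CWE-209", "OWASP A05:2021"], owner="Platform team"),
        Finding("FINDING-001", "IDOR on order lookup", 8.1,
                "Any order is returned for any numeric id; ownership is never checked.",
                "GET /api/orders/1002 as user A returns user B's order (constructed).",
                "Read access to every customer's order history.",
                "Load the order, then require order.owner_id == session.user_id before returning it.",
                ["CWE-639", "OWASP A01:2021"], owner="API team"),
    ]
    return render_report("shop.example.test API", "2024-03-04", "https://shop.example.test/api/*",
                         "Signed authorization letter ref. [placeholder]", findings)
```

Calling `print(sample_report())` writes the complete Markdown document; the two findings come out with FINDING-001 (8.1, High, due 2024-03-11) ahead of FINDING-002 (5.3, Medium, due 2024-04-03) because the renderer sorts by score rather than by identifier.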

## Red Flags / Warnings

  • Never test without written authorization — unauthorized testing is illegal
  • Do not run denial-of-service or destructive tests without explicit approval
  • Avoid storing sensitive data discovered during testing
  • Cease testing immediately if you encounter evidence of prior compromise
  • Document all actions with timestamps for legal defensibility

Output: Professional security assessment report with CVSS scores and remediation guidance.

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents.

Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.