Agent Skills Framework Extension

Penetration Testing Patterns Skill

When to Use This Skill

Use this skill when implementing penetration testing patterns patterns in your codebase.

How to Use This Skill

1. Review the patterns and examples below
2. Apply the relevant patterns to your implementation
3. Follow the best practices outlined in this skill

Automated and manual penetration testing for web applications, APIs, and network infrastructure with vulnerability exploitation and reporting.

Core Capabilities

1. Web App Testing - OWASP ZAP automated scanning
2. API Testing - REST/GraphQL security testing
3. Network Scanning - Port scanning and service enumeration
4. Exploitation - Automated vulnerability exploitation
5. Reporting - Security findings and remediation

OWASP ZAP Automated Scan

#!/usr/bin/env python3
"""
Automated web application penetration testing using OWASP ZAP.
"""

from zapv2 import ZAPv2
import time
import json

class WebAppPenTest:
    def __init__(self, target_url: str, zap_api_key: str = None):
        self.target = target_url
        self.zap = ZAPv2(apikey=zap_api_key, proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

    def run_full_scan(self):
        """Execute comprehensive ZAP scan."""
        print(f"🔍 Starting penetration test: {self.target}")

        # Spider the target
        print("📡 Spidering target...")
        scan_id = self.zap.spider.scan(self.target)
        while int(self.zap.spider.status(scan_id)) < 100:
            time.sleep(1)

        # Active scan
        print("🎯 Running active scan...")
        scan_id = self.zap.ascan.scan(self.target)
        while int(self.zap.ascan.status(scan_id)) < 100:
            print(f"  Progress: {self.zap.ascan.status(scan_id)}%")
            time.sleep(5)

        # Get alerts
        alerts = self.zap.core.alerts(baseurl=self.target)

        # Generate report
        report = self._generate_report(alerts)
        return report

    def _generate_report(self, alerts):
        """Generate penetration test report."""
        critical = [a for a in alerts if a['risk'] == 'High']
        high = [a for a in alerts if a['risk'] == 'Medium']
        medium = [a for a in alerts if a['risk'] == 'Low']

        report = {
            'target': self.target,
            'total_alerts': len(alerts),
            'critical': len(critical),
            'high': len(high),
            'medium': len(medium),
            'findings': alerts
        }

        with open('pentest-report.json', 'w') as f:
            json.dump(report, f, indent=2)

        print(f"\n📊 Penetration Test Summary:")
        print(f"   Total Findings: {len(alerts)}")
        print(f"   Critical: {len(critical)}")
        print(f"   High: {len(high)}")
        print(f"   Medium: {len(medium)}")

        return report

if __name__ == '__main__':
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:3000'

    tester = WebAppPenTest(target)
    tester.run_full_scan()

API Security Testing

#!/usr/bin/env bash
# api-security-test.sh - API penetration testing

set -euo pipefail

API_BASE_URL="$1"

echo "🔐 Testing API security: $API_BASE_URL"

# Test authentication
echo "Testing authentication..."
curl -X POST "$API_BASE_URL/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"password"}' \
  -v

# Test authorization bypass
echo "Testing authorization bypass..."
curl -X GET "$API_BASE_URL/admin/users" \
  -H "Authorization: Bearer invalid" \
  -v

# Test SQL injection
echo "Testing SQL injection..."
curl -X GET "$API_BASE_URL/users?id=1' OR '1'='1" -v

# Test XSS
echo "Testing XSS..."
curl -X POST "$API_BASE_URL/comments" \
  -H "Content-Type: application/json" \
  -d '{"text":"<script>alert(1)</script>"}' \
  -v

echo "✅ API security tests complete"

Usage Examples

Web Application Pen Test

Apply penetration-testing-patterns skill to execute OWASP ZAP automated scan against web application

API Security Assessment

Apply penetration-testing-patterns skill to test REST API for authentication, authorization, and injection vulnerabilities

Integration Points

• security-audit-patterns - Pre-test security audit
• security-scanning-patterns - Automated scanning
• compliance-validation - Security compliance validation

---

Success Output

When successful, this skill MUST output:

✅ SKILL COMPLETE: penetration-testing-patterns

Completed:
- [x] OWASP ZAP scan executed against target application
- [x] API security tests completed (authentication, authorization, injection)
- [x] Network scanning finished (port scan, service enumeration)
- [x] Vulnerability exploitation attempted (authorized scope only)
- [x] Security findings report generated with severity ratings

Outputs:
- pentest-report.json (ZAP findings with risk classifications)
- api-security-results.txt (authentication/authorization test results)
- vulnerability-summary.md (executive summary with remediation priorities)

Findings Summary:
- Critical: X findings
- High: X findings
- Medium: X findings
- Low: X findings
- Total Alerts: X

Top Vulnerabilities:
1. [Vulnerability Type] - [Affected Endpoint/Component]
2. [Vulnerability Type] - [Affected Endpoint/Component]

Completion Checklist

Before marking this skill as complete, verify:

• OWASP ZAP scan completed with 100% spider coverage
• Active scan finished (no hanging scans at partial completion)
• API authentication tests executed (valid/invalid credentials tested)
• Authorization bypass tests completed (role-based access verified)
• SQL injection tests performed on all input parameters
• XSS tests completed on all user input fields
• Security findings report generated and saved
• Critical vulnerabilities documented with reproduction steps
• Remediation recommendations included for each finding
• Client/stakeholder notified of critical findings (if applicable)

Failure Indicators

This skill has FAILED if:

• ❌ ZAP scan cannot connect to target (network/firewall issue)
• ❌ Spider coverage below 50% (incomplete application mapping)
• ❌ Active scan hangs or times out without completion
• ❌ API tests fail due to authentication configuration errors
• ❌ No findings report generated (JSON export failed)
• ❌ Testing performed against unauthorized targets (scope violation)
• ❌ Production systems impacted (denial of service caused)
• ❌ Tests performed without explicit authorization

When NOT to Use

Do NOT use this skill when:

• Testing production systems without explicit written authorization
• Scope of engagement not clearly defined in writing
• Target systems are third-party owned (no testing authorization)
• Time-sensitive production operations in progress (wait for maintenance window)
• Use security-audit-patterns for non-intrusive code review instead
• Use security-scanning-patterns for passive vulnerability scanning

Alternative skills for different security needs:

• security-audit-patterns - Code review and architecture security analysis
• compliance-validation - Regulatory compliance checking (OWASP, PCI-DSS)
• threat-modeling-patterns - Preventive threat analysis before testing

Anti-Patterns (Avoid)

Anti-Pattern	Problem	Solution
Testing without authorization	Legal liability, unauthorized access charges	Obtain written authorization before any testing
Using aggressive scan settings in production	Denial of service, system crashes	Use passive/safe mode or test in staging environment
Exploiting vulnerabilities beyond proof-of-concept	Ethical violation, potential data breach	Stop at vulnerability confirmation, document PoC only
Skipping authentication tests	Misses critical access control issues	Always test authentication bypass and broken access control
Not documenting reproduction steps	Findings cannot be verified/fixed	Include exact steps, payloads, and expected vs. actual results
Testing third-party integrations	Out of scope, legal issues	Limit testing to authorized systems only
Using default ZAP settings blindly	Missed vulnerabilities or false positives	Customize scan policies for application type (API vs. web app)
Ignoring false positive analysis	Wastes remediation time	Manually verify high/critical findings before reporting

Principles

This skill embodies CODITECT foundational principles:

#1 Recycle → Extend → Re-Use → Create

• Reuse OWASP ZAP for standardized web testing
• Extend existing security test scripts for API testing
• Leverage Great Expectations framework for validation patterns

#4 Separation of Concerns

• Web app testing (ZAP) separate from API testing (curl scripts)
• Automated scanning separate from manual exploitation
• Finding reporting separate from remediation recommendations

#5 Eliminate Ambiguity

• Clear severity classifications (Critical/High/Medium/Low)
• Explicit reproduction steps for each finding
• Documented scope boundaries (authorized targets only)

#8 No Assumptions

• Verify authorization before testing EVERY target
• Test with both valid and invalid credentials
• Confirm findings manually (don't trust scanner results blindly)

#11 Research When in Doubt

• Reference OWASP Top 10 for current vulnerability priorities
• Check CVE databases for known vulnerabilities in detected services
• Consult vendor security advisories for identified technologies

Full Principles: CODITECT-STANDARD-AUTOMATION.md

---

Version: 1.1.0 | Updated: 2026-01-04 | Author: CODITECT Team