
Penetration Test Checklist


Generate security testing checklist for the app

Works with OpenClaude

You are a security engineer specializing in application penetration testing. The user wants to generate a comprehensive security testing checklist tailored to their specific application type and technology stack.

What to check first

  • Identify the application type (web app, API, mobile, desktop, CLI tool) — this determines which test categories apply
  • Run git log --oneline -1 to understand the codebase age and maturity level
  • Check for existing security tooling in package.json (eslint-plugin-security), requirements.txt (bandit), or go.mod (gosec)
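The third check above, implemented as an added example (not code from the skill or the Claude Skills Hub project): it parses the three manifests the skill names and reports whether each expected tool is declared. The fixture repository it builds is constructed; the gosec module path and the assumption that gosec appears in go.mod only when tracked as a tool dependency are mine.

```python
import json
import re
import tempfile
from pathlib import Path

# Tools the checklist step looks for, keyed by the manifest that would declare them.
EXPECTED_TOOLING = {
    "package.json": ["eslint-plugin-security"],
    "requirements.txt": ["bandit"],
    "go.mod": ["github.com/securego/gosec"],  # assumed module path; matched by prefix (e.g. /v2)
}

def npm_deps(text: str) -> list:
    data = json.loads(text)
    names = []
    for key in ("dependencies", "devDependencies"):
        names.extend(data.get(key, {}).keys())
    return names

def pip_deps(text: str) -> list:
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):   # skip -r / -e / --index-url options
            continue
        # Strip version specifiers, extras and environment markers; pip names are case-insensitive.
        names.append(re.split(r"[\s=<>!~\[;]", line, maxsplit=1)[0].lower())
    return names

def go_deps(text: str) -> list:
    # Matches "require x v1.2.3" and the lines inside a require ( ... ) block.
    return re.findall(r"^\s*(?:require\s+)?(\S+/\S+)\s+v[\w.\-+]+", text, re.M)

PARSERS = {"package.json": npm_deps, "requirements.txt": pip_deps, "go.mod": go_deps}

def detect_security_tooling(root: Path) -> dict:
    # Returns {manifest: {tool: present}} for every manifest found directly under root.
    found = {}
    for manifest, tools in EXPECTED_TOOLING.items():
        path = root / manifest
        if not path.is_file():
            continue
        declared = PARSERS[manifest](path.read_text())
        found[manifest] = {t: any(d == t or d.startswith(t + "/") for d in declared) for t in tools}
    return found

def demo() -> dict:
    # Constructed fixture: a polyglot repo where only the Node side has a security linter.
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({"devDependencies": {"eslint-plugin-security": "^3.0.0"}}))
    (root / "requirements.txt").write_text("django==4.2\n# bandit is run from CI, not pinned here\n")
    (root / "go.mod").write_text("module example.com/app\n\ngo 1.22\n\nrequire (\n\tgithub.com/gin-gonic/gin v1.9.1\n)\n")
    return detect_security_tooling(root)
```

A manifest that is missing from the result means it was not found at the root; a tool marked False is worth listing as a checklist item before any testing starts.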

Steps

  1. Gather application context: language, framework, authentication method, external dependencies, and data sensitivity level
  2. Define scope boundaries: which components, endpoints, and user roles are in-scope for testing
  3. Generate OWASP Top 10 mapping items specific to the app's architecture (e.g., SQL injection for SQL-based apps, XXE for XML parsers)
  4. Add framework-specific checks (Django CSRF, Express helmet headers, Spring Security configurations)
  5. Include dependency scanning items: check for known CVEs using npm audit, pip-audit, or go list -json
  6. Add authentication/authorization tests: password policies, session management, privilege escalation vectors
  7. Generate data protection checks: encryption in transit (TLS versions), encryption at rest, sensitive data logging
  8. Create infrastructure security items: CORS policy validation, HTTP headers (CSP, X-Frame-Options), rate limiting
  9. Add business logic testing scenarios: workflow bypass, race conditions, authorization edge cases
  10. Export checklist with priority levels and evidence collection requirements

Code

import json
from typing import Dict, List

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

class PentestChecklist:
    def __init__(self, app_type: str, framework: str, has_auth: bool, handles_payments: bool):
        self.app_type = app_type  # "web", "api", "mobile", "monolith"
        self.framework = framework  # "django", "express", "spring", "fastapi"
        self.has_auth = has_auth
        self.handles_payments = handles_payments
        self.checklist: List[Dict] = []

    def generate_checklist(self) -> List[Dict]:
        self._add_owasp_top_10()
        self._add_framework_specific()
        self._add_authentication_tests()
        self._add_data_protection()
        self._add_infrastructure()
        if self.handles_payments:
            self._add_payment_security()
        self._prioritize_and_sort()
        return self.checklist

    def _add(self, id_: str, title: str, description: str, priority: str, category: str) -> None:
        # Every item carries an empty evidence slot to be filled in during testing (step 10).
        self.checklist.append({"id": id_, "title": title, "description": description,
                               "priority": priority, "category": category, "evidence": ""})
    def _add_owasp_top_10(self):
        self._add("A01", "Injection", "Test for SQL, NoSQL, OS command injection", "critical", "owasp")
        self._add("A02", "Broken Authentication", "Password policies, session management, privilege escalation", "critical", "owasp")
    # The source is cut off after A02; the method bodies below are assumed, built from the Steps section.
    def _add_framework_specific(self):
        checks = {"django": "CSRF middleware enabled", "express": "helmet headers configured",
                  "spring": "Spring Security configuration reviewed"}
        if self.framework in checks:
            self._add("F01", f"{self.framework} hardening", checks[self.framework], "high", "framework")
    def _add_authentication_tests(self):
        if self.has_auth:
            self._add("AUTH01", "Session and privilege tests", "Session management, privilege escalation vectors", "high", "auth")
    def _add_data_protection(self):
        self._add("DP01", "Encryption in transit and at rest", "TLS versions, storage encryption, sensitive data in logs", "high", "data")
    def _add_infrastructure(self):
        self._add("INF01", "Headers and rate limiting", "CORS policy, CSP, X-Frame-Options, rate limiting", "medium", "infra")
    def _add_payment_security(self):
        self._add("PAY01", "Payment workflow checks", "Workflow bypass, race conditions, authorization edge cases", "critical", "business")
    def _prioritize_and_sort(self):
        # Stable sort: items keep their insertion order within the same priority.
        self.checklist.sort(key=lambda item: PRIORITY_ORDER.get(item["priority"], len(PRIORITY_ORDER)))

if __name__ == "__main__":
    print(json.dumps(PentestChecklist("web", "django", True, False).generate_checklist(), indent=2))

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

  • Treating this skill as a one-shot solution — most workflows need iteration and verification
  • Skipping the verification steps — you don't know it worked until you measure
  • Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

  • When a simpler manual approach would take less than 10 minutes
  • On critical production systems without testing in staging first
  • When you don't have permission or authorization to make these changes

How to Verify It Worked

  • Run the verification steps documented above
  • Compare the output against your expected baseline
  • Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

  • Test in staging before deploying to production
  • Have a rollback plan — every change should be reversible
  • Monitor the affected systems for at least 24 hours after the change

Quick Info

Category: Security
Difficulty: advanced
Version: 1.0.0
Author: Claude Skills Hub
Tags: security, pentesting, checklist

Install command:

curl -o ~/.claude/skills/penetration-test-checklist.md https://claude-skills-hub.vercel.app/skills/security/penetration-test-checklist.md
