pentest-client-advanced
Pentest Client Advanced
Purpose
Test advanced client-side attack surfaces beyond XSS. Six WSTG-CLNT items remain unchecked in Shannon's pipeline — these are distinct attack classes requiring different methodology than taint analysis.
Prerequisites
Authorization Requirements
- Written authorization with client-side testing scope
- Test domains for hosting PoC HTML pages (attacker-controlled origin)
- Browser testing environment with DevTools access
- Target user simulation — ability to test cross-origin interactions
Environment Setup
- Modern browser with DevTools (Chrome/Firefox)
- Burp Suite for intercepting WebSocket and cross-origin traffic
- Local HTTP server for hosting PoC pages (python -m http.server)
- Playwright for automated browser-based attack verification
Core Workflow
- CORS Misconfiguration: Test reflected Origin in ACAO header, null origin bypass, subdomain wildcard abuse, credential leakage via cross-origin requests (WSTG-CLNT-07).
- WebSocket Security: Missing auth on WS upgrade, CSWSH (Cross-Site WebSocket Hijacking), injection through WS messages, missing origin validation (WSTG-CLNT-10).
- Clickjacking: Missing X-Frame-Options / CSP frame-ancestors, UI redressing, drag-and-drop hijacking, multi-step clickjacking chains (WSTG-CLNT-09).
- postMessage Abuse: Missing origin validation in message handlers, DOM manipulation via cross-origin messages, prototype pollution through postMessage (WSTG-CLNT-11).
- CSS Injection: Data exfiltration via CSS attribute selectors + background-image, CSS-based keylogging, style injection for UI manipulation (WSTG-CLNT-05).
- Client-Side Storage: Sensitive data in localStorage/sessionStorage, IndexedDB exposure, service worker cache poisoning (WSTG-CLNT-06).
- PoC Construction: Build HTML pages demonstrating each attack with real impact.
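The CORS and clickjacking items above come down to reading response headers correctly for each probe Origin. The following is an added example (not code from the joysafeter project) that classifies captured headers for those two checks: reflected Origin, null origin, wildcard-with-credentials, and missing or open framing protection. It assumes the headers were captured elsewhere (curl, Burp, Playwright) and are passed in as a lowercase-key object; the origins and sample captures are constructed for the demo.

```javascript
// Added example: header classifier for WSTG-CLNT-07 (CORS) and WSTG-CLNT-09
// (clickjacking). Not part of the original skill; all origins and captures are
// constructed. Input headers are assumed to use lowercase names.

/** Classify the CORS policy seen for one UNTRUSTED probe Origin. */
function analyzeCors(requestOrigin, headers) {
  const acao = (headers['access-control-allow-origin'] || '').trim();
  const creds =
    (headers['access-control-allow-credentials'] || '').trim().toLowerCase() === 'true';
  if (acao === '') {
    return { severity: 'none', reason: 'no ACAO header: cross-origin reads are blocked' };
  }
  if (acao === '*') {
    // Browsers never send credentials to a wildcard ACAO, so exposure is limited
    // to data reachable without a session; ACAC=true alongside it is a policy smell.
    return creds
      ? { severity: 'medium', reason: 'wildcard ACAO combined with ACAC=true' }
      : { severity: 'info', reason: 'wildcard ACAO: public, unauthenticated data only' };
  }
  if (acao === 'null') {
    // Sandboxed iframes and data: URLs produce Origin: null, so this is not a safe allow-list entry.
    return { severity: creds ? 'high' : 'low', reason: 'null origin allowed' };
  }
  if (acao === requestOrigin) {
    // The probe origin was echoed back: any site can read the response.
    return { severity: creds ? 'high' : 'medium', reason: 'request Origin reflected into ACAO' };
  }
  return { severity: 'none', reason: `ACAO fixed to ${acao}` };
}

/** Decide whether an arbitrary third-party page may frame this response. */
function analyzeFraming(headers) {
  const csp = headers['content-security-policy'] || '';
  const fa = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (fa) {
    // CSP frame-ancestors takes precedence over X-Frame-Options in current browsers.
    const sources = fa.split(/\s+/).slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    const open = sources.includes('*') || sources.includes('https:') || sources.includes('http:');
    return { frameable: open, via: 'csp', directive: fa };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { frameable: false, via: 'x-frame-options', directive: xfo };
  }
  // ALLOW-FROM is ignored by current browsers; a missing header is no protection at all.
  return { frameable: true, via: xfo ? 'x-frame-options' : 'none', directive: xfo || '(missing)' };
}

// Constructed captures, one per class the workflow above calls out.
const PROBE_ORIGIN = 'https://attacker.example'; // hypothetical tester-controlled origin
const SAMPLES = {
  reflectedWithCreds: {
    'access-control-allow-origin': 'https://attacker.example',
    'access-control-allow-credentials': 'true',
    'x-frame-options': 'SAMEORIGIN',
  },
  nullOrigin: {
    'access-control-allow-origin': 'null',
    'access-control-allow-credentials': 'true',
  },
  hardened: {
    'access-control-allow-origin': 'https://app.example',
    'access-control-allow-credentials': 'true',
    'content-security-policy': "default-src 'self'; frame-ancestors 'self'",
  },
  openFraming: {
    'content-security-policy': 'frame-ancestors *',
  },
};

function runChecks(origin, samples) {
  const report = {};
  for (const [name, headers] of Object.entries(samples)) {
    report[name] = { cors: analyzeCors(origin, headers), framing: analyzeFraming(headers) };
  }
  return report;
}

const REPORT = runChecks(PROBE_ORIGIN, SAMPLES);
console.log(JSON.stringify(REPORT, null, 2));
```

Only responses to untrusted probe origins should be fed to `analyzeCors`; a first-party origin echoed in ACAO is expected behaviour, not a finding. Subdomain-wildcard abuse is covered by the same reflection branch when the probe origin is something like a lookalike or attacker-controlled subdomain.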
WSTG Coverage
| WSTG ID | Test Name | Status |
|---|---|---|
| WSTG-CLNT-05 | CSS Injection | ✅ |
| WSTG-CLNT-06 | Client-Side Resource Manipulation | ✅ |
| WSTG-CLNT-07 | Cross-Origin Resource Sharing | ✅ |
| WSTG-CLNT-09 | Clickjacking | ✅ |
| WSTG-CLNT-10 | WebSocket Testing | ✅ |
| WSTG-CLNT-11 | Web Messaging | ✅ |
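For the Web Messaging row (WSTG-CLNT-11) and the postMessage item in the workflow, the check that matters is whether a `message` handler pins the sender origin and validates the payload before touching application state. The following added example (not code from the joysafeter project) puts a weak handler beside a hardened one and drives both with constructed events; it runs under Node with plain objects standing in for `MessageEvent` (`origin`, `data`), and the trusted origin, allowed keys and event payloads are all assumptions for the demo.

```javascript
// Added example: weak vs hardened postMessage handler (WSTG-CLNT-11).
// Not part of the original skill; events are simulated as {origin, data}
// objects and every origin/key below is constructed for the demo.

const TRUSTED_ORIGIN = 'https://app.example'; // hypothetical first-party origin
const ALLOWED_KEYS = new Set(['theme', 'locale']); // hypothetical settings keys

/** Weak pattern: no origin check, payload merged straight into state. */
function weakHandler(state, event) {
  // Any framing or opener page can reach this line, and a JSON payload carrying a
  // "__proto__" key is routed through [[Set]] and rewires the state's prototype.
  Object.assign(state, event.data);
  return state;
}

/** Hardened pattern: pin the origin, then validate shape, keys and types. */
function hardenedHandler(state, event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { accepted: false, reason: `untrusted origin ${event.origin}` };
  }
  const data = event.data;
  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
    return { accepted: false, reason: 'payload is not a plain object' };
  }
  for (const key of Object.keys(data)) {
    // Allow-listing keys rejects __proto__/constructor/prototype by construction.
    if (!ALLOWED_KEYS.has(key)) return { accepted: false, reason: `unexpected key ${key}` };
    if (typeof data[key] !== 'string') return { accepted: false, reason: `non-string value for ${key}` };
  }
  // Copy only the validated fields; never hand the raw object to a merge.
  for (const key of ALLOWED_KEYS) {
    if (Object.prototype.hasOwnProperty.call(data, key)) state[key] = data[key];
  }
  return { accepted: true, reason: 'ok' };
}

// Browser wiring would be (not executed here):
//   window.addEventListener('message', (e) => hardenedHandler(appState, e));

// Constructed events: a legitimate message, a cross-origin forgery, and a
// same-origin message whose key set is hostile.
const EVENTS = [
  { origin: 'https://app.example', data: { theme: 'dark' } },
  { origin: 'https://attacker.example', data: { theme: 'dark', isAdmin: 'true' } },
  { origin: 'https://app.example', data: JSON.parse('{"__proto__": {"isAdmin": true}}') },
];

/** Run each event through both handlers on fresh state and report the outcome. */
function demo(events = EVENTS) {
  return events.map((event) => {
    const weakState = {};
    const hardState = {};
    weakHandler(weakState, event);
    const verdict = hardenedHandler(hardState, event);
    return {
      origin: event.origin,
      // True when the weak handler let the message influence an "isAdmin" view of state,
      // whether as an own property or via the prototype swap described above.
      weakSawIsAdmin: weakState.isAdmin !== undefined,
      hardened: verdict,
      hardState,
    };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

The third event shows why origin pinning alone is not enough: it passes the origin check, and only the key allow-list stops the `__proto__` payload from reaching the merge. During testing, a handler that reaches `Object.assign`, a deep merge or `innerHTML` with `event.data` before checking `event.origin` is the pattern to flag.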
Tool Categories
| Category | Tools | Purpose |
|---|---|---|
| CORS Testing | CORScanner, curl, custom PoC pages | CORS misconfiguration detection |
| WebSocket | websocket-client (Python), Burp WS | WebSocket hijacking and injection |
| Clickjacking | custom HTML iframes, Playwright | UI redressing PoC construction |
| Browser Automation | Playwright, Puppeteer | Automated client-side attack verification |
| Storage Analysis | Browser DevTools, custom JS | localStorage/IndexedDB inspection |
References
- references/tools.md - Tool function signatures and parameters
- references/workflows.md - Attack pattern definitions and test vectors