pentest-config-hardening
SKILL.md
Pentest Config Hardening
Purpose
Shannon checks only 2 of 14 WSTG-CONF items. The remaining 12 are "low-hanging fruit" findings expected in every professional pentest report — straightforward to test systematically.
Prerequisites
Authorization Requirements
- Written authorization with infrastructure testing scope
- Target URL list for all web-facing endpoints
- CDN/WAF awareness — some headers may be set by infrastructure, not application
Environment Setup
- testssl.sh for comprehensive TLS analysis
- nmap with ssl-enum-ciphers script
- curl for manual header inspection
- nuclei with misconfig templates
Core Workflow
- HTTP Security Headers: Audit HSTS (+ preload), CSP policy analysis, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, CORP/COEP/COOP (WSTG-CONF-07/14).
- TLS Configuration: Protocol versions (TLS 1.0/1.1 deprecation), cipher suite strength, certificate validity, HSTS preload status, certificate transparency.
- HTTP Method Handling: OPTIONS enumeration, PUT/DELETE on static resources, TRACE for XST, method override headers (WSTG-CONF-06).
- Infrastructure Exposure: Admin interfaces (WSTG-CONF-05), default credentials on management consoles, exposed monitoring endpoints (/metrics, /health, /debug).
- Cloud Storage Misconfig: Public S3 buckets, Azure blob containers, GCP storage referenced in app code or responses (WSTG-CONF-11).
- CSP Bypass Analysis: unsafe-inline, unsafe-eval, overly broad source lists, JSONP on allowed domains, missing base-uri (WSTG-CONF-12).
- Cookie Security: Secure flag, HttpOnly flag, SameSite attribute, cookie scope, session cookie entropy.
WSTG Coverage
| WSTG ID | Test Name | Status |
|---|---|---|
| WSTG-CONF-02 | Test Application Platform Configuration | ✅ |
| WSTG-CONF-03 | Test File Extensions Handling | ✅ |
| WSTG-CONF-04 | Review Old Backup and Unreferenced Files | ✅ |
| WSTG-CONF-05 | Enumerate Infrastructure and Admin Interfaces | ✅ |
| WSTG-CONF-06 | Test HTTP Methods | ✅ |
| WSTG-CONF-07 | Test HTTP Strict Transport Security | ✅ |
| WSTG-CONF-08 | Test RIA Cross Domain Policy | ✅ |
| WSTG-CONF-09 | Test File Permission | ✅ |
| WSTG-CONF-11 | Test Cloud Storage | ✅ |
| WSTG-CONF-12 | Test Content Security Policy | ✅ |
| WSTG-CONF-13 | Test for Subdomain Takeover | ✅ |
| WSTG-CONF-14 | Test Security Headers | ✅ |
Tool Categories
| Category | Tools | Purpose |
|---|---|---|
| TLS Testing | testssl.sh, nmap ssl-enum-ciphers | Protocol and cipher analysis |
| Header Audit | SecurityHeaders.com API, Mozilla Observatory | Security header grading |
| Method Testing | curl, nmap http-methods | HTTP method enumeration |
| CSP Analysis | CSP Evaluator, custom scripts | CSP bypass assessment |
| Cloud Storage | S3Scanner, cloud_enum | Public bucket detection |
| Subdomain | subjack, can-i-take-over-xyz | Subdomain takeover detection |
References
references/tools.md- Tool function signatures and parametersreferences/workflows.md- Attack pattern definitions and test vectors
Weekly Installs
28
Repository
jd-opensource/joysafeterGitHub Stars
182
First Seen
Feb 18, 2026
Security Audits
Installed on
github-copilot28
codex28
kimi-cli28
gemini-cli28
amp28
cursor28