security-pen-testing

Security Penetration Testing

Hands-on offensive security testing skill for finding vulnerabilities before attackers do. This is NOT compliance checking (see senior-secops) or security policy writing (see senior-security) — this is about systematic vulnerability discovery through authorized testing.

Overview

What This Skill Does

This skill provides the methodology, checklists, and automation for offensive security testing — actively probing systems to discover exploitable vulnerabilities. It covers web applications, APIs, infrastructure, and supply chain security.

Distinction from Other Security Skills

| Skill | Focus | Approach |
|---|---|---|
| security-pen-testing (this) | Finding vulnerabilities | Offensive — simulate attacker techniques |
| senior-secops | Security operations | Defensive — monitoring, incident response, SIEM |
| senior-security | Security policy | Governance — policies, frameworks, risk registers |
| skill-security-auditor | CI/CD gates | Automated — pre-merge security checks |

Prerequisites

All testing described here assumes written authorization from the system owner. Unauthorized testing is illegal under the CFAA and equivalent laws worldwide. Always obtain a signed scope-of-work or rules-of-engagement document before starting.

OWASP Top 10 Systematic Audit

Use the vulnerability scanner tool for automated checklist generation:

```bash
# Generate OWASP checklist for a web application
python scripts/vulnerability_scanner.py --target web --scope full

# Quick API-focused scan
python scripts/vulnerability_scanner.py --target api --scope quick --json
```

Quick Reference

| # | Category | Key Tests |
|---|---|---|
| A01 | Broken Access Control | IDOR, vertical escalation, CORS, JWT claim manipulation, forced browsing |
| A02 | Cryptographic Failures | TLS version, password hashing, hardcoded keys, weak PRNG |
| A03 | Injection | SQLi, NoSQLi, command injection, template injection, XSS |
| A04 | Insecure Design | Rate limiting, business logic abuse, multi-step flow bypass |
| A05 | Security Misconfiguration | Default credentials, debug mode, security headers, directory listing |
| A06 | Vulnerable Components | Dependency audit (npm/pip/go), EOL checks, known CVEs |
| A07 | Auth Failures | Brute force, session cookie flags, session invalidation, MFA bypass |
| A08 | Integrity Failures | Unsafe deserialization, SRI checks, CI/CD pipeline integrity |
| A09 | Logging Failures | Auth event logging, sensitive data in logs, alerting thresholds |
| A10 | SSRF | Internal IP access, cloud metadata endpoints, DNS rebinding |

```bash
# Audit dependencies
python scripts/dependency_auditor.py --file package.json --severity high
python scripts/dependency_auditor.py --file requirements.txt --json
```

See [owasp_top_10_checklist.md](references/owasp_top_10_checklist.md) for detailed test procedures, code patterns to detect, remediation steps, and CVSS scoring guidance for each category.

---

Static Analysis

Recommended tools: CodeQL (custom queries for project-specific patterns), Semgrep (rule-based scanning with auto-fix), ESLint security plugins (`eslint-plugin-security`, `eslint-plugin-no-unsanitized`).
Key patterns to detect: SQL injection via string concatenation, hardcoded JWT secrets, unsafe YAML/pickle deserialization, missing security middleware (e.g., Express without Helmet).
See attack_patterns.md for code patterns and detection payloads across injection types.

Dependency Vulnerability Scanning

Ecosystem commands: `npm audit`, `pip-audit`, `govulncheck ./...`, `bundle audit check`
CVE Triage Workflow:
  1. Collect — Run ecosystem audit tools, aggregate findings
  2. Deduplicate — Group by CVE ID across direct and transitive deps
  3. Prioritize — Critical + exploitable + reachable = fix immediately
  4. Remediate — Upgrade, patch, or mitigate with compensating controls
  5. Verify — Rerun audit to confirm fix, update lock files

```bash
python scripts/dependency_auditor.py --file package.json --severity critical --json
```
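
Steps 2 and 3 of the triage workflow as an added example (not the skill's `dependency_auditor.py`): findings from several tools are merged per CVE ID across direct and transitive dependencies, then ranked with the "critical + exploitable + reachable" rule. The record fields, the `schedule-fix` and `track` tiers, and the sample findings with placeholder CVE IDs are assumptions made for the example.

```python
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ACTION_ORDER = {"fix-immediately": 0, "schedule-fix": 1, "track": 2}

# Constructed findings, as if normalised from several audit tools.
# The CVE IDs are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"tool": "npm", "cve": "CVE-0000-0001", "package": "libalpha",
     "severity": "critical", "exploitable": True, "reachable": True, "direct": True},
    {"tool": "sbom", "cve": "CVE-0000-0001", "package": "libalpha",
     "severity": "high", "exploitable": False, "reachable": True, "direct": False},
    {"tool": "pip", "cve": "CVE-0000-0002", "package": "libbeta",
     "severity": "critical", "exploitable": True, "reachable": False, "direct": False},
    {"tool": "pip", "cve": "CVE-0000-0003", "package": "libgamma",
     "severity": "medium", "exploitable": False, "reachable": True, "direct": True},
]


def deduplicate(findings):
    """Step 2: one entry per CVE ID, keeping the worst severity and OR-ing the flags."""
    merged = {}
    for f in findings:
        entry = merged.setdefault(f["cve"], {
            "cve": f["cve"], "packages": set(), "tools": set(), "severity": "low",
            "exploitable": False, "reachable": False, "direct": False})
        entry["packages"].add(f["package"])
        entry["tools"].add(f["tool"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
        for flag in ("exploitable", "reachable", "direct"):
            entry[flag] = entry[flag] or f[flag]
    return list(merged.values())


def prioritize(entries):
    """Step 3: critical + exploitable + reachable is fixed first."""
    for e in entries:
        if e["severity"] == "critical" and e["exploitable"] and e["reachable"]:
            e["action"] = "fix-immediately"
        elif SEVERITY_RANK[e["severity"]] >= SEVERITY_RANK["high"]:
            e["action"] = "schedule-fix"  # assumption: tier not defined on the page
        else:
            e["action"] = "track"         # assumption: tier not defined on the page
    return sorted(entries, key=lambda e: (ACTION_ORDER[e["action"]],
                                          -SEVERITY_RANK[e["severity"]], e["cve"]))


def triage(findings):
    return prioritize(deduplicate(findings))


if __name__ == "__main__":
    for e in triage(SAMPLE_FINDINGS):
        print(e["cve"], e["severity"], e["action"], sorted(e["packages"]))
```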

Secret Scanning

Tools: TruffleHog (git history + filesystem), Gitleaks (regex-based with custom rules).

```bash
# Scan git history for verified secrets
trufflehog git file://. --only-verified --json

# Scan filesystem
trufflehog filesystem . --json
```

**Integration points:** Pre-commit hooks (gitleaks, trufflehog), CI/CD gates (GitHub Actions with `trufflesecurity/trufflehog@main`). Configure `.gitleaks.toml` for custom rules (AWS keys, API keys, private key headers) and allowlists for test fixtures.

---

API Security Testing

Authentication Bypass

  • JWT manipulation: Change `alg` to `none`, RS256-to-HS256 confusion, claim modification (`role: "admin"`, `exp: 9999999999`)
  • Session fixation: Check if session ID changes after authentication

Authorization Flaws

  • IDOR/BOLA: Change resource IDs in every endpoint — test read, update, delete across users
  • BFLA: Regular user tries admin endpoints (expect 403)
  • Mass assignment: Add privileged fields (`role`, `is_admin`) to update requests

Rate Limiting & GraphQL

  • Rate limiting: Rapid-fire requests to auth endpoints; expect 429 after threshold
  • GraphQL: Test introspection (should be disabled in prod), query depth attacks, batch mutations bypassing rate limits
See attack_patterns.md for complete JWT manipulation payloads, IDOR testing methodology, BFLA endpoint lists, GraphQL introspection/depth/batch attack patterns, and rate limiting bypass techniques.

Web Vulnerability Testing

| Vulnerability | Key Tests |
|---|---|
| XSS | Reflected (script/img/svg payloads), Stored (persistent fields), DOM-based (innerHTML + location.hash) |
| CSRF | Replay without token (expect 403), cross-session token replay, check SameSite cookie attribute |
| SQL Injection | Error-based (`' OR 1=1--`), union-based enumeration, time-based blind (`SLEEP(5)`), boolean-based blind |
| SSRF | Internal IPs, cloud metadata endpoints (AWS/GCP/Azure), IPv6/hex/decimal encoding bypasses |
| Path Traversal | `../../../etc/passwd`, URL encoding, double encoding bypasses |

See attack_patterns.md for complete test payloads (XSS filter bypasses, context-specific XSS, SQL injection per database engine, SSRF bypass techniques, and DOM-based XSS source/sink pairs).

Infrastructure Security

Key checks:
  • Cloud storage: S3 bucket public access (`aws s3 ls s3://bucket --no-sign-request`), bucket policies, ACLs
  • HTTP security headers: HSTS, CSP (no `unsafe-inline`/`unsafe-eval`), X-Content-Type-Options, X-Frame-Options, Referrer-Policy
  • TLS configuration: `nmap --script ssl-enum-ciphers -p 443 target.com` or `testssl.sh` — reject TLS 1.0/1.1, RC4, 3DES, export-grade ciphers
  • Port scanning: `nmap -sV target.com` — flag dangerous open ports (FTP/21, Telnet/23, Redis/6379, MongoDB/27017)

Pen Test Report Generation

Generate professional reports from structured findings:

```bash
# Generate markdown report from findings JSON
python scripts/pentest_report_generator.py --findings findings.json --format md --output report.md

# Generate JSON report
python scripts/pentest_report_generator.py --findings findings.json --format json --output report.json
```

Findings JSON Format

```json
[
  {
    "title": "SQL Injection in Login Endpoint",
    "severity": "critical",
    "cvss_score": 9.8,
    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "category": "A03:2021 - Injection",
    "description": "The /api/login endpoint is vulnerable to SQL injection via the email parameter.",
    "evidence": "Request: POST /api/login {\"email\": \"' OR 1=1--\", \"password\": \"x\"}\nResponse: 200 OK with admin session token",
    "impact": "Full database access, authentication bypass, potential remote code execution",
    "remediation": "Use parameterized queries. Replace string concatenation with prepared statements.",
    "references": ["https://cwe.mitre.org/data/definitions/89.html"]
  }
]
```

Report Structure

  1. Executive Summary: Business impact, overall risk level, top 3 findings
  2. Scope: What was tested, what was excluded, testing dates
  3. Methodology: Tools used, testing approach (black/gray/white box)
  4. Findings Table: Sorted by severity with CVSS scores
  5. Detailed Findings: Each with description, evidence, impact, remediation
  6. Remediation Priority Matrix: Effort vs. impact for each fix
  7. Appendix: Raw tool output, full payload lists

Responsible Disclosure Workflow

Responsible disclosure is mandatory for any vulnerability found during authorized testing. Standard timeline: report on day 1, follow up at day 7, status update at day 30, public disclosure at day 90.
Key principles: Never exploit beyond proof of concept, encrypt all communications, do not access real user data, document everything with timestamps.
See responsible_disclosure.md for full disclosure timelines (standard 90-day, accelerated 30-day, extended 120-day), communication templates, legal considerations, bug bounty program integration, and CVE request process.

Workflows

Workflow 1: Quick Security Check (15 Minutes)

For pre-merge reviews or quick health checks:

```bash
# 1. Generate OWASP checklist
python scripts/vulnerability_scanner.py --target web --scope quick

# 2. Scan dependencies
python scripts/dependency_auditor.py --file package.json --severity high

# 3. Check for secrets in recent commits
# (Use gitleaks or trufflehog as described in Secret Scanning section)

# 4. Review HTTP security headers
curl -sI https://target.com | grep -iE "(strict-transport|content-security|x-frame|x-content-type)"
```

**Decision**: If any critical or high findings, block the merge.
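
The header review in step 4, combined with the header checks listed under Infrastructure Security, as an added example (not one of the skill's scripts): it parses `curl -sI` style output and reports headers that are missing or weak, including CSP directives that allow `unsafe-inline` or `unsafe-eval`. The function names and the sample response are constructed for the example.

```python
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options", "referrer-policy")

# Constructed sample of `curl -sI` output for a staging host.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""


def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Return a sorted list of findings for missing or weak security headers."""
    headers = parse_headers(raw)
    findings = [f"missing: {name}" for name in REQUIRED if name not in headers]
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        for unsafe in ("'unsafe-inline'", "'unsafe-eval'"):
            if unsafe in tokens[1:]:
                findings.append(f"weak CSP: {tokens[0]} allows {unsafe}")
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("weak: x-content-type-options is not nosniff")
    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: x-frame-options is not DENY or SAMEORIGIN")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print(finding)
```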

Workflow 2: Full Penetration Test (Multi-Day Assessment)

Day 1 — Reconnaissance:
  1. Map the attack surface: endpoints, authentication flows, third-party integrations
  2. Run automated OWASP checklist (full scope)
  3. Run dependency audit across all manifests
  4. Run secret scan on full git history
Day 2 — Manual Testing:
  1. Test authentication and authorization (IDOR, BOLA, BFLA)
  2. Test injection points (SQLi, XSS, SSRF, command injection)
  3. Test business logic flaws
  4. Test API-specific vulnerabilities (GraphQL, rate limiting, mass assignment)
Day 3 — Infrastructure and Reporting:
  1. Check cloud storage permissions
  2. Verify TLS configuration and security headers
  3. Port scan for unnecessary services
  4. Compile findings into structured JSON
  5. Generate pen test report

```bash
# Generate final report
python scripts/pentest_report_generator.py --findings findings.json --format md --output pentest-report.md
```

Workflow 3: CI/CD Security Gate

Automated security checks on every PR: secret scanning (TruffleHog), dependency audit (`npm audit`, `pip-audit`), SAST (Semgrep with `p/security-audit`, `p/owasp-top-ten`), and security headers check on staging.
Gate Policy: Block merge on critical/high findings. Warn on medium. Log low/info.
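
The gate policy applied to a file in the Findings JSON Format, as an added example (not one of the skill's scripts): each entry is checked for required fields and for a `severity` label that agrees with the CVSS v3.1 rating band of its `cvss_score`, then the worst severity decides block, warn or log. The function names, the fail-closed handling of malformed entries, the mapping of a 0.0 score to `info`, and the second sample finding are assumptions for the example.

```python
import json

REQUIRED_FIELDS = ("title", "severity", "cvss_score", "cvss_vector", "category",
                   "description", "evidence", "impact", "remediation")
GATE = {"critical": "block", "high": "block", "medium": "warn", "low": "log", "info": "log"}

# Constructed findings.json: the first entry abbreviates the page's sample,
# the second is made up to exercise the "warn" path.
SAMPLE = json.dumps([
    {"title": "SQL Injection in Login Endpoint", "severity": "critical",
     "cvss_score": 9.8, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "category": "A03:2021 - Injection", "description": "...", "evidence": "...",
     "impact": "...", "remediation": "..."},
    {"title": "Missing Referrer-Policy header", "severity": "medium",
     "cvss_score": 4.3, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
     "category": "A05:2021 - Security Misconfiguration", "description": "...",
     "evidence": "...", "impact": "...", "remediation": "..."},
])


def cvss_band(score):
    """CVSS v3.1 qualitative rating, or None if the score is not in 0.0-10.0."""
    if not isinstance(score, (int, float)) or not 0 <= score <= 10:
        return None
    if score == 0:
        return "info"  # assumption: CVSS "None" is mapped to the page's "info" level
    for limit, band in ((3.9, "low"), (6.9, "medium"), (8.9, "high")):
        if score <= limit:
            return band
    return "critical"


def validate(finding):
    """Return the problems found in one entry; an empty list means well-formed."""
    problems = [f"missing field: {k}" for k in REQUIRED_FIELDS if k not in finding]
    if not problems and cvss_band(finding["cvss_score"]) != finding["severity"]:
        problems.append("severity does not match cvss_score band")
    return problems


def gate(findings_json):
    """Return (decision, problems); decision is 'block', 'warn', 'log' or 'pass'."""
    findings = json.loads(findings_json)
    problems = [(f.get("title", "?"), p) for f in findings for p in validate(f)]
    if problems:
        return "block", problems  # assumption: malformed findings fail closed
    decisions = {GATE[f["severity"]] for f in findings}
    return next((d for d in ("block", "warn", "log") if d in decisions), "pass"), problems
```

In CI, a wrapper would exit non-zero when the decision is `block` and print the problems list so that a mislabelled finding is corrected rather than silently downgraded.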

Anti-Patterns

  1. Testing in production without authorization — Always get written permission and use staging/test environments when possible
  2. Ignoring low-severity findings — Low findings compound; a chain of lows can become a critical exploit path
  3. Skipping responsible disclosure — Every vulnerability found must be reported through proper channels
  4. Relying solely on automated tools — Tools miss business logic flaws, chained exploits, and novel attack vectors
  5. Testing without a defined scope — Scope creep leads to legal liability; document what is and isn't in scope
  6. Reporting without remediation guidance — Every finding must include actionable remediation steps
  7. Storing evidence insecurely — Pen test evidence (screenshots, payloads, tokens) is sensitive; encrypt and restrict access
  8. One-time testing — Security testing must be continuous; integrate into CI/CD and schedule periodic assessments

Cross-References

| Skill | Relationship |
|---|---|
| senior-secops | Defensive security operations — monitoring, incident response, SIEM configuration |
| senior-security | Security policy and governance — frameworks, risk registers, compliance |
| dependency-auditor | Deep supply chain security — SBOMs, license compliance, transitive risk |
| code-reviewer | Code review practices — includes security review checklist |