web-pentester


Guides authorized web application and API security testing—scoping and rules of engagement, OWASP-oriented testing (injection, auth/session, access control, SSRF, XSS, CSRF, business logic), REST and GraphQL API security, Burp/ZAP-style manual methodology without requiring commercial tools, evidence and remediation reporting, and retest validation. Emphasizes written authorization and safe boundaries. Use for web pentest, OWASP web assessment, web app security test, API pentest, Burp-style testing, XSS or SQL injection testing when authorized—not network/AD/infra pentest (network-pentester), general multi-domain pentest orchestration (penetration-tester), LLM or agent adversarial testing (ai-redteam), enterprise adversary simulation or purple-team campaigns (red-team-specialist), SOC alert triage (soc-analyst), incident command (incident-responder), or CI/CD security gates and SBOM programs (devsecops).

By daemon-blockint-tech. Updated 5/20/2026.


Web Pentester

When to Use

  • Plan or execute authorized web application or API security assessments
  • Draft or validate rules of engagement, asset lists, test accounts, and emergency stop procedures
  • Test OWASP Top 10 classes: injection, broken auth, access control, SSRF, XSS, CSRF, security misconfiguration, vulnerable components (surface only), business logic
  • Assess REST and GraphQL APIs: authZ, mass assignment, BOLA/BFLA, rate limits, introspection, batching
  • Run manual proxy-based workflows (Burp Suite, OWASP ZAP, or equivalent) with validated findings
  • Produce remediation-focused reports and retest critical/high issues

When NOT to Use

  • Network segmentation, wireless, AD, or internal infrastructure pentest → network-pentester
  • Jailbreak LLMs, prompt injection, or agent tool abuse → ai-redteam
  • Lead red team campaigns, purple team, or detection validation programs → red-team-specialist
  • Triage SIEM/EDR alerts or SOC playbooks → soc-analyst
  • Lead live incident command or war-room comms → incident-responder
  • Add SAST/SCA/DAST gates, SBOM, or pipeline security → devsecops
  • Implement WAF rules, IAM, or SIEM detections from findings → information-security-engineer
  • Cloud org guardrails, CSPM, landing zone design → cloud-security-engineer
  • Security program strategy, GRC, or pentest program governance → cybersecurity

Related skills

| Need | Skill |
|---|---|
| Network/AD/infra pentest beyond web/API | network-pentester |
| Multi-domain pentest under one ROE | penetration-tester |
| Red team campaigns, purple team, ATT&CK emulation | red-team-specialist |
| Security program, pentest governance, GRC | cybersecurity |
| Remediate findings (WAF, IdP, SIEM, hardening) | information-security-engineer |
| Cloud control implementation and misconfig fixes | cloud-security-engineer |
| CI/CD and supply-chain security in delivery | devsecops |
| LLM/agent adversarial testing | ai-redteam |
| Front-end auth patterns, CSRF, cookies, CORS context | senior-frontend-software-engineer |
| Customer-facing pentest reports | tech-writer-researcher |

Core Workflows

1. Scope and authorization

Do not test without written authorization.

  1. Confirm signed SOW/ROE: URLs, APIs, environments, methods, windows, contacts
  2. Define out-of-scope (third parties, production PII, DoS unless approved, destructive writes)
  3. Agree severity rubric, evidence handling, and data minimization
  4. Establish emergency stop and escalation path
  5. Prefer staging, dedicated test tenants, or anonymized fixtures

See references/web_pentester_scope.md and references/scoping_and_rules_of_engagement.md.

2. Application mapping and OWASP testing

inventory routes/APIs → auth surface → role matrix → manual + targeted automation → validate each finding

Map unauthenticated, authenticated, and privileged flows. Prioritize state-changing endpoints and multi-step workflows.

See references/owasp_web_testing_methodology.md, references/api_security_testing.md, and references/auth_session_and_access_control.md.
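A role-matrix authorization check of the kind the mapping step calls for, as an added example that is not part of the skill or its references. The endpoints, roles and the `fake_app` authorizer are constructed stand-ins for the application under test (so it runs offline), and the missing ownership check in `fake_app` is deliberate so the matrix has something to report.

```python
ROLES = ("anon", "user", "admin")

# Expected policy per endpoint. "any": role may touch any record;
# "owner": role may touch only its own record (the BOLA case).
ENDPOINTS = {
    "GET /api/users/{id}": {"user": "owner", "admin": "any"},
    "DELETE /api/users/{id}": {"admin": "any"},
    "GET /api/health": {"anon": "any", "user": "any", "admin": "any"},
}

def expected_status(endpoint, role, caller_id, target_id):
    """Status the policy says this (role, record) combination should get."""
    policy = ENDPOINTS[endpoint].get(role)
    if policy is None:
        return 401 if role == "anon" else 403
    if policy == "owner" and caller_id != target_id:
        return 403
    return 200

def fake_app(endpoint, role, caller_id, target_id):
    """Constructed stand-in for the target. Its one flaw: the GET handler
    checks that a session exists but never compares caller_id to target_id."""
    if endpoint == "GET /api/health":
        return 200
    if role == "anon":
        return 401
    if endpoint == "GET /api/users/{id}":
        return 200  # should be 403 when caller_id != target_id
    if endpoint == "DELETE /api/users/{id}":
        return 200 if role == "admin" else 403
    return 404

def run_matrix(app):
    """Try every endpoint x role on the caller's own record (1, 1) and on
    another user's record (1, 2); report access the policy forbids."""
    findings = []
    for endpoint in ENDPOINTS:
        for role in ROLES:
            for caller_id, target_id in ((1, 1), (1, 2)):
                expected = expected_status(endpoint, role, caller_id, target_id)
                observed = app(endpoint, role, caller_id, target_id)
                if observed < 400 <= expected:
                    findings.append({
                        "title": "Access control bypass", "endpoint": endpoint,
                        "role": role, "expected": expected, "observed": observed,
                        "precondition": f"session as user {caller_id}, target id {target_id}",
                    })
    return findings
```

Each finding records the precondition (role, session identity, target id) that step 3 asks for, so it can be reproduced and retested against the same matrix after the fix.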

3. Exploitation discipline (in scope only)

  • Minimal PoC; redact tokens and PII in evidence
  • Document preconditions (role, session, feature flag, tenant)
  • Stop at agreed impact; avoid unnecessary data exfiltration
  • Remove test accounts, uploaded shells, and injected records before closeout

4. Reporting, remediation, and retest

Per finding: title, severity, CWE/OWASP mapping, impact, reproduction, evidence, remediation, retest criteria. Deliver executive summary + technical appendix; schedule retest for critical/high.

See references/reporting_retest_safe_practices.md.

When to load references

| Topic | Reference |
|---|---|
| Role boundaries | references/web_pentester_scope.md |
| Authorization and ROE | references/scoping_and_rules_of_engagement.md |
| OWASP web methodology | references/owasp_web_testing_methodology.md |
| REST/GraphQL API testing | references/api_security_testing.md |
| Auth, session, access control | references/auth_session_and_access_control.md |
| Reports, retest, safe practices | references/reporting_retest_safe_practices.md |

Install via CLI

npx skills add https://github.com/daemon-blockint-tech/Agentic-Enteprises-Skill --skill web-pentester

Repository Details

  • Stars: 2
  • Forks: 0
  • Branch: main
  • Path: SKILL.md