Pentesting Checklist Matrix — Quick Reference

✅ = Fully Covered | ⚠️ = Partially Covered | ❌ = Not Covered

1. PRE-ENGAGEMENT & RECONNAISSANCE (85%)

Check	Status	Module	Command
Subdomain enumeration	✅	recon_scanner	`python run_scan.py --reconnaissance`
DNS enumeration	✅	recon_scanner	`python run_scan.py --reconnaissance`
WHOIS lookup	❌	-	Manual
SSL certificate analysis	⚠️	tls_checker	`python run_scan.py`
Technology fingerprinting	✅	recon_scanner	`python run_scan.py --reconnaissance`
WAF/CDN detection	✅	recon_scanner	`python run_scan.py --reconnaissance`
robots.txt analysis	✅	recon_scanner	`python run_scan.py --reconnaissance`
sitemap.xml parsing	✅	recon_scanner	`python run_scan.py --reconnaissance`
Email harvesting	✅	recon_scanner	`python run_scan.py --reconnaissance`
Shodan/Censys search	❌	-	Manual

2. CONFIGURATION & DEPLOYMENT (90%)

Check	Status	Module	Command
.git repository exposure	✅	recon_scanner	`python run_scan.py --reconnaissance`
.svn exposure	✅	recon_scanner	`python run_scan.py --reconnaissance`
Backup file discovery	✅	recon_scanner	`python run_scan.py --reconnaissance`
Directory listing	✅	web_scanner	`python run_scan.py`
Debug files exposed	✅	recon_scanner	`python run_scan.py --reconnaissance`
Docker files exposed	✅	recon_scanner	`python run_scan.py --reconnaissance`
CI/CD configs exposed	✅	recon_scanner	`python run_scan.py --reconnaissance`
Security headers	✅	header_checker	`python run_scan.py`
HSTS configuration	✅	header_checker	`python run_scan.py`
CSP policy	✅	header_checker	`python run_scan.py`
Cookie security	✅	header_checker	`python run_scan.py`
CORS misconfiguration	✅	advanced_scanner	`python run_scan.py --advanced`
TLS/SSL configuration	✅	tls_checker	`python run_scan.py`
Weak protocols (SSLv3, TLS 1.0)	✅	tls_checker	`python run_scan.py`
Certificate validation	✅	tls_checker	`python run_scan.py`
HTTP methods (PUT, DELETE)	✅	api_checker	`python run_scan.py`
Admin panel discovery	✅	advanced_scanner	`python run_scan.py --advanced`
Error message disclosure	✅	web_scanner	`python run_scan.py`

3. IDENTITY & ACCESS MANAGEMENT (75%)

Check	Status	Module	Command
Authentication bypass	✅	advanced_scanner	`python run_scan.py --advanced`
Broken authentication	✅	advanced_scanner	`python run_scan.py --advanced`
Password policy testing	❌	-	Manual
Account enumeration	❌	-	Manual
Brute force protection	⚠️	advanced_scanner	`python run_scan.py --advanced`
Session cookie security	✅	advanced_scanner	`python run_scan.py --advanced`
Session ID strength	✅	advanced_scanner	`python run_scan.py --advanced`
Session timeout	❌	-	Manual
Session fixation	⚠️	advanced_scanner	`python run_scan.py --advanced`
JWT 'none' algorithm	✅	advanced_scanner	`python run_scan.py --advanced`
JWT algorithm confusion	✅	advanced_scanner	`python run_scan.py --advanced`
JWT sensitive data	✅	advanced_scanner	`python run_scan.py --advanced`
IDOR vulnerabilities	✅	deep_scanner	`python run_scan.py --deep-scan`
Horizontal privilege escalation	✅	deep_scanner	`python run_scan.py --deep-scan`
Vertical privilege escalation	❌	-	Manual
OAuth/SAML testing	❌	-	Manual
Multi-factor authentication	❌	-	Manual
Password reset flow	❌	-	Manual

4. INPUT VALIDATION & INJECTION (95%)

Check	Status	Module	Command
Error-based SQL injection	✅	injection_detector	`python run_scan.py`
Boolean-based blind SQLi	✅	injection_detector	`python run_scan.py`
Union-based SQLi	✅	injection_detector	`python run_scan.py`
Time-based blind SQLi	❌	-	Manual
Reflected XSS	✅	injection_detector	`python run_scan.py`
Stored XSS	✅	injection_detector	`python run_scan.py`
DOM-based XSS	⚠️	injection_detector	`python run_scan.py`
Command injection	✅	injection_detector	`python run_scan.py`
XXE injection	✅	deep_scanner	`python run_scan.py --deep-scan`
SSRF (AWS metadata)	✅	deep_scanner	`python run_scan.py --deep-scan`
SSRF (localhost)	✅	deep_scanner	`python run_scan.py --deep-scan`
SSRF (file://)	✅	deep_scanner	`python run_scan.py --deep-scan`
Path traversal	✅	deep_scanner	`python run_scan.py --deep-scan`
Local file inclusion	✅	deep_scanner	`python run_scan.py --deep-scan`
LDAP injection	⚠️	injection_detector	`python run_scan.py`
Template injection (SSTI)	❌	-	Manual
NoSQL injection	❌	-	Manual
CSV injection	❌	-	Manual
XPath injection	❌	-	Manual

5. BUSINESS LOGIC & ERROR HANDLING (60%)

Check	Status	Module	Command
Race conditions	⚠️	advanced_scanner	`python run_scan.py --advanced`
Mass assignment	✅	advanced_scanner	`python run_scan.py --advanced`
Parameter pollution	✅	deep_scanner	`python run_scan.py --deep-scan`
Error message disclosure	✅	web_scanner	`python run_scan.py`
Stack trace exposure	✅	web_scanner	`python run_scan.py`
Business logic flaws	❌	-	Manual
Workflow bypass	❌	-	Manual
Price manipulation	❌	-	Manual
TOCTOU vulnerabilities	❌	-	Manual

6. WORDPRESS PENTESTING (85%)

Check	Status	Module	Command
Version disclosure	✅	wordpress_checker	`python run_scan.py`
User enumeration (REST API)	✅	wordpress_checker	`python run_scan.py`
User enumeration (XML-RPC)	✅	wordpress_checker	`python run_scan.py`
XML-RPC enabled	✅	wordpress_checker	`python run_scan.py`
XML-RPC pingback	✅	wordpress_checker	`python run_scan.py`
XML-RPC multicall	✅	wordpress_checker	`python run_scan.py`
REST API exposure	✅	wordpress_checker	`python run_scan.py`
debug.log accessible	✅	wordpress_checker	`python run_scan.py`
wp-config.php backup	✅	wordpress_checker	`python run_scan.py`
readme.html disclosure	✅	wordpress_checker	`python run_scan.py`
Theme/plugin detection	✅	wordpress_checker	`python run_scan.py`
WPScan database lookup	❌	-	Manual (wpscan --api-token)
Timthumb vulnerability	❌	-	Manual
File upload vulnerabilities	❌	-	Manual

7. REST API PENTESTING (80%)

Check	Status	Module	Command
Swagger/OpenAPI exposure	✅	api_checker	`python run_scan.py`
GraphQL introspection	✅	advanced_scanner	`python run_scan.py --advanced`
GraphQL query depth	✅	advanced_scanner	`python run_scan.py --advanced`
GraphQL batch attacks	✅	advanced_scanner	`python run_scan.py --advanced`
API versioning	✅	api_checker	`python run_scan.py`
JWT vulnerabilities	✅	advanced_scanner	`python run_scan.py --advanced`
API key exposure	✅	recon_scanner	`python run_scan.py --reconnaissance`
IDOR in API	✅	deep_scanner	`python run_scan.py --deep-scan`
BOLA (Broken Object-Level Auth)	✅	deep_scanner	`python run_scan.py --deep-scan`
Mass assignment	✅	advanced_scanner	`python run_scan.py --advanced`
Rate limiting	✅	advanced_scanner	`python run_scan.py --advanced`
OAuth misconfigurations	❌	-	Manual
API schema validation	❌	-	Manual
Excessive data exposure	❌	-	Manual

8. AWS & AZURE CLOUD (75%)

Check	Status	Module	Command
AWS
S3 bucket public access	✅	cloud_scanner	`python run_scan.py --cloud`
S3 bucket listing	✅	cloud_scanner	`python run_scan.py --cloud`
S3 bucket ACL	✅	cloud_scanner	`python run_scan.py --cloud`
EC2 metadata endpoint	✅	cloud_scanner	`python run_scan.py --cloud`
IAM credentials exposure	✅	cloud_scanner	`python run_scan.py --cloud`
Lambda misconfigurations	✅	cloud_scanner	`python run_scan.py --cloud`
API Gateway endpoints	✅	cloud_scanner	`python run_scan.py --cloud`
CloudFront misconfigurations	❌	-	Manual (Prowler)
EBS snapshots	❌	-	Manual (Prowler)
RDS snapshots	❌	-	Manual (Prowler)
CloudTrail logs	❌	-	Manual (Prowler)
Azure
Blob Storage public access	✅	cloud_scanner	`python run_scan.py --cloud`
Storage container enumeration	✅	cloud_scanner	`python run_scan.py --cloud`
Azure metadata endpoint	✅	cloud_scanner	`python run_scan.py --cloud`
Azure Function URLs	✅	cloud_scanner	`python run_scan.py --cloud`
Azure Key Vault exposure	❌	-	Manual (Scout Suite)
Azure SQL databases	❌	-	Manual (Scout Suite)
GCP
GCS bucket misconfiguration	✅	cloud_scanner	`python run_scan.py --cloud`
GCS bucket enumeration	✅	cloud_scanner	`python run_scan.py --cloud`
GCP metadata endpoint	✅	cloud_scanner	`python run_scan.py --cloud`
Cloud Functions exposure	✅	cloud_scanner	`python run_scan.py --cloud`
GCP service accounts	❌	-	Manual (Scout Suite)
Containers
Docker API exposed	✅	cloud_scanner	`python run_scan.py --cloud`
Kubernetes API accessible	✅	cloud_scanner	`python run_scan.py --cloud`
Container escape risks	✅	cloud_scanner	`python run_scan.py --cloud`
Environment variables exposed	✅	cloud_scanner	`python run_scan.py --cloud`
Docker registry exposure	❌	-	Manual
Kubernetes RBAC	❌	-	Manual (kube-hunter)

ADDITIONAL CHECKS

Check	Status	Module	Command
Open redirect	✅	deep_scanner	`python run_scan.py --deep-scan`
CSRF protection	✅	deep_scanner	`python run_scan.py --deep-scan`
Clickjacking protection	✅	deep_scanner	`python run_scan.py --deep-scan`
Host header injection	✅	deep_scanner	`python run_scan.py --deep-scan`
Insecure deserialization	✅	advanced_scanner	`python run_scan.py --advanced`
Weak cryptography	✅	advanced_scanner	`python run_scan.py --advanced`

SUMMARY BY COVERAGE

Category	Coverage	Covered	Partial	Missing
Pre-engagement & Recon	85%	8	1	1
Configuration & Deployment	90%	17	0	1
Identity & Access Mgmt	75%	11	2	5
Input Validation & Injection	95%	16	2	3
Business Logic	60%	4	1	4
WordPress Pentesting	85%	11	0	3
REST API Pentesting	80%	11	0	3
AWS & Azure Cloud	75%	18	0	8
TOTAL	81%	96	6	28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pentesting Checklist Matrix — Quick Reference

✅ = Fully Covered | ⚠️ = Partially Covered | ❌ = Not Covered

1. PRE-ENGAGEMENT & RECONNAISSANCE (85%)

2. CONFIGURATION & DEPLOYMENT (90%)

3. IDENTITY & ACCESS MANAGEMENT (75%)

4. INPUT VALIDATION & INJECTION (95%)

5. BUSINESS LOGIC & ERROR HANDLING (60%)

6. WORDPRESS PENTESTING (85%)

7. REST API PENTESTING (80%)

8. AWS & AZURE CLOUD (75%)

ADDITIONAL CHECKS

SUMMARY BY COVERAGE

FilesExpand file tree

CHECKLIST_MATRIX.md

Latest commit

History

CHECKLIST_MATRIX.md

File metadata and controls

Pentesting Checklist Matrix — Quick Reference

✅ = Fully Covered | ⚠️ = Partially Covered | ❌ = Not Covered

1. PRE-ENGAGEMENT & RECONNAISSANCE (85%)

2. CONFIGURATION & DEPLOYMENT (90%)

3. IDENTITY & ACCESS MANAGEMENT (75%)

4. INPUT VALIDATION & INJECTION (95%)

5. BUSINESS LOGIC & ERROR HANDLING (60%)

6. WORDPRESS PENTESTING (85%)

7. REST API PENTESTING (80%)

8. AWS & AZURE CLOUD (75%)

ADDITIONAL CHECKS

SUMMARY BY COVERAGE