Adds optional-skills/security/web-pentest/ — an authorized web app penetration testing skill adapted from Shannon's methodology (concepts only; AGPL-clean fresh implementation). Phased: recon (read-only) → vuln analysis (delegate_task per OWASP class) → proof-based exploitation → report. Guardrails baked in: - Authorization gate before first active scan (templates/authorization.md) - Scope allowlist (scope.txt) consulted by recon-scan.sh and documented as the rule for every active request - Aux-client leakage warning (compression + title gen replay history; payloads/creds must not enter chat verbatim) - Bypass-exhaustion discipline before false-positive classification - L3/L4 (proof-required) for reportable findings; L1/L2 listed as candidates only Closes #400. Supersedes #21845 (plugin-shaped proposal; skill-shaped is cheaper and matches the existing optional-skills/security/ pattern).
4.6 KiB
4.6 KiB
Penetration Test Report
Target: <name + URL> Engagement ID: Engagement window: – Operator: Tester: Hermes Agent + operator Report generated: <ISO 8601 timestamp>
Executive Summary
<2-4 paragraph plain-language summary. Focus on:
- What was tested
- What was found (count by severity)
- Most critical finding in one sentence
- High-level remediation recommendation>
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 0 |
| Info | 0 |
Engagement Scope
In-scope targets (from engagement/scope.txt):
Out of scope: see engagement/authorization.md.
Authorization basis: see engagement/authorization.md.
Methodology
Approach was based on the Hermes web-pentest skill (a Hermes Agent
adaptation of the OWASP Testing Guide with elements of Shannon's
proof-based methodology). Phases performed:
- Pre-recon (source code review)
- Recon (live, read-only)
- Vulnerability analysis (one queue per OWASP class)
- Exploitation (proof-based)
- Reporting
Tools used: <nmap, whatweb, curl, Hermes browser tool, ...>.
Findings (L3/L4 — Verified Exploitable)
Every finding in this section has a reproducible proof-of-concept. L1/L2 candidates that were not promoted to confirmed exploitation are listed in the "Not Exploited" section.