Penetration Testing Notes
by @pitchinnate · 🔐 Security · 17d ago
Structured pentest methodology for web apps. Covers recon, auth testing, session management, and reporting.
# CLAUDE.md — Penetration Testing Methodology

## Scope Confirmation (Before Starting)

- Written authorisation from asset owner — always
- Scope: which domains/IPs are in scope?
- Out of scope: production databases, DoS techniques, social engineering?
- Emergency contact and escalation procedure

## Reconnaissance

- Passive: Shodan, Certificate Transparency logs, DNS enumeration, LinkedIn
- Active (authorised scope only): port scan (nmap), HTTP fingerprinting, tech stack ID

## Authentication Testing

- Account enumeration via login response differences
- Brute-force protection (rate limiting, lockout)
- Password policy enforcement
- MFA bypass attempts
- Password reset flow (token entropy, expiry, re-use)

## Session Management

- Token entropy and predictability
- Cookie attributes: HttpOnly, Secure, SameSite=Strict
- Session fixation
- Logout invalidates server-side session

## Reporting Format (per finding)

- **Title**: concise description
- **Severity**: Critical / High / Medium / Low / Informational
- **CVSS score**: base score with vector string
- **Description**: what is the vulnerability?
- **Proof of concept**: exact steps to reproduce
- **Impact**: what can an attacker achieve?
- **Remediation**: specific fix recommendation
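As an added example (not part of the original notes), the following script turns the Session Management cookie-attribute checklist above into an automated audit of `Set-Cookie` headers: it flags any cookie missing HttpOnly or Secure, or whose SameSite value is weaker than Strict. The sample headers are constructed; in practice they would be read from the authorised target's login response.

```python
# Added example: audit Set-Cookie headers against the session-cookie checklist
# (HttpOnly, Secure, SameSite=Strict). Sample headers below are constructed.
from typing import Dict, List, Tuple

# Attribute names are compared case-insensitively, as browsers treat them.
REQUIRED_FLAGS = ("HttpOnly", "Secure")
REQUIRED_SAMESITE = "Strict"


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the missing or weak attributes for a single Set-Cookie header."""
    _, attrs = parse_set_cookie(header)
    problems = [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
    samesite = attrs.get("samesite", "")
    if samesite.lower() != REQUIRED_SAMESITE.lower():
        # An absent SameSite and a weaker value (Lax/None) are both reported.
        problems.append(f"SameSite={REQUIRED_SAMESITE}")
    return problems


def audit_response(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header; only cookies with problems are returned."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, _ = parse_set_cookie(header)
        problems = audit_set_cookie(header)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample headers, as they might appear in a login response.
SAMPLE_HEADERS = [
    "SESSIONID=k3Jd9xQ2; Path=/; HttpOnly; Secure; SameSite=Strict",
    "legacy_sid=7f3a; Path=/; Secure; SameSite=Lax",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, problems in audit_response(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(problems)}")
```

Each flagged cookie maps directly onto a reportable finding in the format above, with the missing attribute as the remediation.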
submitted March 17, 2026