Pentest Methodology

Etik guvenlik testi metodolojisi. Shannon framework'unden adapte.

ONEMLI: Bu skill sadece YETKILI guvenlik testleri icin kullanilir. Bug bounty, pentest anlasmasi, veya kendi sisteminiz olmali.

5-Faz Pipeline

Phase 1: Recon ──▶ Phase 2: Vuln Analysis ──▶ Phase 3: Exploitation
                                                        │
Phase 5: Report ◀── Phase 4: Verification ◀────────────┘

Phase 1: Reconnaissance (Kesfetme)

Adim	Arac/Yontem	Cikti
Subdomain enum	DNS brute, certificate transparency	Subdomain listesi
Port scan	nmap, masscan	Acik portlar
Tech stack	Wappalyzer, HTTP headers	Teknoloji listesi
Directory enum	ffuf, gobuster	Endpoint listesi
API discovery	Swagger/OpenAPI, sitemap	API endpoint'leri
Source review	JS dosyalari, comments	Hardcoded info

Phase 2: Vulnerability Analysis

OWASP Top 10 kontrol matrisi:

#	Vuln	Test Yontemi
A01	Broken Access Control	IDOR, privilege escalation, path traversal
A02	Cryptographic Failures	SSL config, weak ciphers, plaintext storage
A03	Injection	SQLi, XSS, command injection, template injection
A04	Insecure Design	Business logic flaws, race conditions
A05	Security Misconfiguration	Default creds, verbose errors, CORS
A06	Vulnerable Components	CVE scan, outdated dependencies
A07	Auth Failures	Brute force, session fixation, JWT attacks
A08	Data Integrity	Deserialization, CI/CD pipeline attacks
A09	Logging Failures	Log injection, insufficient audit trail
A10	SSRF	Internal service access, cloud metadata

Phase 3: Exploitation (Dogrulama)

Her bulgu icin:

1. Reproduce: Tekrarlanabilir adimlar yaz
2. Proof: Etkiyi goster (ekran goruntusu, response)
3. Impact: Gercek etki ne? (Data leak, RCE, account takeover)
4. Scope: Etki alani ne kadar genis?

Phase 4: Verification

Bulgunun gercek oldugunu dogrula:

• False positive degil mi? Farkli kosullarda tekrarla
• Scope dogru mu? Sadece bir endpoint mi, yoksa sistemik mi?
• Severity dogru mu? Etkiyi abartma, kucumseme

Phase 5: Report

Yapilandirilmis bulgu formati (asagida)

Proof Levels

Level	Tanim	Ornek
L1 - Theoretical	Potansiyel risk, exploit edilmemis	"Bu endpoint input validate etmiyor"
L2 - Demonstrated	Bypass/leak gosterildi	"SQL injection ile hata mesaji leak etti"
L3 - Exploited	Tam exploit, veri erisimi	"Admin panel'e yetkisiz erisim saglandi"
L4 - Chained	Birden fazla vuln zincirlendi	"XSS + CSRF = Account takeover"

Structured Finding Format

## [SEVERITY] Finding Title

**ID**: FINDING-001
**Severity**: Critical / High / Medium / Low / Informational
**Proof Level**: L1 / L2 / L3 / L4
**CVSS**: X.X (hesapla: cvss.org)
**CWE**: CWE-XXX

### Description
Ne bulundu, tek paragraf.

### Impact
Exploit edilirse ne olur?

### Steps to Reproduce
1. [Adim 1]
2. [Adim 2]
3. [Adim 3]

### Proof
[Screenshot, HTTP request/response, veya kod]

### Remediation
Nasil duzeltilir?

### References
- [OWASP link]
- [CWE link]

Source-to-Sink Taint Tracing

Kullanici input'unun tehlikeli bir fonksiyona ulasip ulasamadigini kontrol et:

Source (Input)        ──▶  Transform/Sanitize?  ──▶  Sink (Tehlikeli fonksiyon)
req.body.username     ──▶  Validation var mi?    ──▶  db.query(...)
req.query.redirect    ──▶  URL whitelist var mi?  ──▶  res.redirect(...)
req.headers.host      ──▶  Sanitize var mi?      ──▶  fetch(...)

Source'lar: req.body, req.query, req.params, req.headers, cookies, file uploads Sink'ler: SQL query, eval(), exec(), redirect(), innerHTML, dangerouslySetInnerHTML

Agent Entegrasyonu

• security-analyst: Bu pipeline'i kullanarak tam guvenlik auditi yapar
• security-reviewer: Code review sirasinda vuln pattern'lerini kontrol eder
• code-reviewer: Security-relevant code degisikliklerinde flag kaldirir

Kurallar

• Yetki olmadan test YAPMA
• Rate limiting'e uy, sistemi cokertme
• Buldugun seyi raporla, exploit etme (beyond PoC)
• Hassas verileri rapordan cikar (maskeleme)
• Remediation onerisi ZORUNLU