m14r41/PentestingChecklist

PentestingChecklist

A practical, interactive security assessment checklist for penetration testers, security researchers, bug bounty hunters, and security engineers — covering 23 platforms with 1,000+ checks. It is a checklist you operate, not just docs you read.

Static, in-browser, and private: everything runs client-side with no login, no backend, no database, and no telemetry. Your progress, notes, and findings live in localStorage and never leave your machine.

Use it at checklist.m14r41.in.

Supported platforms

The checklist spans 23 assessment platforms. Each has its own dashboard page, and the all-platforms view lives at /checklist.

| Platform | What it covers |
| --- | --- |
| Web Application | Authentication, sessions, access control, injection, business logic, and configuration testing of modern web apps. |
| API | OWASP API Security Top 10 (2023): object- and function-level authorization, authentication, resource consumption, SSRF, and inventory management. REST & GraphQL. |
| Mobile | OWASP MASVS / Mobile Top 10: insecure storage, transport security, secrets, platform interaction, and reverse-engineering resilience (iOS & Android). |
| Thick Client | Local data storage, inter-process communication, traffic interception, DLL/binary protections, and privilege handling for desktop & native apps. |
| Secure Code Review | Source-level discovery: dangerous sinks, injection patterns, authn/authz flaws, secrets, and insecure dependencies across major languages. |
| Cloud | IAM, exposed storage, instance-metadata SSRF, logging, and common misconfigurations across AWS, Azure, and GCP. |
| DevSecOps | Security across the SDLC: SAST/DAST/SCA gates, secrets management, supply-chain controls, and policy-as-code. |
| Network | Infrastructure assessment: host discovery, service enumeration, exposed management interfaces, and transport hardening. |
| Wi-Fi | Wireless assessment: WPA2/WPA3 encryption and authentication, rogue/evil-twin APs, PMKID/handshake attacks, and client isolation. |
| Firewall | Perimeter testing: ruleset review, egress filtering, segmentation validation, and evasion of filtering controls. |
| Active Directory | Enumeration, Kerberos attacks (Kerberoasting, AS-REP), ACL abuse, delegation, lateral movement, and privilege escalation to domain dominance. |
| Infrastructure | Host and OS hardening, patch posture, exposed services, build review, and configuration baselines. |
| MCP Security | Model Context Protocol servers and tools: tool poisoning, prompt injection via tool output, authz scoping, and unsafe capability exposure. |
| LLM Security | OWASP LLM Top 10: prompt injection, insecure output handling, data leakage, excessive agency, and model DoS. |
| Threat Modeling | Asset and trust-boundary mapping, STRIDE/attack-tree analysis, abuse cases, and mitigation tracking. |
| Configuration Review | Hardening review against CIS-style baselines: services, permissions, logging, secrets handling, and default-credential exposure. |
| Containers & Kubernetes | Image hygiene, privileged containers and escapes, RBAC, network policies, secrets, and admission control. |
| CI/CD | Pipeline and supply-chain attacks: poisoned pipeline execution, secret exfiltration, runner compromise, dependency confusion, and artifact integrity. |
| IoT | Firmware extraction and analysis, hardware/UART/JTAG interfaces, insecure protocols, and cloud/companion-app integration. |
| Blockchain | Smart-contract and Web3 assessment: reentrancy, access control, oracle and arithmetic flaws, signature replay, and front-end risks. |
| Phishing | Social-engineering campaigns: pretext and infrastructure setup, payload and landing-page design, evasion, and reporting metrics. |
| OSINT | Open-source intelligence: domain and infrastructure footprinting, employee and credential exposure, code and document leakage, and exposed assets. |
| Forensics | Digital forensics and incident response: sound evidence acquisition, disk/memory/network analysis, timeline reconstruction, and chain of custody. |

Features

  • Hierarchical checklist — content is organised in four levels, Platform → Category → Technology → Check, so the tool works like a real assessment framework rather than a flat list. Expand/collapse categories and technologies, with item counts on every section and one-click Expand all / Collapse all.
  • Global search — press ⌘K / Ctrl+K from any page to search across platforms, categories, technologies, checks, descriptions, tags, tools, and references. Selecting a result jumps to it, auto-expands the right sections, and highlights the item.
  • Assessment progress tracking — overall completion plus per-platform and per-category progress, persisted in the browser.
  • Per-finding status — mark each check Open, Closed, or N/A so you can review every Open finding at the end of an assessment.
  • Per-check notes — record payloads, request IDs, and evidence against any check; notes persist in the browser and export with your report.
  • Severity badges & filters — every check carries a severity (critical → info); filter the view to focus on what matters first.
  • Export / import — export your assessment to Markdown, CSV, Excel (.xlsx), or JSON; re-import JSON to resume where you left off.
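As an added illustration of the model the feature list describes (this is not the project's code, and the data shapes, function names and sample checks below are assumptions), here is a minimal implementation of the four-level hierarchy, per-check status and notes, per-platform progress, a severity filter over Open findings, and a JSON export/import round-trip. The real tool keeps this state in localStorage; the example keeps it in plain objects so it runs anywhere, and it validates imported JSON so a truncated or hand-edited export cannot corrupt the assessment state.

```javascript
// Added example, not the PentestingChecklist project's own code.
// Data shapes, function names and the sample checks are assumptions.

const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
const VALID_STATUS = new Set(["open", "closed", "na"]);

// Constructed sample: Platform -> Category -> Technology -> Check.
const checklist = {
  platforms: [{
    id: "web", name: "Web Application",
    categories: [{
      id: "authn", name: "Authentication",
      technologies: [{
        id: "session", name: "Session management",
        checks: [
          { id: "web-authn-session-1", title: "Session cookie carries Secure and HttpOnly", severity: "high" },
          { id: "web-authn-session-2", title: "Session ID rotated after login", severity: "medium" },
          { id: "web-authn-session-3", title: "Logout invalidates the server-side session", severity: "info" },
        ],
      }],
    }],
  }],
};

// Flatten the hierarchy into checks annotated with their path.
function allChecks(data) {
  const out = [];
  for (const p of data.platforms)
    for (const c of p.categories)
      for (const t of c.technologies)
        for (const chk of t.checks)
          out.push({ ...chk, platform: p.id, category: c.id, technology: t.id });
  return out;
}

// Assessment state: one status per check (default "open") plus free-text notes.
function newState() { return { status: {}, notes: {} }; }
function setStatus(state, checkId, status) {
  if (!VALID_STATUS.has(status)) throw new Error(`invalid status: ${status}`);
  state.status[checkId] = status;
}
function addNote(state, checkId, text) { state.notes[checkId] = text; }

// Progress per platform: a check counts as done once it is closed or N/A.
function progress(data, state) {
  const result = {};
  for (const chk of allChecks(data)) {
    if (!result[chk.platform]) result[chk.platform] = { total: 0, done: 0 };
    const r = result[chk.platform];
    r.total++;
    if ((state.status[chk.id] || "open") !== "open") r.done++;
  }
  for (const r of Object.values(result)) r.percent = Math.round((100 * r.done) / r.total);
  return result;
}

// Open findings at or above a severity threshold, highest severity first.
function openFindings(data, state, minSeverity = "info") {
  return allChecks(data)
    .filter(c => (state.status[c.id] || "open") === "open"
              && SEVERITY_RANK[c.severity] >= SEVERITY_RANK[minSeverity])
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Export only the assessment state (not the checklist content); on import,
// reject unknown formats and drop any status value that is not recognised.
function exportJSON(state) { return JSON.stringify({ version: 1, ...state }); }
function importJSON(text) {
  const parsed = JSON.parse(text);
  if (parsed.version !== 1 || typeof parsed.status !== "object" || parsed.status === null)
    throw new Error("unrecognised export format");
  const state = newState();
  for (const [id, s] of Object.entries(parsed.status)) if (VALID_STATUS.has(s)) state.status[id] = s;
  for (const [id, n] of Object.entries(parsed.notes || {})) if (typeof n === "string") state.notes[id] = n;
  return state;
}

// Walk through an assessment and resume it from its own export.
function demo() {
  const state = newState();
  setStatus(state, "web-authn-session-1", "closed");
  setStatus(state, "web-authn-session-3", "na");
  addNote(state, "web-authn-session-2", "request 4711: Set-Cookie unchanged after POST /login"); // constructed note
  const restored = importJSON(exportJSON(state));
  return { progress: progress(checklist, restored), open: openFindings(checklist, restored, "medium") };
}
```

Running `demo()` reports the web platform at 2 of 3 checks done (67%) and leaves exactly one Open finding at medium severity or above, the note surviving the export/import round-trip. Separating state from content is what makes the import safe: a tampered file can at most mark checks, never inject new checklist items.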

Author

Built and maintained by m14r41 (GitHub · LinkedIn).

If this is useful, please star the repo on GitHub.

Feedback & bug reports

Bug reports and feedback are welcome via GitHub Issues. This is a personal project, though, so code contributions are not accepted — no pull requests, and no forks for redistribution (see the license).

License

Released under a Personal Use Only license — personal, non-commercial use only; no redistribution, resale, or SaaS/hosting. The checklist content references public standards (OWASP, etc.); those remain under their respective licenses.

Commercial use — including paid, subscription, or hosted/SaaS offerings — requires a separate commercial license. Contact the author at m14r41.in.

About

Comprehensive, data-driven security assessment checklists across 23 platforms: web, API, mobile, cloud, Active Directory, Kubernetes, LLM, and more. Expandable hierarchy, global search, progress tracking, export.
