client-side-pentest

Perform a thorough client-side / browser-facing security assessment of a target web application. Use this skill whenever the user asks to pentest, audit, or review the security of a website or web app from the browser/frontend perspective, mentions client-side vulnerabilities (XSS, CORS, open redirect, clickjacking, prototype pollution, JWT leakage, source maps, etc.), wants to find sensitive data exposed in JavaScript bundles or client code, or asks for a security report on front-end attack surface. Trigger even if the user just says "test the security of this site", "find vulnerabilities in this web app", or "run a pentest on the frontend".

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "client-side-pentest" with this command: npx skills add enderphan94/web-front-scanner

Client-Side / Front-End Security Assessment

A skill for conducting thorough, non-destructive client-side security reviews of web applications, producing a structured Markdown report covering all major browser-facing attack surface categories.

Setup: Fill in Before Starting

Before executing, confirm these values with the user if not already provided:

VariableDescription
TARGETPrimary target URL
LOGINLogin URL or credentials (if authenticated testing is in scope)
CRED_AREASCredential areas needing extra attention
TOOLS_DIRPath to any custom tools folder
SCOPEClient-side and front-end only (unless user explicitly extends)

Authorization & Safety Constraints

  • This assessment is authorized by the asset owner
  • Non-destructive only — no DoS, brute force, spam, mass account creation, credential attacks
  • Keep request volume moderate; avoid noisy scans unless the user explicitly approves
  • Prefer passive analysis first, then low-risk validation
  • Only attempt proof-of-concept when necessary to confirm a finding
  • Never exceed the defined scope without explicit user approval

Mission

Identify the following across the client-side attack surface:

  1. Vulnerable / outdated client-side dependencies (JS libraries, third-party scripts)
  2. Sensitive information exposed in client-side assets (keys, tokens, internal endpoints, configs, source maps)
  3. Client-side vulnerabilities — see full checklist below

Vulnerability Checklist

Cover all of the following (mark each as Confirmed / Likely / Informational / False Positive):

Injection & Scripting

  • Reflected XSS
  • Stored XSS
  • DOM-based XSS
  • Mutation XSS (mXSS)
  • Client-Side Template Injection (CSTI)
  • HTML Injection
  • CSS Injection
  • Dangling markup injection
  • Unsafe use of innerHTML, outerHTML, document.write
  • Unsafe eval / dynamic code execution

Redirects & Framing

  • Open redirect
  • DOM-based open redirect
  • Reverse tabnabbing / window.opener abuse
  • Clickjacking / UI redressing
  • Unsafe iframe embedding
  • Weak iframe sandboxing
  • Form action hijacking

Cross-Origin & Trust

  • CORS misconfiguration
  • postMessage flaws (origin validation)
  • Cross-site WebSocket hijacking
  • Missing Subresource Integrity (SRI) on third-party scripts
  • Unsafe third-party script trust

Caching & Service Workers

  • Web cache deception
  • Web cache poisoning
  • Service worker abuse / misconfiguration
  • Offline cache poisoning

Data Exposure

  • JWT / token leakage in localStorage / sessionStorage / cookies
  • Sensitive data in JS bundles or source
  • Source map exposure (.map files reachable)
  • Hardcoded secrets / API keys in frontend code
  • Stack traces or debug data visible to client
  • Hidden admin functionality / feature flags exposed

Client-Side Logic & Manipulation

  • Client-side authorization bypass
  • Business logic manipulation in browser
  • Parameter tampering
  • Hidden field manipulation
  • Client-side prototype pollution
  • Insecure client-side deserialization
  • Client-side path traversal
  • DOM clobbering

Browser & Misc

  • CSRF risk from frontend request patterns
  • Mixed content
  • MIME sniffing / content-type confusion
  • Referer leakage
  • Browser history leakage
  • Autofill abuse / credential leakage
  • Clipboard abuse
  • File upload client-side validation bypass
  • XS-Leaks
  • LocalStorage / SessionStorage abuse
  • Vulnerable third-party JavaScript libraries (CVE-matched)

Methodology (Execute in Order)

Phase 1 — Reconnaissance & Asset Enumeration

  • Crawl target: enumerate pages, scripts, endpoints, static assets
  • Identify JS bundles, source maps (.map), manifests, service workers, web workers
  • Enumerate first-party and third-party JS resources (CDN scripts, analytics, tag managers)
  • Check storage usage: localStorage, sessionStorage, IndexedDB, cookies
  • Identify public config artifacts: robots.txt, sitemap.xml, .well-known/*, manifest.json
  • Review HTTP response headers: CSP, CORS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HSTS

Tools to use: curl, wget, browser DevTools, gau, waybackurls, hakrawler, katana, subfinder, httpx, nuclei, custom scripts in TOOLS_DIR, Chrome (manual review)

Phase 2 — Static Analysis

  • Download and review all reachable JS bundles and source maps
  • Search for: hardcoded keys, tokens, credentials, internal URLs, debug flags, feature flags
  • Parse source maps to reconstruct original source where available
  • Identify JS library names and versions; cross-reference against known CVEs (RetireJS, Snyk DB)
  • Review HTML for: inline scripts, hidden fields, form actions, iframes, rel="noopener" presence
  • Review CSP policy for bypasses (wildcards, unsafe-inline, unsafe-eval, missing directives)

Tools: retire.js, npm audit, semgrep, grep/ripgrep, browser DevTools Sources tab, js-beautify, source-map CLI

Phase 3 — Targeted Low-Risk Runtime Validation

  • Open the target in Chrome; observe network requests, console errors, storage
  • Test CORS by issuing cross-origin requests with crafted Origin headers
  • Check postMessage handlers: send crafted messages with untrusted origins
  • Test open redirect candidates with controlled payloads
  • Test XSS candidates with non-alerting, non-destructive probes (e.g., unique string reflection)
  • Inspect cookies: flags (HttpOnly, Secure, SameSite), scope, expiry
  • Check service workers: scope, fetch event handlers, cache strategies
  • Test iframe embedding from external origin

Phase 4 — Risk Confirmation (Only Where Needed)

  • Construct minimal PoC to confirm exploitability where finding is likely but unconfirmed
  • Do not automate or repeat; single manual validation only
  • Document exact reproduction steps

JavaScript Library Review Format

For each identified library:

FieldValue
Library name
Detected version
File path / URL
Evidence
Known CVEs / issues
AssessmentVulnerable / Outdated / OK
Security relevance

Running Log (Keep Updated Throughout)

Maintain a running log as you work:

[STEP] Description of action
[TOOL] Tool and command used
[OUTPUT] Key evidence or finding
[CONFIDENCE] High / Medium / Low

Output

Save the final report as:

client_side_pentest_report.md

in the current working directory.

Report Structure

# Client-Side Penetration Test Report

## Executive Summary
## Scope & Assumptions
## Methodology
## Asset Inventory (client-side relevant)
## JavaScript Library Inventory
## Sensitive Data Exposure Findings
## Vulnerability Findings
## Informational Observations
## False Positives Ruled Out
## Recommended Remediation
## Appendix (commands, URLs, raw evidence, notes)

Per-Finding Format

### [FINDING TITLE]

- **Severity**: Critical / High / Medium / Low / Informational
- **CWE**: CWE-XXXX — [name]
- **Affected asset(s)**:
- **Description**:
- **Evidence**:
- **Reproduction steps**:
- **Security impact**:
- **Likelihood / Confidence**: Confirmed / Likely / Informational / False Positive
- **Remediation**:
- **References**:

Execution Style

  • Be systematic, concise, and technical
  • Prefer high signal over noisy output
  • Do not stop at the first issue — continue until all phases are complete
  • Distinguish clearly between Confirmed, Likely, Informational, and False Positive findings
  • Do not overstate severity; be skeptical and evidence-driven
  • If a noisier step is needed (e.g., active scanning, fuzzing), pause and ask the user for approval with a clear explanation of what will be done and why

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Ring Security

Monitor and manage Ring doorbells and security cameras. Query device status, review motion events, manage modes, and export event history. Use when you need...

Registry SourceRecently Updated
1780Profile unavailable
Security

Moses Governance Single

MO§ES™ Governance — Single-agent constitutional control. Enforces behavioral modes, posture controls, role awareness, and SHA-256 chained audit trail in one...

Registry SourceRecently Updated
830Profile unavailable
Security

Moses Audit

MO§ES™ Audit Trail — SHA-256 chained append-only governance ledger. Every agent appends before final response. Provides moses_log_action and moses_verify_cha...

Registry SourceRecently Updated
870Profile unavailable
Security

Sop Writer

SOP标准操作流程编写工具。创建SOP、流程图、检查清单、审核评估、模板库、培训材料。SOP writer with create, flowchart, checklist, audit, template, and training materials. Use when you need sop write...

Registry SourceRecently Updated
1610Profile unavailable