
Add URL-driven web app pentesting skill and helper scripts#7

Draft
Copilot wants to merge 16 commits into master from copilot/add-pentesting-skill

Contributor

Copilot AI commented Mar 13, 2026

This adds a new skill for authorized web application pentesting where the only required input is the target URL. The skill covers endpoint discovery, authentication/session analysis, common injection checks, and IDOR-style logic testing with a free, open-source-first toolchain.

  • New skill: pentesting-web-apps

    • Adds skills/pentesting-web-apps/SKILL.md
    • Defines a URL-only input contract and scope boundaries
    • Frames the assessment flow from crawl → auth review → injection probes → logic testing → reporting
  • Coverage of required pentesting capabilities

    • Crawler / Spider: route inventory, hidden endpoints, params, authenticated vs unauthenticated reachability
    • Auth Analysis: JWT review, session rotation/reuse, remember-me behavior, session hijacking checks
    • Injection Probes: targeted SQLi, XSS, and SSRF checks against discovered inputs
    • Logic Tester: object-reference tampering and broken access control checks (user_id, org_id, project_id, etc.)
  • Tooling guidance

    • Recommends an open-source-first stack centered on:
      • Playwright
      • OWASP ZAP
      • Burp Suite Community
      • ffuf / feroxbuster
      • sqlmap
      • Dalfox
      • jwt-tool
    • Uses Dalfox as a focused follow-up tool for reflected or stored XSS candidates
  • Reusable helper scripts

    • Adds a skills/pentesting-web-apps/scripts/ folder with composable helpers for the skill workflow
    • Includes scripts for crawl orchestration, auth analysis, injection probe generation, logic testing, and end-to-end assessment composition
    • Adds a Playwright crawler helper for same-origin page, form, and request inventory
    • Updates the injection helper to plan optional Dalfox follow-up alongside sqlmap and ZAP
    • Scripts default to a safe dry-run mode and support --execute to run available tools when installed
  • Repository index updates

    • Adds the new skill to README.md
    • Includes an install example, usage summary, and references to the new helper scripts

Example install:

npx skills add b12consulting/skills --skill pentesting-web-apps

Original prompt

This section details on the original issue you should resolve

<issue_title>Add pentesting skill</issue_title>
<issue_description>The skill should target web app harnessing, general idea:

  • should include usual pentesting tool (playwright, burp, OWASP ZAP, ...), should be free and ideally open-source
  • the only thing the agent should take as input is the url to the web app.

Requirement | Description:

  • Crawler/Spider | The ability to map the application's URL structure and hidden endpoints.
  • Auth Analysis | Logic to test JWT strength, session hijacking, and "Remember Me" flaws.
  • Injection Probes | Automated payloads for SQLi, XSS, and SSRF targeted at input fields.
  • Logic Tester | For example testing if changing a user_id (or org_id, project_id, etc) in a URL allows access to another user's data (IDOR).

</issue_description>

Comments on the Issue (you are @copilot in this section)
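
The same-origin scoping and dry-run default described in the PR description above, sketched as an added example that is not code from this pull request. The function names, the `app.example.test` host and the `example-scanner` tool name are hypothetical, and the plan is only returned, never run.

```python
import shutil
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        # .hostname drops any userinfo ("user@"), so "trusted@other" cannot spoof scope
        return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])
    except ValueError:  # malformed port or IPv6 literal
        return None


def in_scope(target, candidate):
    """True only when candidate has exactly the target's scheme, host and port."""
    cand = origin(candidate)
    return cand is not None and cand == origin(target)


def plan(target, discovered, tool, execute=False, which=shutil.which):
    """Filter discovered URLs to the target origin and decide the run mode.

    Dry-run is the default; "execute" is chosen only when it was requested
    explicitly AND the tool is actually installed.
    """
    if origin(target) is None:
        raise ValueError("target must be an absolute http(s) URL")
    scoped = [u for u in discovered if in_scope(target, u)]
    skipped = [u for u in discovered if not in_scope(target, u)]
    installed = which(tool) is not None
    mode = "execute" if (execute and installed) else "dry-run"
    return {"mode": mode, "tool": tool, "installed": installed,
            "in_scope": scoped, "skipped": skipped}


# Constructed sample crawl output for a hypothetical target.
TARGET = "https://app.example.test/"
SAMPLE = [
    "https://APP.example.test:443/api/users?id=1",  # same origin, default port
    "https://app.example.test@other.example/",      # userinfo trick, out of scope
    "http://app.example.test/login",                # different scheme
    "javascript:void(0)",                           # not http(s)
]
```

Anything in `skipped` is worth logging in the report so a reviewer can confirm the crawl never left the authorized origin.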



Co-authored-by: bertrand-chenal <122295322+bertrand-chenal@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add pentesting skill targeting web app harnessing" to "Add URL-driven web app pentesting skill" Mar 13, 2026
Copilot AI requested a review from bertrand-chenal March 13, 2026 09:07

@bertrand-chenal bertrand-chenal left a comment

add a script folder to this skill, with a bunch of reusable composable scripts that use the tools in SKILL.md

Copilot AI and others added 9 commits March 13, 2026 09:19
Co-authored-by: bertrand-chenal <122295322+bertrand-chenal@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 13, 2026

add a script folder to this skill, with a bunch of reusable composable scripts that use the tools in SKILL.md

Added a reusable scripts/ folder for pentesting-web-apps with composable crawl, auth-analysis, injection-probe, logic-tester, and orchestration helpers, and documented them in the skill. Addressed in 9f5e4d1.

Copilot AI changed the title from "Add URL-driven web app pentesting skill" to "Add URL-driven web app pentesting skill and helper scripts" Mar 13, 2026
Copilot AI requested a review from bertrand-chenal March 13, 2026 09:27
@bertrand-chenal

@copilot please integrate Dalfox to the list of tools

Copilot AI and others added 5 commits March 13, 2026 12:48
Co-authored-by: bertrand-chenal <122295322+bertrand-chenal@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 13, 2026

@copilot please integrate Dalfox to the list of tools

Integrated Dalfox into the pentesting skill tooling and injection follow-up guidance, including the helper script’s optional XSS follow-up plan. Addressed in 5991935.

Development

Successfully merging this pull request may close these issues.

Add pentesting skill

2 participants