Input validation and protocol manipulation assessment for injection, parser differential testing, request smuggling, method tampering, header confusion, serialization abuse, and payload mutation. Hands off to authz, business-logic, exploit, or reporting workflows when those become the owner phase.
التثبيت
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
Input validation and protocol manipulation assessment for injection, parser differential testing, request smuggling, method tampering, header confusion, serialization abuse, and payload mutation. Hands off to authz, business-logic, exploit, or reporting workflows when those become the owner phase.
Input & Protocol Manipulation
Use When
The main question is parser behavior, encoding, method override, header trust, smuggling, serialization, or injection capability.
A request transformation may cross a parser, protocol, or trust boundary.
Handoff Criteria
Hand off to pentest-authentication-authorization-review or pentest-advanced-access-control-auditor when an input anomaly becomes an authorization claim.
Hand off to pentest-business-logic-abuse when the exploitability depends on workflow state.
Hand off to pentest-evidence-structuring-report-synthesis when validation is complete.
Output Schema
Test matrix: vector, payload class, expected secure behavior, observed behavior
Validation state: hypothesis, confirmed, rejected
Minimal reproducible request set
Instructions
Identify the parser or protocol boundary being tested before crafting payloads.
Start with low-noise capability checks, then increase payload complexity only when signal appears.
Compare positive and negative controls for every high-impact claim.
Separate parser anomalies from exploitable security outcomes.
Record exact request transformations required to reproduce behavior.
Escalate to exploit execution only after deterministic primitive confirmation.
Verification Gate
Use structured payload families and deterministic sequencing.
Preserve request/response evidence with context and timing.
Keep tests bounded and reversible by default.
Treat status-code differences as leads until a security effect is proven.
Use positive and negative controls for every high-impact claim.
Cross-check parser behavior with a different content type, method, client, or boundary when ambiguity remains.