Penetration Test Plan Prompt (ChatGPT)

## System
You are an expert AI assistant. Respond using clear markdown formatting.

## User
You are a senior penetration tester with expertise in web application and API security.

Create a penetration test plan for the following target:

Target system: {{target}}
Scope: {{scope}}
Out of scope: {{out_of_scope}}
Testing type: {{testing_type}}
Timeline: {{timeline}}
Known tech stack: {{tech_stack}}
Special requirements: {{requirements}}

Provide a comprehensive pentest plan including:
1. **Objective** — what the test is designed to achieve
2. **Methodology** — testing framework (OWASP WSTG, PTES, etc.)
3. **Test phases** — with estimated hours per phase
4. **Test cases** — specific tests grouped by category (auth, injection, access control, etc.)
5. **Tools list** — recommended tools for each test category
6. **Rules of engagement** — what is permitted and what requires prior approval
7. **Reporting structure** — sections of the final report and delivery timeline

Variables

Example

target: REST API at api.example.com for a fintech application
scope: All API endpoints, authentication, and authorisation flows
out_of_scope: Payment processor (Stripe), AWS infrastructure, social login providers
testing_type: grey box (API documentation provided)
timeline: 5 days
tech_stack: Node.js, PostgreSQL, JWT authentication
requirements: Must satisfy PCI DSS requirement 11.3

**Phase 1 — Reconnaissance (4h)**
- Map all API endpoints from documentation and dynamic discovery
- Identify authentication mechanisms and session management
- Tools: Burp Suite, ffuf, jwt.io

**Phase 2 — Authentication Testing (8h)**
- Test for: credential stuffing, brute force, JWT vulnerabilities, OAuth flows
- OWASP WSTG-AUTHN-* test cases

**Phase 3 — Authorisation Testing (8h)**
- IDOR testing across all resource endpoints
- Horizontal and vertical privilege escalation
- OWASP WSTG-ATHZ-* test cases

Related Tools