pentest-client-advanced

Purpose Test advanced client-side attack surfaces beyond XSS. Six WSTG-CLNT items remain unchecked in Shannon's pipeline — these are distinct attack classes requiring different methodology than taint analysis.

| WSTG-CLNT-05 | CSS Injection | ✅ | | WSTG-CLNT-06 | Client-Side Resource Manipulation | ✅ | | WSTG-CLNT-07 | Cross-Origin Resource Sharing | ✅ | | WSTG-CLNT-09 | Clickjacking | ✅ | | WSTG-CLNT-10 | WebSocket Testing | ✅ | | WSTG-CLNT-11 | Web Messaging | ✅ |

| CORS Testing | CORScanner, curl, custom PoC pages | CORS misconfiguration detection | | WebSocket | websocket-client (Python), Burp WS | WebSocket hijacking and injection | | Clickjacking | custom HTML iframes, Playwright | UI redressing PoC construction | | Browser Automation | Playwright, Puppeteer | Automated client-side attack verification |