Penetration Testing
What is Penetration Testing?
Penetration testing (also known as pen testing or ethical hacking) is a simulated cyberattack against your own systems, designed to help you discover their weaknesses.
Not sure how secure your systems are? A penetration test will help you determine where and how attackers can get access into your systems.
The penetration test’s findings can be used to fine-tune your web application firewall (WAF) rules and to remediate the vulnerabilities discovered.
Why Should You Get A Penetration Test?
There are many benefits to having a penetration test done. These benefits include:
– Detecting security flaws before they are exploited by an attacker
– Detecting vulnerabilities in a network or computer application
– Providing data that helps security teams mitigate vulnerabilities and establish controls against attackers
How Is A Penetration Test Done?
The penetration test will follow an industry-standard testing methodology based on the OWASP Application Security Verification Standard [1], the OWASP Web Testing Guide [2] and the Penetration Testing Execution Standard [3]. The testing will consist of the following steps:
1. Pre-Engagement Interactions
A series of email exchanges and meetings will take place before testing begins, to finalize the scope and rules of engagement and to answer any questions stakeholders may have about the process.
2. Intelligence Gathering
The assessor will perform scans against the Web Application, including an Nmap port scan, and will search online for related resources such as the developers’ GitHub repositories, open-source contributions and other websites.
After reviewing the information gathered during the two previous phases, the assessor will identify the main assets the Web Application must protect and how those assets might be attacked.
The assessor will use industry-standard tools (Nikto, Skipfish, etc.) together with publicly available sources of information (Exploit-DB, CVE, etc.) to look for weaknesses or vulnerabilities in the systems.
Using all the information gathered in the previous steps, the assessor will attempt various attacks to bypass security restrictions. The main tool used during a Web Application pentest will be Burp Suite Pro, augmented with other tools as needed. The results of these tests, together with any other vulnerabilities found, will be presented in a report.
During the Vulnerability Analysis and Exploitation/Post-Exploitation phases, the assessor will test for common web application vulnerabilities including, but not limited to:
- Broken Access Control
- Injections
- Security Misconfigurations
- Sensitive Data Exposure
- Cross-Site Scripting
- Server-Side Request Forgery
- Cross-Site Request Forgery
- Business Logic Flaws
[1] https://owasp.org/www-project-application-security-verification-standard/
[2] https://github.com/OWASP/wstg/releases/download/v4.2/wstg-v4.2.pdf
[3] http://www.pentest-standard.org/index.php/Main_Page