
Penetration Testing

What is penetration testing?

Penetration testing (also known as pen testing or ethical hacking) is designed to act as a simulated cyber attack, helping you discover weaknesses in your systems. Not sure how secure your systems are? A penetration test will help you determine where and how attackers can gain access to your systems.

Why Should You Get A Penetration Test?

There are many benefits to having a penetration test done. These benefits include:

  • Detecting security flaws before they are exploited by an attacker
  • Detecting vulnerabilities in a network or computer application
  • Providing data that can assist security teams in mitigating vulnerabilities and establishing controls against attackers

How Is A Penetration Test Done?

1. Pre-Engagement Interactions
A series of email exchanges and meetings will take place prior to testing. This is to finalize the scope and rules of engagement for the testing and answer any questions that the stakeholders might have concerning the process.
2. Intelligence Gathering
The assessor will perform scans on the Web Application, including an Nmap port scan, and search online for related resources such as the developers' GitHub repositories, open-source coding involvement, other websites, etc.
3. Threat Modeling
After reviewing the information gathered during the two previous phases, the assessor will determine the main assets that the Web Application should protect and how those assets might be attacked.
4. Vulnerability Analysis
The assessor will use industry-standard tools (Nikto, Skipfish, etc.) as well as publicly available sources of information (exploit-db, CVE, etc.) to look for any weaknesses or vulnerabilities in the systems.
5. Exploitation and Post-Exploitation
The assessor will mount various attacks to bypass security restrictions. The main tool used during a Web Application pentest will be Burp Suite Pro, which will be augmented with other tools as needed. The results of these tests and any other vulnerabilities found will be presented in a report.
During the Vulnerability Analysis and Exploitation/Post-Exploitation phases, the assessor will test for common web application vulnerabilities including, but not limited to: Broken Access Control, Injections, Security Misconfigurations, Sensitive Data Exposure, Cross-Site Scripting, Server-Side Request Forgery, Cross-Site Request Forgery, Business Logic Flaws.

Get certified

Contact us to get started today.