From reconnaissance to reporting – about the security testing process

Penetration testing (or pentesting) is an authorized process of finding weaknesses, vulnerabilities and security risks, in order to prevent them from being exploited by potential adversaries. We will go through the basic methodology and more technical (and non-technical) details of the penetration testing process.

To start with, it is worth mentioning that every pentester has their own workflow, usually based on the OWASP ASVS, the OWASP Web Security Testing Guide, MASVS for mobile apps and other materials. Each of us has a different testing approach and uses different tools, but we all share a common goal.

The following steps can be distinguished in the process of finding security vulnerabilities.

Information gathering, also known as reconnaissance

It is the first and the most important step in successfully executing a penetration testing assignment. We have to know what the target is and what is within the scope of the test. It is also important to know how the given application works and which parts are especially sensitive. This will help later in capturing the principal characteristics of a bug and its severity, so that organizations can properly assess and prioritize their vulnerability management processes.

Performing an assignment in the production environment is not advised, as it may lead to the disclosure of customer data and affect the integrity and availability of a live system.

Application scanning

The best approach here is to scan not only with automated tools but also manually. This greatly improves efficiency and maps all possible attack vectors, as automated scanners do not always cover them well. For web applications, it is important to check every user input, every redirection and each request sent to the server, and also to brute-force directories and files. Even if the target is a web application, it is always better to check which ports are open and what other services are running. When possible, e.g. when testing mobile applications, decompile them, review the source code, check whether vulnerable libraries are used and how authentication is handled, and learn the logical flow of the application. Always look for secrets and hardcoded credentials.
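As an added example for the last point above (not code from the original article or from Onwelo), here is a small Python scanner of the kind a tester runs over decompiled or checked-out source to surface hardcoded credentials. It combines a few well-known secret patterns with a Shannon-entropy check for random-looking string literals. The pattern set, the entropy threshold, the class-file sample and its variable names are all assumptions constructed for this illustration; the AWS access key id is the placeholder value AWS uses in its own documentation, not a real key.

```python
"""Hardcoded-secret scanner: known patterns plus a Shannon-entropy check.

Added example; the pattern list is deliberately short and illustrative.
"""
import math
import re
import sys
from dataclasses import dataclass

# Illustrative patterns (assumption: not an exhaustive list of secret formats).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Assumed cutoff (bits per character) above which a quoted literal is treated
# as "random-looking"; 20+ chars of base64/hex-style alphabet are candidates.
ENTROPY_THRESHOLD = 4.0
CANDIDATE_RE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own histogram."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[Finding]:
    """Return one finding per line: a pattern hit wins, otherwise the entropy check."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = next((kind for kind, rx in PATTERNS.items() if rx.search(line)), None)
        if hit is not None:
            findings.append(Finding(line_no, hit, line.strip()))
            continue
        for m in CANDIDATE_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_string", line.strip()))
                break
    return findings


def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample resembling a decompiled Android config class; not a real app.
SAMPLE_SOURCE = """\
package com.example.app;  // constructed sample, not a real application
public class Config {
    static final String API_URL = "https://api.example.invalid/v1";
    static final String API_KEY = "9f3c1d7e2b8a4c6d0e5f1a2b3c4d5e6f";
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String SESSION_SEED = "Qx7mP2vT9kLz4RbN8wYc3HgJ1sFd6Ae0";
    static final String GREETING = "Welcome back to the application";
}
"""

if __name__ == "__main__":
    # With a path argument scan that file; otherwise scan the embedded sample.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```

On the embedded sample the scanner reports the API key assignment, the AWS-style key id and the high-entropy seed, while the URL and the greeting pass. In practice the entropy path is where the false positives come from (hashes, minified identifiers), so findings from it are leads to verify by hand rather than confirmed vulnerabilities.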

Target exploitation

For this step, plenty of books, articles and commonly used exploits and techniques are already out there, with new ones reported every day. The OWASP Top 10 should never be considered enough. What matters here are the skills gathered over the tester's entire experience, combined with creativity. The more information we gather during the first steps, the easier exploitation is. Some of the issues found might help to discover unintended areas and features that even the developers of the application didn't know existed. The best example of this scenario is when SSRF (Server-Side Request Forgery) is found and we are able to scan the local network, which might open up other attack vectors targeting internal services.

Risk analysis and reporting

Many bugs that at first might be seen as low-severity issues can, combined with others found, greatly increase in importance, which is worth pointing out when reporting. When it comes to reporting, many companies use their own templates in which everything has already been thought of: a polished document that is easy to read for non-technical executives and also shows the technical details of the vulnerabilities. The contents should describe the findings, the steps to reproduce them, their impact and mitigation recommendations for developers. A good report should be self-explanatory.

It is important to know that, as was mentioned at the beginning, penetration testing, like cybersecurity in general, is a process that should be constantly improving. New threats and vulnerabilities are disclosed every day. Most companies do not test software until it has already been built; when planning to build an application, an important element is integration with tools that not only audit the code for errors related to the operation of the application itself, but also look for potential security gaps.

It should also be taken into account that an automated scan will not replace a team of pentesters. Of course, some steps of the process can be more or less automated, which can greatly improve the efficiency and coverage of assessments.

More information about Onwelo’s support in the area of IT security can be found on the website.
