A penetration test, or pen test, is a simulated attack on systems and applications to identify exploitable vulnerabilities. It involves testing web and mobile applications, APIs, network devices, workstations, servers and more, uncovering issues like SQL injection, code injection, XSS and privilege escalation.
While penetration testers use automated tools for scanning and information gathering, most testing is conducted manually. Manual testing is crucial for detecting vulnerabilities related to business logic and other issues that automated scans might miss.
Penetration testing can be conducted during the testing phase of the software development lifecycle, ensuring vulnerabilities are addressed before the application is deployed. It can also be performed after the application is in production to identify and mitigate security risks in a live environment, ensuring ongoing protection against emerging threats. Whether it is done early in the development process often depends on how mature the organization is.
A penetration test can be approached in three ways: black-box, gray-box, or white-box.
- Black-box: Testers have no prior information about the application, except possibly an IP address or domain.
- Gray-box: Testers are given additional information, such as credentials for test accounts. This approach balances cost and effectiveness, providing deeper insights without the high expense of white-box testing. It should be the preferred approach most of the time.
- White-box: Testers have full access to all information about the asset being tested, including the application's source code.
Regardless of the approach, penetration testers will generally follow publicly-available and/or internal checklists and testing guides. The most popular ones are:
- OWASP Web Security Testing Guide (WSTG) - A comprehensive guide to testing the security of web applications and web services.
- OWASP Mobile Application Security Testing Guide (MASTG) - Similar to the OWASP WSTG, it is a comprehensive guide to testing mobile applications.
- OWASP Top 10 - Most common and impactful web application security vulnerabilities.
- OWASP Top 10 API - Most common security risks and vulnerabilities for APIs.
- OWASP Mobile Top 10 - A list containing the most common and impactful mobile application security vulnerabilities.
The composition of the penetration testing team is very important. It can consist of either:
- Internal: cybersecurity professionals who understand the organization's systems and policies intimately.
- External: third-party hired for their specialized skills and objectivity, which can bring fresh perspectives and expertise in identifying vulnerabilities that internal teams might overlook.
After assembling the penetration testing team, the organization must meticulously define the scope of the test. This step is critical to avoid deviations from the planned objectives or unintended testing of additional assets and endpoints. Scope definition entails:
- Decide between black-box, gray-box, or white-box methodologies.
- Establish clear timelines for the testing phases.
- Define which systems and endpoints will undergo testing.
- Decide whether tests will occur in production, staging, or other environments.
- Define the requirements - e.g. testing accounts, credentials, documentation, etc.
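One way to enforce the agreed scope before any request is sent, as an added example that is not part of the original article: the scope entries and candidate targets below are constructed, and explicit exclusions take precedence over broader inclusions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample scope for illustration; a real engagement's scope comes
# from the agreed scope document. Exclusions always win over inclusions.
SCOPE = {
    "in_scope": ["10.20.0.0/16", "app.example.com", "*.api.example.com"],
    "out_of_scope": ["10.20.99.0/24", "legacy.api.example.com"],
}


def _host_of(target: str) -> str:
    """Extract the host from a URL, a host:port pair or a bare host/IP."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0] if target.count(":") == 1 else target


def _matches(host: str, entry: str) -> bool:
    """True if host is covered by one scope entry (CIDR, exact host or *.wildcard)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        host, entry = host.lower().rstrip("."), entry.lower()  # host is a name
        if entry.startswith("*."):
            return host.endswith(entry[1:])  # "*.x.com" covers "a.x.com", not "x.com"
        return host == entry
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # entry is a hostname, so it cannot cover an IP


def in_scope(target: str, scope: dict = SCOPE) -> bool:
    """Explicit exclusions override broader inclusions."""
    host = _host_of(target)
    if not host or any(_matches(host, e) for e in scope["out_of_scope"]):
        return False
    return any(_matches(host, e) for e in scope["in_scope"])


def filter_targets(targets, scope: dict = SCOPE):
    """Split candidates into (allowed, rejected) before any traffic is sent."""
    allowed = [t for t in targets if in_scope(t, scope)]
    return allowed, [t for t in targets if t not in allowed]
```

The rejected list is worth keeping in the engagement notes: a host that keeps turning up out of scope is usually a sign the scope document is missing an asset rather than that the tester should proceed.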
Once the scope and dates are defined, the penetration testing team will communicate their requirements to the organization. These may include testing credentials, application documentation, source code access and other necessary resources. It is crucial for the organization to promptly provide all requested information and access before testing begins to ensure a smooth and effective penetration testing process.
After receiving the necessary requirements, such as credentials and documentation, the penetration testing team will begin assessing the system or application. It is crucial for the penetration testing team to:
- Notify the organization immediately if their tests cause any disruption to a system, especially if it is in production, to mitigate potential impacts on business operations.
- Report any critical vulnerabilities discovered promptly to the organization, as these could have significant financial and/or reputational consequences, allowing for swift remediation and risk management.
- Notify the organization immediately if they find any indicators of compromise (IoCs) suggesting that an incident may already have occurred.
Upon completing all tests, the penetration testing team will begin compiling a comprehensive report. This report should be structured as follows:
- Cover
- Table of Contents
- Executive Summary
- General Information
  - Penetration Testing Team
  - Methodology
  - Scope
- Vulnerabilities
  - Title
  - Severity
  - Description
  - Proof of Concept (with screenshots)
  - Impact
  - Mitigation
  - References
- Conclusion
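A small check that findings are complete against the structure above before the report is assembled, as an added example that is not part of the original article: the severity scale and the sample findings are constructed assumptions, and incomplete findings are rejected rather than silently rendered with gaps.

```python
from collections import Counter

# Severity scale assumed for this example; the report structure names a
# "Severity" field but does not fix a scale.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Informational")

# Per-vulnerability sections required by the report structure above.
REQUIRED_FIELDS = ("title", "severity", "description",
                   "proof_of_concept", "impact", "mitigation", "references")


def validate_finding(finding: dict) -> list:
    """Return the list of problems with one finding; empty means report-ready."""
    problems = [f"missing: {field}" for field in REQUIRED_FIELDS
                if not finding.get(field)]
    if finding.get("severity") not in SEVERITY_ORDER:
        problems.append(f"unknown severity: {finding.get('severity')!r}")
    return problems


def prepare_report(findings: list) -> dict:
    """Reject incomplete findings, order the rest most-severe-first and
    compute the per-severity counts used in the Executive Summary."""
    rejected = {f.get("title", "<untitled>"): validate_finding(f)
                for f in findings if validate_finding(f)}
    accepted = [f for f in findings if not validate_finding(f)]
    accepted.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    counts = Counter(f["severity"] for f in accepted)
    return {
        "summary": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
        "vulnerabilities": accepted,
        "rejected": rejected,
    }


# Constructed sample findings (not results from any real test).
SAMPLE_FINDINGS = [
    {"title": "Reflected XSS in search", "severity": "Medium",
     "description": "Search term echoed without encoding.",
     "proof_of_concept": "poc-xss.png", "impact": "Session theft via crafted link.",
     "mitigation": "Context-aware output encoding.", "references": ["OWASP WSTG"]},
    {"title": "SQL injection in login", "severity": "Critical",
     "description": "Username concatenated into the query.",
     "proof_of_concept": "poc-sqli.png", "impact": "Full database read.",
     "mitigation": "Parameterised queries.", "references": ["OWASP Top 10"]},
    {"title": "Verbose error page", "severity": "Moderate",  # not on the scale
     "description": "Stack trace shown.", "proof_of_concept": "poc-err.png",
     "impact": "Information disclosure.", "mitigation": "Generic error pages."},
]
```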
Lastly, after delivering the report and initiating the vulnerability management process, the penetration testing team will retest all vulnerabilities that developers consider fixed. This retesting ensures that each vulnerability has been successfully addressed and that no bypasses to the newly implemented security controls exist.
There are several tools that can help while performing penetration tests against applications. The most common are:
- BurpSuite - A comprehensive software tool used for web application security testing. Key features include a proxy for intercepting and modifying web traffic, a scanner for automated vulnerability detection and tools for performing manual testing, such as repeater, intruder and so forth.
- OWASP Zed Attack Proxy (ZAP) - An open-source web proxy with features similar to BurpSuite's.
- Postman - API testing tool that allows sending various HTTP requests, manipulating headers and automating tests. It helps identify vulnerabilities like authentication issues and data exposure, integrating with other security tools for comprehensive analysis.
- MobSF - Automated, open-source tool for security testing and analyzing mobile applications, supporting both Android and iOS platforms.