What is pentesting?

What is pentesting?

23.03.2019
18:27
Audit, Security Testing

Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

Concept

A common tool used to assess the security of a web application is penetration testing. Known also as pentest. Pentest is a “legal” simulated attack that seeks to use an application in a way that could be harmful to either the system, the data in the system, or the people who use the system.

Objectives

The purpose of the test is to simulate the intentions of a malicious attacker and to verify the operation of the application in an exceptional situation. The goal is usually to find the most common errors in the application. This is a very good approach especially if you are testing an application or system for the first time.

The testing criteria are well-known and generally accepted standards and checklists, especially those created for the security assessment of web applications, The most widely used checklist is the OWASP top-10, which covers the most common vulnerabilities in web applications, and this checklist is maintained and reviewed regularly. Therefore, by default, you can always be confident that by following the OWASP top-10 as the primary testing criterion, you are testing the right things.

Other testing criteria may be, for example, SANS 25 or an industry-specific testing framework such as PCI-DSS.

Source code reviewing may also be used to support penetration testing. Most often, source code reviewing is used to support penetration testing and the source code is not read line by line. If the source code is reviewed in more detail, the OWASP ASVS framework is often used as a support method.

Scanning supports testing

Network and server scanning creates a snapshot of the application environment and ensures that there are no vulnerabilities in the application’s background infrastructure that could be exploited by a potential attacker to bypass the protections used. At the same time, potential targets are found for the actual penetration testing. Depending on the environment, the scan can be done from the perspective of both an internal and an external attacker.

Targets

Applications most often have two a user interfaces. one for the clients and some sort of internal interface usually used by company employees. In addition to this, it is often good to identify different APIs that may be justified to test other ways than just by using applications. Testing is performed with the utmost care, following the principle of consciously avoiding, for example, the use of destructive database inputs during testing. Inputs may be incorrect and broken during testing, but test inputs that write to or destroy databases (DROP), for example, are not used. This allows testing to be performed entirely in either the production environment or the test environment, depending on the situation.

Specifics

Tests often pay attention to the cross-use of credentials, e.g., elevating and abusing high-level permissions and normal user credentials. Other checkpoints outside the OWASP top-10 are always agreed separately with the customer. It is also good to raise individual concerns.

Things to consider

If the system is protected by technical controls that prevent penetration testing (IDS / IPS, WAF web application firewall, ratelimiter, autoban system, blacklists,…), these should be switched off in order to successfully complete penetration testing. These technical controls effectively prevent penetration testing – testing of these technical controls must be performed separately if the situation and scope so require.

Although testing is performed with the utmost care and in accordance with good professional ethics, it is possible that the systems will be damaged or interrupted during testing. It is the customer’s responsibility to take care of the preparation. The auditor always keeps the client up to date in the event of any problem situations.

Testing can always be performed from specific IP addresses, allowing these IP addresses to be whitelisted for the duration of the tests.

Finally

Penetration testing is a basic tool for information security. Testing should be performed with the development teams involved and, in addition to the report, given the opportunity to ask the auditor directly for clarifications and tips to correct problems.

To help the development teams, a security hackathon can also be set up, where the developers themselves can try out the pentesting.

Auditing

Auditing Auditing in short Auditing means many things. For us, it means customized reviews of systems, environments and processes for our customers. In addition to

Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).