Penetration testing is the process of attacking software and its supporting infrastructure, with the owner's authorization, in order to find security vulnerabilities before a real attacker does. There are two approaches to penetration testing: automated testing and manual testing. Many companies do not say which of the two they offer, and some deliver little more than the output of an automated scanner. Automated testing mostly finds low-hanging bugs (known outdated components, missing hardening settings, default configurations); manual testing is needed to find critical vulnerabilities such as logic flaws and chained issues, so it is the preferred approach.
1. Black Box Testing: In a black-box assignment the penetration tester is placed in the role of an external attacker, with no internal knowledge of the target system. Testers are not given architecture diagrams, credentials or source code beyond what is publicly available. A black-box test therefore finds the vulnerabilities that are exploitable from outside the network, and it relies on dynamic analysis of the running programs and systems within the target: sending input, observing responses and inferring behaviour from the outside.
2. White Box Testing: White-box testing goes by several other names, including clear-box, open-box, glass-box and logic-driven testing. It sits at the opposite end of the spectrum from black-box testing: the penetration tester is given full access to source code, architecture documentation, configuration and usually test credentials. The main challenge with white-box testing is sifting through the large amount of material available to identify the points of weakness that matter, which makes it the most time-consuming type of penetration test, but it is also the one most likely to find bugs that are invisible from outside (dangerous code paths that are hard to reach, insecure defaults, secrets in configuration).
Penetration testing stages (methodology):
1. Recon: Enumerate the application and network infrastructure (domains, hosts, exposed services, technologies in use, user roles) and map it against the agreed scope to decide where to start attacking. Assets outside the in-scope list are noted but not touched.
2. Frontend Testing: Test the client-facing side for vulnerabilities such as XSS, CSRF, IDOR, brute forcing of login and password-reset flows, and other authentication weaknesses. Denial-of-service testing is only performed when the client has explicitly authorized it, because it can take production systems down.
3. Backend Testing: Test server-side functionality for RCE, SSRF, SQLi, command injection, cloud service misconfigurations, improper authentication and session management, and sensitive information stored or transmitted in plaintext.
4. Network Testing: Test the network layer for unnecessary open ports and exposed services, AWS (or other cloud) misconfigurations, internal IP address disclosures, etc.
5. Report: Document each finding with its severity and impact, exact steps to reproduce (affected endpoints, requests and payloads) and a fix suggestion for the development team.
6. Retest: After the fix is deployed, rerun the original steps to reproduce to confirm the vulnerability is closed, and check that the fix has not broken the legitimate path or merely blocked one payload variant.
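To show how the backend testing, report and retest stages fit together, here is an added example (illustrative code, not from the original page or any real engagement) for one backend finding, an SQL injection in a login lookup. The "before" and "after" functions, the constructed in-memory database and the function names are all invented for this example; it runs offline with the standard library's sqlite3 module.

```python
"""Added example (not part of the original page): a tiny reproduce-and-retest
harness for one backend finding, an SQL injection in a login lookup.
All data below is constructed in memory with sqlite3; no network is needed.
The function names (vulnerable_login, fixed_login, reproduce, retest) are
illustrative, not from any real project."""
import sqlite3


def make_db():
    """Constructed sample database: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "Wonderland!23", "admin"), ("bob", "hunter2", "user")])
    return conn


def vulnerable_login(conn, username, password):
    """The 'before' code: user input is concatenated straight into the SQL."""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def fixed_login(conn, username, password):
    """The 'after' code: same query, but bound parameters keep the data out
    of the SQL grammar, so quotes and comment markers are just characters."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Steps to reproduce, as they would be written in the report:
# (description, username payload, password payload).
REPRO_STEPS = [
    ("auth bypass: comment out the password check", "alice' -- ", "anything"),
    ("boolean tautology: match every row", "' OR '1'='1", "' OR '1'='1"),
]


def reproduce(login):
    """Run every repro step against a login function. A step counts as a hit
    (the bug is present) if the login returns a row without valid credentials."""
    results = {}
    for desc, user, pw in REPRO_STEPS:
        conn = make_db()
        try:
            rows = login(conn, user, pw)
        except sqlite3.Error:
            rows = []  # an SQL error is still worth noting, but it is not a bypass
        results[desc] = len(rows) > 0
    return results


def retest(login):
    """Retest stage: the fix is accepted only if no repro step still works AND
    the legitimate login path is intact (regression check)."""
    findings = reproduce(login)
    still_vulnerable = [desc for desc, hit in findings.items() if hit]
    legit = login(make_db(), "alice", "Wonderland!23")
    return {"still_vulnerable": still_vulnerable,
            "legit_login_ok": legit == [("alice", "admin")]}


if __name__ == "__main__":
    print("before fix:", reproduce(vulnerable_login))
    print("after fix: ", retest(fixed_login))
```

Keeping the repro steps as data rather than as a one-off manual session is what makes the retest meaningful: the same payloads that proved the finding are replayed unchanged against the patched code, and a fix that only blocks one of them, or that breaks the real login, is rejected.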
Tools used in penetration testing: