Hello everyone! Today I’ll talk about the steps to penetration testing. I hope you’ll enjoy it!
First of all, let’s talk about what a penetration test is. It is, in short, called “Pentesting”. Pentesting is to report the bugs, vulnerabilites that can affect a website and to protect a website from possible hacker attacks.These websites usually belong to companies, associations and etc and people who do this are “Pentesters”.
Now let’s also talk about the types of Pentesting.
White Box Pentesting
This type of Pentesting is means absolutely no harm to the target website and is performed by the website admin’s permission. The pentester reports anything that could be a threat to the admin.
Black Box Pentesting
The purpose of this type of Pentesting is to break into the website without anyone’s knowledge and leak information.
Gray Box Pentesting
This includes both white and black box pentesting and works like this:
The pentester gets into the website with the admin’s permission and reports some of the threats that could affect the website in a bad way. While doing this, he may also not report some of the vulnerabilities to the admin or he could steal some information from the website.
Now we can return to our main subject, which is the steps for these penetration tests.
First Step – Planning and Exploring
First of all, the pentester needs to gather some information about and determine the methods to perform pentesting on the website. As example, he could get some information about the website using Whois.
Second Step – Scanning, Analyzing
The purpose of this step is to observe and analyze how the website reacts to different attacks.
There are two types of analyzing:
- Static Analyzing: In this type, the pentester guesses how a program, code etc. may react by analyzing it. These can analyze the code or software in one-go.
- Dynamic Analyzing: The pentester runs the code of an application while it’s active in this type of analyzing. This is a faster and more effective way to analyze.
Third Step – Accessing
In this step, the pentester performs web application attacks such as SQL Injection, XSS, BackDoor to determine the vulnerabilites and the bugs of the website. Pentesters try to access to the website by using various payloads and trying to dump the database of the site, interrupting the traffic of the website, uploading something on it and etc.
Fourth Step – Reporting
In this step the pentester reports the vulnerabilities he found on the website to the admin.
What matters is how you report something. You can notice it better when you look at the list below.
- A picture from the database if you’ve got into it.
- Informations that hackers would find worth stealing. CC, Admin’s Informations, Gmail, Passwords etc. You could also report this to the admin by taking a picture of it.
- Specifying the exact location of the bug or vulnerability.
- Recording a video of how much the vulnerability could affect the website and what would happen in the end.
If you perfectly do these steps, they’ll return to the bugs and vulnerabilities you’ve found in a short time.