Pentesting: Difference between revisions
From Cramsession
Author: Mflavell
Latest revision as of 17:31, 5 December 2025
Process
Based on the PDCA (Plan, Do, Check, Act) cycle.
Plan
Gather documentation for the test.
- Document what should be there and its purpose:
  - Open ports
  - API endpoints
  - Outbound connections
This establishes a known baseline for the system: anything the test finds that is not on this list is a deviation to investigate.
Do
Set up an environment for the test.
- This should be a copy of production.
- It must be isolated from all other instances, on its own subnet.
- It must not contain production data.
- Provide the tester with full access to this network, normally via a jump box.
Finally:
- Perform the test.
Check
- Review the test results.
Are they valid?
- Were all systems scanned?
- Were all ports scanned?
Document:
- Document the test results.
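The Plan baseline (what should be listening) and the Check questions (was every host and every port scanned, and does what was found match the baseline) can be answered mechanically. The script below is an added example, not code from the original page: it parses Nmap grepable output (`-oG`), which the page's Tools list points at, and compares it against a documented baseline. The baseline dictionary and the scan output are constructed sample data; the completeness test assumes a full TCP sweep (`-p-`), so it checks that the listed ports plus the "Ignored State" count add up to 65535 and says nothing about UDP.

```python
"""Compare a documented pentest baseline against nmap grepable (-oG) output.

Added example (not from the original page). BASELINE and SCAN_OUTPUT are
constructed sample data; the parser assumes the standard -oG line layout.
"""
import re
from dataclasses import dataclass, field

ALL_TCP_PORTS = 65535  # -p- covers 1..65535 TCP

# Constructed baseline from the Plan step: host -> {port: documented purpose}.
BASELINE = {
    "10.0.0.5": {22: "ssh admin from jump box", 443: "public API"},
    "10.0.0.6": {5432: "postgres, internal only"},
    "10.0.0.7": {},  # documented host that should expose nothing
}

# Constructed nmap -oG output. Deliberate deviations: 10.0.0.7 was never
# scanned, 10.0.0.5 exposes an undocumented 8080, 10.0.0.6 exposes an
# undocumented 22 and is missing its documented 5432.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated Fri Dec  5 17:31:00 2025 as: nmap -p- -sV -oG - 10.0.0.5 10.0.0.6
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: closed (65534)
# Nmap done at Fri Dec  5 17:40:00 2025 -- 2 IP addresses (2 hosts up) scanned in 540.12 seconds
"""

PORT_ENTRY_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/")        # port/state/proto/...
IGNORED_RE = re.compile(r"Ignored State: \w+ \((\d+)\)")  # ports nmap collapsed


@dataclass
class HostResult:
    open_ports: dict = field(default_factory=dict)  # tcp port -> service name
    ports_seen: int = 0                             # explicitly listed ports, any state
    ignored: int = 0                                # count from "Ignored State"


def parse_grepable(text):
    """Parse nmap -oG text into {host: HostResult}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment / summary lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        result = hosts.setdefault(host, HostResult())
        for f in fields[1:]:
            if f.startswith("Ports: "):
                for entry in f[len("Ports: "):].split(", "):
                    m = PORT_ENTRY_RE.match(entry.strip())
                    if not m:
                        continue
                    port, state, proto = int(m.group(1)), m.group(2), m.group(3)
                    result.ports_seen += 1
                    if state == "open" and proto == "tcp":
                        result.open_ports[port] = entry.split("//")[1]
            m = IGNORED_RE.search(f)
            if m:
                result.ignored = int(m.group(1))
    return hosts


@dataclass
class Report:
    unscanned_hosts: list = field(default_factory=list)  # in baseline, absent from scan
    partial_hosts: list = field(default_factory=list)    # scanned, but not all TCP ports
    unexpected: list = field(default_factory=list)       # (host, port, service) open, undocumented
    missing: list = field(default_factory=list)          # (host, port) documented, not open

    def is_valid(self):
        """Check-step validity: every baseline host fully scanned."""
        return not self.unscanned_hosts and not self.partial_hosts


def check(baseline, scan):
    """Answer the Check questions and list deviations from the baseline."""
    report = Report()
    for host, expected in baseline.items():
        result = scan.get(host)
        if result is None:
            report.unscanned_hosts.append(host)
            continue
        if result.ports_seen + result.ignored != ALL_TCP_PORTS:
            report.partial_hosts.append(host)
        for port, service in sorted(result.open_ports.items()):
            if port not in expected:
                report.unexpected.append((host, port, service))
        for port in sorted(expected):
            if port not in result.open_ports:
                report.missing.append((host, port))
    return report


if __name__ == "__main__":
    r = check(BASELINE, parse_grepable(SCAN_OUTPUT))
    print("scan valid:", r.is_valid())
    print("hosts never scanned:", r.unscanned_hosts)
    print("hosts not fully scanned:", r.partial_hosts)
    print("undocumented open ports:", r.unexpected)
    print("documented ports not open:", r.missing)
```

Run it as-is to see the constructed deviations; for a real engagement, feed it `nmap -p- -sV -oG - <scope>` output and the baseline from the Plan step. An invalid report (a host missing or only partially scanned) means the results cannot be signed off, regardless of how few findings there are.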
Act
For each finding:
Patch the code
- If you own the code, change the code.
- If the code is in the supply chain, find a patch or a revised version.
Mitigate the problem
- Remove the component or feature.
- Place the component behind a control so it cannot be reached from the attacker's position (for example, restrict it to the isolated subnet or to the jump box).
Cannot fix, assess the risk
- What is the impact of this vulnerability? If it is exploited, what could happen?
- Consider the CIA triad (confidentiality, integrity, availability) in the risk analysis: how does each impact the business?
More about risk: see Assessing Risk.
Repeat
Repeat this cycle until all issues have been resolved.
- Don't accept a fix until you have proof from a retest that it is fixed.
- Yes, developers want a get out of pentest free card.
Tools
- ZAP Proxy
- Nmap
- Scanning web servers
- BURP Suite
- CURL
More Information
- Common XSS tactics: https://www.cobalt.io/blog/a-pentesters-guide-to-cross-site-scripting-xss
- XSS Filter Evasion Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html