Pentesting: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary |
(→Tools) |
||
| (40 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[Cybersecurity]] > Pentesting | |||
= Process = | |||
Based on the PDCA cycle | |||
== Plan == | |||
Gather documentation for the test | |||
* Document what '''should''' be their and it's purpose. | |||
:* Open ports | |||
:* API endpoints | |||
:* Outbound connections | |||
This established a known baseline for the system. | |||
== Do == | |||
Setup an environment for the test. | |||
* This should be a copy of production. | |||
* This must be isolated from all other instances. Must be on it's own subnet. | |||
* This '''must not''' contain production data. | |||
* provide the tester will full access to this network - normally done using a jump box. | |||
finally: | |||
* perform the test | |||
== Check == | |||
* Review the test results | |||
Are they valid: | |||
* Where all systems scanned. | |||
* Where all ports scanned. | |||
Document: | |||
* Document the test results | |||
== Act == | |||
For each finding: | |||
===Patch the code=== | |||
:* If you own the code - Change the code. | |||
:* If the code is in the supply chain: | |||
::* Find a patch / revised version | |||
===Mitigate the problem=== | |||
:* Remove the component or feature | |||
:* Place the component behind something so it cannot be reached. | |||
===Cannot fix, assess the risk=== | |||
:* What is the impact of this vulnerability. | |||
:* If it is exploited what could happen: | |||
::* Consider the CIA triad in risk analysis. | |||
::* How does the CIA triad impact the business? | |||
[[Assessing Risk|📖More about risk]] | |||
== Repeat == | |||
Repeat this cycle until all issues have been resolved. | |||
* Don't accept that a fix until you have poof from a pen test that it is fixed! | |||
:* Yes developers want a ''get out of pentest free'' card | |||
= Tools = | |||
[[ZAP Proxy]] | |||
[[Nmap]] | [[Nmap]] | ||
[[Scanning web servers]] | [[Scanning web servers]] | ||
[[BURP Suite]] | |||
[[CURL]] | |||
= More Information = | |||
[https://www.cobalt.io/blog/a-pentesters-guide-to-cross-site-scripting-xss Common XSS tactics] | |||
[https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html XSS Filter Evasion Cheat Sheet] | |||
Latest revision as of 17:31, 5 December 2025
Cybersecurity > Pentesting
Process
Based on the PDCA cycle
Plan
Gather documentation for the test
- Document what should be their and it's purpose.
- Open ports
- API endpoints
- Outbound connections
This established a known baseline for the system.
Do
Setup an environment for the test.
- This should be a copy of production.
- This must be isolated from all other instances. Must be on it's own subnet.
- This must not contain production data.
- provide the tester will full access to this network - normally done using a jump box.
finally:
- perform the test
Check
- Review the test results
Are they valid:
- Where all systems scanned.
- Where all ports scanned.
Document:
- Document the test results
Act
For each finding:
Patch the code
- If you own the code - Change the code.
- If the code is in the supply chain:
- Find a patch / revised version
Mitigate the problem
- Remove the component or feature
- Place the component behind something so it cannot be reached.
Cannot fix, assess the risk
- What is the impact of this vulnerability.
- If it is exploited what could happen:
- Consider the CIA triad in risk analysis.
- How does the CIA triad impact the business?
Repeat
Repeat this cycle until all issues have been resolved.
- Don't accept that a fix until you have poof from a pen test that it is fixed!
- Yes developers want a get out of pentest free card
