Cybersecurity > Pentesting

Process

Based on the PDCA cycle

Plan

Gather documentation for the test

• Document what should be their and it's purpose.

• Open ports

• API endpoints

• Outbound connections

This established a known baseline for the system.

Do

Setup an environment for the test.

• This should be a copy of production.

• This must be isolated from all other instances. Must be on it's own subnet.

• This must not contain production data.

• provide the tester will full access to this network - normally done using a jump box.

finally:

• perform the test

Check

• Review the test results

Are they valid:

• Where all systems scanned.

• Where all ports scanned.

Document:

• Document the test results

Act

For each finding:

Patch the code

• If you own the code - Change the code.

• If the code is in the supply chain:

• Find a patch / revised version

Mitigate the problem

• Remove the component or feature

• Place the component behind something so it cannot be reached.

Cannot fix, assess the risk

• What is the impact of this vulnerability.

• If it is exploited what could happen:

• Consider the CIA triad in risk analysis.

• How does the CIA triad impact the business?

📖More about risk

Repeat

Repeat this cycle until all issues have been resolved.

• Don't accept that a fix until you have poof from a pen test that it is fixed!

• Yes developers want a get out of pentest free card

Tools

ZAP Proxy

Nmap

Scanning web servers

BURP Suite

CURL

More Information

Common XSS tactics

XSS Filter Evasion Cheat Sheet