Penetration Testing: Methodology, Scope and Types of Pentests

With cybersecurity risks on the rise, the need to carry out a penetration test (pentest) to reassure customers, partners and investors is becoming more and more obvious.

Moreover, for companies involved in a certification process (ISO 27001, SOC2, HDS, PCI-DSS, etc.), a penetration test is an imperative. And for others, it is an essential prerequisite for satisfying the pentesting report requests of their customers and prospects.

The aim of this article is to explain the principle of pentests, the objectives, the methodology, the types of tests, the different approaches (black, grey or white box), etc.

What is Penetration Testing (Pentesting)?

A penetration test is an offensive evaluation of the security of an information system (web and mobile applications, infrastructures, networks, connected objects, etc.) or of the human factor (via social engineering), with a dual objective.

On the one hand, penetration tests identify attack vectors, vulnerabilities and control or configuration problems that could compromise the confidentiality, integrity and availability of information and data.

On the other hand, they are designed to enhance the security of a target system by proposing fixes and concrete recommendations for closing breaches or reducing the impact of exploiting identified vulnerabilities and weaknesses.

To do this, a penetration test is carried out by an offensive security expert known as a “pentester”. Depending on the scope of the pentest and the targets, several people are often involved in a single project. The pentesters use their skills, expertise and imagination to identify specific weaknesses and vulnerabilities, whether technical, logical or human, and the side-effects of exploiting them.

In addition, the methodology of a penetration test is based on security norms, guides and standards such as OWASP (Open Web Application Security Project) or PTES (Penetration Testing Execution Standard), which involve an active, dynamic and static analysis of a target system. Pentesters rely on a variety of manual techniques and automated tools to detect any potential vulnerabilities.

Finally, when performing a pentest on any type of target, 3 approaches are generally considered: black box, grey box and white box tests. These approaches or “test conditions” correspond to the different levels of information provided to the pentesters to carry out an audit on a specific target.


Pentesting and vulnerability testing are distinguished by their respective objectives. Vulnerability tests are based on the use of automatic scanners, which enable common vulnerabilities to be identified quickly. A penetration test, on the other hand, is intrinsically more comprehensive and rooted in the reality of cyber attacks.

A penetration test includes the search for logical flaws, such as rights issues, which account for the majority of vulnerabilities exploited by attackers and cannot be detected by automatic tools. In addition, a manual vulnerability exploitation phase is carried out, giving the pentesters the opportunity to measure the concrete impact of a vulnerability in the tested environment and to identify any side-effects.

However, it is important to note that a vulnerability scanner has the advantage of cost and ease of deployment.

For more information on the differences and specificities (advantages and disadvantages) between penetration testing and vulnerability scanning, please refer to our article: What does a penetration test vs a vulnerability scanner bring?

A penetration test enables the security of any IT system to be put to the test by outsourcing the tests to a company specialising in offensive security. Bug bounty platforms serve the same purpose. However, the tests are carried out by independent bug hunters who register on an online platform.

Despite their specificities, these 2 approaches, which are often set in opposition, coexist and are in practice quite complementary, because they respond to different levels of maturity. Security test duration and cost, methodology, vulnerability management, pre-sales advice, post-audit follow-up, etc.: we have listed all the criteria you need to consider when choosing or combining bug bounty and/or pentest for your security tests in this article: Pentest or bug bounty, which approach should you choose for your security tests?

What Are The Different Types Of Penetration Testing?

A web application penetration test consists of looking for application vulnerabilities as well as flaws linked to the configuration of the infrastructures hosting the services (servers, cloud environments).

On servers or cloud environments, this involves open and poorly secured services, out-of-date software, configuration errors or security elements that can be bypassed.

On the application side, the majority of vulnerabilities are those listed by OWASP (including the top 10: broken access control, injections, cryptographic failures, identification and authentication failures, etc.), logical flaws (often rights issues: IDOR and others), and those relating to the technologies used by developers.

The following are examples of vulnerabilities commonly discovered during web application pentesting:

  • Broken access control
  • Cryptographic failures
  • Injection flaws (XSS, SQL, SSTI, etc.)
  • Insecure design
  • Security misconfiguration
  • Vulnerable and outdated components
  • Identification and authentication failures
  • Software and data integrity failures
  • Lack of logging and monitoring
  • Server-Side Request Forgery (SSRF) vulnerabilities

In addition, all types of platforms and technologies can be tested.

For more information on web penetration testing, please consult our dedicated article. You’ll find more detailed information on the scope of testing, as well as use cases for black box, grey box and white box penetration testing on various targets: Web Application Penetration Testing: Objective, Methodology, Black Box, Grey Box and White Box Tests.

And if you’d like to find out more about common web application vulnerabilities and attacks, we refer you to our article: How to Strengthen the Security of Your Web Applications to Counter the Most Common Attacks?

A mobile application penetration test includes a static analysis and a dynamic analysis of the application, in addition to the tests carried out on the servers and, possibly, the APIs.

On the one hand, static analysis involves extracting elements (meta-information and source code, for example) to carry out reverse engineering attempts. On the other hand, dynamic analysis involves looking for vulnerabilities in the application during use (runtime). In general, in the event of misconfiguration or faulty implementation, it is possible to bypass controls or extract data.

Below are examples of vulnerabilities commonly discovered during pentests of mobile applications:

  • Improper Credential Usage
  • Inadequate Supply Chain Security
  • Insecure Authentication/Authorization
  • Insufficient Input/Output Validation
  • Insecure Communication
  • Inadequate Privacy Controls
  • Insufficient Binary Protections
  • Security Misconfiguration
  • Insecure Data Storage
  • Insufficient Cryptography

For more information on mobile application penetration testing, please consult our dedicated article. In it, we detail the principles, objectives, methodology and elements tested during mobile application penetration tests: Mobile Application Penetration Testing: Objective, Methodology and Testing Scope.

And to find out more about common mobile application vulnerabilities and attacks, we refer you to our article: How to Strengthen the Security of Your Mobile Applications to Counter the Most Common Attacks?

An API penetration test can be carried out independently or integrated into the scope of a web or mobile application penetration test, with vulnerabilities specific to this type of interface.

Below are examples of vulnerabilities commonly discovered during API penetration testing:

  • Broken Object Level Authorization
  • Broken Authentication
  • Unrestricted Resource Consumption
  • Broken Object Property Level Authorization
  • Broken Function Level Authorization
  • Unrestricted Access to Sensitive Business Flows
  • Server Side Request Forgery
  • Security Misconfiguration
  • Improper Inventory Management
  • Mass Assignment

For more information on API penetration testing, please consult our dedicated article. You’ll find more detailed information on the scope of testing, as well as use cases for black box, grey box and white box testing on various targets: API Penetration Testing: Objective, Methodology, Black Box, Grey Box and White Box Tests.

And if you’d like to find out more about common API vulnerabilities and attacks, we refer you to our article: How to strengthen the security of your APIs to counter the most common attacks?
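The rights issues mentioned above (IDOR in web applications, Broken Object Level Authorization in APIs) are the logical flaws a scanner misses because every response looks valid. The following added Python example, not code from this article or from Vaadata, shows a handler with the flaw beside its fixed version, plus an authorization-matrix check of the kind a pentester runs by hand with the user accounts supplied in a grey box test; the invoice data and user names are constructed.

```python
# Added example (not from the article or Vaadata): an object-level
# authorization flaw (IDOR / BOLA), its fix, and a rights check of the
# kind run manually with the accounts provided in a grey box pentest.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed sample data standing in for the API's data store.
INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 75),
    1003: Invoice(1003, "alice", 300),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_vulnerable(user: str, invoice_id: int) -> Invoice:
    """Authenticated endpoint with no ownership check: any logged-in user
    reads any invoice just by changing the id. Every response is a valid
    object, so an automated scanner sees nothing wrong."""
    return INVOICES[invoice_id]


def get_invoice_fixed(user: str, invoice_id: int) -> Invoice:
    """Same lookup with an explicit object-level authorization check.
    Missing and foreign invoices get the same answer, so the endpoint
    does not reveal which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != user:
        raise Forbidden(f"{user} may not read invoice {invoice_id}")
    return invoice


Handler = Callable[[str, int], Invoice]


def can_read(handler: Handler, user: str, invoice_id: int) -> bool:
    """True if the handler returns the object to this user."""
    try:
        handler(user, invoice_id)
    except (Forbidden, KeyError):
        return False
    return True


def authz_matrix(handler: Handler, users: list[str],
                 invoice_ids: list[int]) -> list[tuple[str, int]]:
    """Try every (user, object) pair, the way a pentester does with two
    test accounts, and return the pairs where a user could read an object
    they do not own. An empty list means no IDOR/BOLA was found."""
    leaks = []
    for user in users:
        for oid in invoice_ids:
            if can_read(handler, user, oid) and INVOICES[oid].owner != user:
                leaks.append((user, oid))
    return leaks
```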

An IoT penetration test looks for vulnerabilities in all layers of the IoT ecosystem: hardware, firmware, communication protocols, servers, web applications and mobile applications.

Below are examples of tests carried out during IoT penetration testing.

On the hardware:

  • Reverse engineering of elements extracted from the device
  • Memory dumps
  • Cryptographic analysis

On the firmware:

  • Detection of open and poorly protected communication ports
  • Buffer overflow
  • Password cracking
  • Reverse engineering
  • Cryptographic analysis
  • Firmware modifications
  • Debugging
  • Detection of configuration interfaces or backdoors

On communication protocols:

  • Capture and analysis of multi-protocol radio signals (sniffing)
  • Cryptographic analysis
  • Passive eavesdropping on exchanges
  • Interception and corruption of exchanges
  • Denial of service

For information on web and mobile applications and APIs, please refer to the previous sections.

An internal network penetration test consists of evaluating the security of an internal network from the position of an attacker who has managed to penetrate it. The tests cover servers, network equipment, workstations, Wi-Fi, Active Directory, etc.

Below are examples of vulnerabilities commonly discovered during internal penetration tests:

  • Network misconfiguration
  • Network segmentation failures
  • Lack of data and communications encryption
  • Poor rights and access management
  • Lack of logging and monitoring

For more information on internal penetration testing, please consult our dedicated article. It details the principles and objectives, as well as use cases for black box and grey box penetration testing of an internal network: Internal Penetration Testing: Objective, Methodology, Black Box and Grey Box Tests.

And to find out more about common network infrastructure vulnerabilities and attacks, we refer you to our article: How to Strengthen the Security of Your Network Infrastructure to counter the Most Common Attacks?

A social engineering penetration test consists of assessing your employees’ reflexes and behaviour in the face of phishing, vishing and smishing attacks, as well as the risks of physical intrusion.

A social engineering pentest can be carried out independently or as part of a technical pentest.

For more information on the different techniques and strategies for defining a social engineering campaign, please consult our white paper.


Approaches and technical conditions for a penetration test: black, grey or white box

A penetration test on any type of target can be carried out using 3 distinct approaches, corresponding to 3 levels of information available to the pentester during the tests: black box, grey box or white box. It should also be noted that a pentest can combine 2 or even 3 approaches to achieve a more “efficient” result, depending on the objectives set.

During black box testing, the pentester takes the position of an external attacker and targets the exposed attack surface.

During grey box testing, the pentester has an “intermediate” level of information about the target system. This may include user accounts with different levels of rights and/or technical documentation.

In white box testing, the pentester performs the tests with a “maximum” level of information about the target system, including source code, administrator access to the infrastructure and internal technical documentation.

For more details on these 3 approaches, please see our article: Black, Grey or White Box Penetration Test? 3 Options for a Security Audit.

Penetration Testing Methodology

The aim of a penetration test is to methodically test the security of a system, using all the techniques and strategies used by attackers. This type of audit is based on a number of security standards, including OWASP. Generally speaking, a pentest is based on a four-phase methodology, which constitutes an iterative process: reconnaissance, mapping of the target system, discovery and exploitation of vulnerabilities.

But before explaining these 4 phases, let’s take a quick look back at the first step: defining the scope of a pentest.

A pentest is a tailor-made operation. Depending on your objectives – conducting an initial test to assess the security level of a specific target, carrying out exhaustive tests on a web application to obtain a certificate, integrating the risks of social engineering into your security approach, etc. – you will need to define the target perimeter for the tests.

The scope can therefore be defined precisely, or left open. For example, a black box pentest will target the information system (IS) elements discovered by the pentesters during the reconnaissance phase, whereas a white box web pentest may target all functionalities, or only certain specific features.

For more details on this important stage, we invite you to consult our white paper. It provides valuable information for defining a pentest strategy tailored to your objectives, challenges and constraints.


The reconnaissance phase consists of searching for open-source information about the test target. All information potentially useful to an attacker is gathered, for example: IP addresses, domain and sub-domain names, types and versions of technologies used, third-party components, technical information shared on forums or social networks, data leaks, etc.

The aim of the mapping phase is to list all the target’s functionalities. It enables the pentesters to have better visibility of the most critical and most exposed elements. This stage is particularly essential when the scope of the tests is large.

The discovery phase is an attack stage. Here, pentesters search for vulnerabilities using manual tests supplemented by automated tools. The aim is to uncover as many vulnerabilities as possible in the target system, then exploit them to discover new ones.

The exploitation stage, the very essence of penetration testing, consists of testing possible exploits of the identified vulnerabilities. It enables penetration testers to take advantage of certain vulnerabilities to discover new ones. The aim here is to assess the actual impact of the vulnerabilities and therefore their level of criticality.

Pentesting Report

The deliverable issued following a penetration test is a comprehensive report presenting all the vulnerabilities identified (classified by level of criticality: low, medium, high, critical), the possible exploits and recommendations for correction. In addition, the pentester(s) in charge of the audit carry out a debriefing to present the results and discuss the flaws and corrective measures to be implemented.

It is also possible to carry out a counter-audit phase to check that the corrective measures have been properly implemented and that there are no side-effects.

In addition to the pentest report, an executive summary can be issued following a penetration test. This document presents the results of a pentest to “non-technical” profiles, and can be used to demonstrate your security approach to your partners, your management committee or your customers.

Why is Penetration Testing Essential?

A penetration test consists of a rigorous exploration of a specific target in order to identify the most critical vulnerabilities. Indeed, a pentest is based on a proven methodology backed up by the pentesters’ manual tests, enabling them to exploit the technical and logical vulnerabilities identified, assess their impact and make recommendations for correction.

Carrying out a penetration test removes barriers during the sales process. Similarly, recurring pentests may be necessary when customers regularly request proof of security. Obtaining a pentest seal or certificate can also make it easier to convert prospects, or reinforce your customers’ confidence in your company.

A pentest is often an essential step in the certification process (ISO27001, SOC2, PCI-DSS, etc.). Carrying out a penetration test enables you to check the effectiveness of the processes and protection in place, with the results guiding corrective action and helping to maintain a solid security posture, thereby ensuring compliance with the standards.

A pentest is a way of raising awareness among teams by putting them into real-life situations. This is the most effective way of demonstrating the importance of security policies. Following technical tests, developers and system administrators will work on implementing corrective measures.

This gives them invaluable knowledge of the potential impact of a vulnerability, and enables them to develop their skills in the area of security. In the same way, following a social engineering pentest, anyone trapped by a phishing e-mail will see their level of vigilance increase.

Perform a Penetration Test with Vaadata, a CREST-approved Company Specialised in Offensive Security

Vaadata is a company specialised in offensive security, supporting all types of organisations with security audits of their systems.

We perform black box, grey box and white box pentesting and cover a wide technical perimeter: web applications and APIs, mobile applications, external infrastructures, internal networks, Active Directory, IoT, social engineering.

In addition, Vaadata is a CREST-approved company, a label issued by an independent non-profit organisation whose mission is to structure the quality approach of companies offering technical cybersecurity services.

We obtained this certification following a rigorous assessment of our processes, methodology and pentester profiles.

Furthermore, all our penetration tests are carried out by our in-house team, based in Lyon. Our pentesters hold certifications that demonstrate our in-depth understanding of all types of vulnerabilities and our skills in exploiting them effectively:

  • BSCP (Burp Suite Certified Practitioner)
  • OSWE (Offensive Security Web Expert)
  • OSCP (Offensive Security Certified Professional)
  • CEH (Certified Ethical Hacker)
  • AWS Certified Solutions Architect – Associate; AWS Certified Security – Specialty
  • GCP Google Cloud Certified: Professional Cloud Security Engineer
  • CISSP (Certified Information Systems Security Professional)

Contact us to discuss your pentest requirements.

Author: Amin TRAORÉ – CMO @Vaadata