This article is primarily for companies that want to know what penetration testing is; for their benefit we have also covered its types, stages and tools. The headings below list everything the post covers.
What is penetration testing or pen testing?
Penetration testing, commonly known as a pen test, is a consensual cyber attack against a company’s system or software in a simulated environment in order to check for vulnerabilities in their security infrastructure that outsiders might be able to exploit.
A pen test is an intrinsic part of web application security and can strengthen a Web Application Firewall (WAF) to its core. This is why it is more important to understand penetration testing than to define it.
Pen tests can involve scaled and planned attacks against application systems such as application programming interfaces (APIs), frontend and backend servers, etc., to uncover vulnerabilities that might be susceptible to dangerous cyberattacks such as code injections.
The insights provided by the penetration test teams can be used to fine-tune the company’s firewall security policies and to patch those vulnerabilities on time.
What happens if you do not get a pen test done?
Web security is a serious thing, especially if you own or are a part of an application that deals with money online directly or indirectly.
Your customers and clients use your app and your services because they choose to trust you. The problem with a cyberattack is that it hits you when you are least expecting it (because it is a planned attack by people without a moral or ethical code). Customers will usually forgive, but they do not forget, and all of us are generally quite insecure when it comes to money.
Let me show you some real-life examples of cyberattacks that have put some major companies to shame, not because the attacks happened but simply because they could easily have been avoided:
Make My Trip, an eCommerce mobile application, and price manipulation:
As you can see, the amount due for payment is Rs 4495/-, to be paid via a certain bank’s debit card. But look at the image shown below:
At the payment gateway, the hacker could tamper with the data to change the order amount to Rs 1/-, and so had to pay only a rupee to get a payment of Rs 4495 sanctioned.
This image shows how the final bill/screen reports that the hacker paid the full amount when in reality they only had to pay one rupee. ONE RUPEE! Can you imagine?
What if 10 other people did the same thing in a day? And that this went on to happen for a month? You know the math…
If you think that this can only happen to fixed-price billing systems, then here is another example for you.
Conning Adobe’s monthly plan to get free products:
This is a screenshot of the original pricing model of the Photoshop CC subscription package. The All Apps subscription is priced at LE 599, i.e. 599 Egyptian pounds, and the single app at LE 260.
The hacker has selected the single-app subscription for LE 260. But then the hacker decodes the payment flow:
In the second image, he has quite easily changed the ‘amount’ field from 260.00 to 000.00, encoded it back and resumed the payment flow. As a result, what happens? Yes, they get the Adobe Photoshop subscription for free!
The hacker gets to use Adobe Photoshop for as long as they want, and that too for free, while the mice party on their crumbs of cheese and the cat is none the wiser!
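Both frauds above work for the same reason: the browser is allowed to tell the server what the price is. The following is an added example (mine, not the article’s and not Adobe’s or Make My Trip’s code) of the server-side check that stops both: the amount is looked up in a server-side catalogue and HMAC-signed, so a re-encoded 000.00 or Rs 1/- is rejected when the flow resumes. The shop, its catalogue, the secret key and the signing scheme are all assumptions made for the illustration.

```python
"""Added example, not the article's code nor Adobe's or Make My Trip's: how a
server defeats the amount tampering shown above. The shop, its catalogue, the
secret key and the HMAC scheme are all constructed for illustration."""
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key"     # in production, load from a secrets store
# Prices the server trusts (the Adobe figures from the article, in LE).
CATALOGUE = {"single-app": 260.00, "all-apps": 599.00}


def _sign(fields: dict) -> str:
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of the fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET_KEY, canonical, hashlib.sha256).hexdigest()


def create_payment_request(order_id: str, plan: str) -> dict:
    """The server decides the amount from its catalogue and signs every field the
    gateway will echo back, so the browser can only carry the data, not decide it."""
    if plan not in CATALOGUE:
        raise ValueError(f"unknown plan {plan!r}")
    fields = {"order_id": order_id, "plan": plan, "amount": f"{CATALOGUE[plan]:.2f}"}
    fields["sig"] = _sign(fields)
    return fields


def verify_payment(fields: dict) -> bool:
    """Run when the payment flow resumes or the gateway calls back. Rejects the
    request if any signed field changed (a re-encoded 000.00 fails here) and, as a
    second line of defence, if the amount no longer matches the catalogue price."""
    presented = {k: v for k, v in fields.items() if k != "sig"}
    sig = str(fields.get("sig", "")).encode()
    if not hmac.compare_digest(sig, _sign(presented).encode()):
        return False
    expected = CATALOGUE.get(presented.get("plan"))
    return expected is not None and presented.get("amount") == f"{expected:.2f}"
```

A real system would also store the expected amount against the order id and compare the gateway’s settled amount with it before marking the order paid.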
This can happen to any website, be it eCommerce, banking or even food or grocery ordering services, and it is always better to be safe than sorry. So, let’s get to the next part, where we will learn about the pen test in detail.
How is penetration testing executed?
A pen test usually begins with observation and critical examination where an ethical hacker gathers all the information and data required to plan their simulated cyberattack.
When they are ready with the plan, they use specialized tools that help them gain access to the company’s system. These tools are usually designed to produce brute-force attacks or SQL injections, and they are built specifically for the purpose of testing. The people doing this job are called ethical hackers for the very reason that the word ‘ethical’ is put in front.
If you have not understood this yet, it is absolutely alright.
Stages of Penetration testing
1. Investigation and Planning
This is where the ethical hacker:
- Defines their goals, including the systems to be addressed and the testing methods to be used.
- Gathers data (e.g., network and domain names, mail server) to better understand how the app or the system works.
- Based on the potential vulnerabilities found during the investigation, plans the next strategies and the tools to be used.
2. Scanning
The execution begins and now it is time to see how the target application/system will respond to various intrusion attempts. This is typically done using:
- Static analysis, where an app’s code is inspected to estimate the way it behaves while running. The tools used can scan the entirety of the code in a single pass.
- Dynamic analysis, where an app’s code is inspected in a running state. This is a more practical way of scanning an app, as it provides a real-time view of the app’s behaviour.
3. Gaining Access
This stage uses web application attacks to uncover an app’s vulnerabilities. Testers then try and exploit these vulnerabilities, usually by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.
4. Maintaining access
The aim here is to see if the vulnerability can be used to achieve a continued presence in the exploited system, long enough for the hacker to gain in-depth access in order to steal an organization’s most sensitive data.
5. Analysis and Reporting
The results derived from the above stages of the penetration test are then compiled into a report detailing:
- Specific vulnerabilities within the system that were exploited
- Sensitive data that was accessed from the system
- The amount of time the penetration tester was able to remain in the system undetected
Types of pen tests
- Internal pen test
In an internal test, the ethical hacker/pen tester performs the test from the company’s internal network to check how much damage an attack launched from behind the company’s firewall can cause.
If your company has any disgruntled employees, you better get this test done.
- External pen test
In an external test, the ethical hacker/pen tester checks and attacks all the websites, apps and other externally reachable servers. This is similar to the hacking usually depicted in movies, where the hacker does not have to enter the building and does all the hacking while sitting in a minivan in the parking lot.
- White box pen test
In a white box test, the pen tester hacks into the company’s system using the security information provided by the company.
- Black box pen test aka the blind test
A blind test is where the pen tester is provided with little to no background information about the company before testing.
- Covert pen test aka double-blind pen test
Just as the name suggests, the ethical hacker does this testing with full discretion, to the extent that almost no one in the company is aware of the test, including the IT and security professionals who usually respond to such attacks. These kinds of tests are usually conducted after an agreement in writing in order to avoid any legal trouble.
Things to keep in mind while finding the right tester
Yes, it is easy to find ethical hackers over the internet but there are certain things you need to keep in mind before you hire someone to do the job.
Always hire someone who is completely new to, or unaware of, how your system works. This way they will try their best to crack open your firewalls.
Hiring them will also help you in finding out the blind spots missed by the developers who built your system.
Experienced ethical hackers are basically developers who hold advanced degrees and certifications in carrying out various kinds of penetration testing.
Hence, ask for them to provide their certifications.
There are quite a number of reformed hackers as well who are self-taught experts and wish to practise ethical hacking.
As much as one would be scared to hire them, they can be even more useful than the others. Not trusting them based on their past life would be bad.
Instead, ask them about their past experiences and client testimonials to ease your mind and find a better professional.
Most importantly, do not trust anyone without doing a background check. The process is important and cannot be sidelined, but you should not skip it at the cost of your app’s security.
Tools to use for a successful pen test execution
The Port Scanner
Port scanner tools are typically used to gather information and data about the target company in a remote network environment.
The Vulnerability Scanner
The vulnerability scanner tries to find any known vulnerabilities on the targeted system. The difference from the port scanner is that the port scanner only keeps track of which services are listening on each port, whereas the vulnerability scanner checks those services against known weaknesses.
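To make the distinction between the two tools concrete, here is an added example (mine, not the article’s and not any tool it names): a minimal TCP port scan followed by a lookup of each announced service against a table of known issues. It is run only against a throwaway service the script starts itself on 127.0.0.1; the host, banner and advisory table are constructed, and the lookup stands in for the vulnerability database a real scanner would consult.

```python
"""Added example, not from the article or any tool it names: a minimal port scan
followed by a vulnerability lookup, run only against a throwaway service that the
script starts itself on 127.0.0.1. Banners and the advisory table are constructed."""
import socket
import threading

# Constructed table of service banners that your own patch tracking has flagged.
# Real vulnerability scanners consult a vulnerability database; this is a placeholder.
KNOWN_ISSUES = {
    "DemoService/1.0": "PLACEHOLDER-ADVISORY: DemoService 1.0 is end-of-life, upgrade to 1.1",
}


def start_banner_service(banner: bytes) -> int:
    """Start a throwaway TCP service that greets each client with `banner`.
    Returns the port the OS assigned to it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def pick_closed_port() -> int:
    """Constructed helper: take a free port from the OS and release it again, so the
    scan has a port that is almost certainly closed."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def port_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Port scanner stage: record which ports accept a TCP connection and what
    service each one announces. Closed or filtered ports are simply left out."""
    services = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                try:
                    banner = s.recv(256).decode(errors="replace").strip()
                except socket.timeout:
                    banner = ""            # open port, but the service said nothing
            services[port] = banner
        except OSError:
            pass                           # connection refused or timed out
    return services


def vulnerability_scan(services: dict) -> dict:
    """Vulnerability scanner stage: keep only the ports whose announced service
    matches a known issue, together with the advisory text for the report."""
    return {port: KNOWN_ISSUES[banner]
            for port, banner in services.items() if banner in KNOWN_ISSUES}
```

Running the two stages against your own hosts gives you the inventory of listening services and the subset that needs patching before a tester finds them.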
The Application Scanner
The app scanner tool checks for any kind of security vulnerability in web-based applications such as eCommerce and fintech sites.
The Web Application Assessment Proxy
The web app assessment proxy tool is placed in between the web browser of the ethical hacker and the company’s web server in order to examine all of the information and data flow between the two.
The information shared through this article is to help you understand what the pen tester/ethical hacker that you have hired is doing so that you always stay aware and ahead of the game.
They will provide you with all the information that you can use to upgrade your app’s security by eliminating all the vulnerabilities that others can exploit.
Stay safe, folks!