PENETRATION TESTING EXECUTION STANDARD METHODOLOGY
The PTES Web Application Methodology includes 7 steps:
- Pre-engagement
- Information Gathering
- Threat Modelling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Reporting
Pre-Engagement: This is the most important step in the penetration testing process. Although this phase does not include any practical testing, it forms the base for the overall engagement. This phase includes:
- Defining the Scope & Out of Scope
- Testing Schedule/Window
- Type of Testing
- Contacts
- Approvals
Information Gathering: In this phase we first employ OSINT techniques to gather publicly available information without probing the target directly, which is known as passive information gathering. This is followed by active information gathering, in which we directly probe the target to collect information about the ports, services and O/S.
Threat Modelling: In this phase we build a complete profile of the target using the information gathered. We identify the types of threats, both internal and external, that affect the target in scope.
Vulnerability Analysis: We scan the target in scope using a web vulnerability scanner. Although these scanners are automated, we need to configure the scope, the limit of the scan and what is out of scope (both in terms of application and vulnerabilities). The scanner crawls the application looking for injection, authentication, authorisation, security misconfiguration and other issues. Once the scanning is complete, the scanner provides a user-friendly report with the findings.
Exploitation & Post-Exploitation: This phase includes the validation of findings from the scan report and the information gathering phase. We attack the target, remove the false positives and take a POC for the real vulnerabilities. We calculate the risk rating using the CVSS scoring system and prioritise the vulnerabilities.
Reporting: The report includes the overall findings, which are well documented. The first few pages should describe the overall summary, followed by detailed findings, which include the real issue, impact, POC, steps to reproduce, mitigation steps and CVSS score.