Update 2-4-3-Pentest.md

julio-cfa · web-flow · commit 57d73cdeecc5 · 2024-06-24T23:00:24.000+02:00
diff --git a/current-version/2-Process/2-4-Operation/2-4-3-Pentest.md b/current-version/2-Process/2-4-Operation/2-4-3-Pentest.md
@@ -1,6 +1,6 @@
 ### Penetration Test
 
-A penetration test, or pen test, is a simulated attack on systems and applications to identify exploitable vulnerabilities. It involves attempting to breach web and mobile applications, APIs, network devices, workstations, servers and more, uncovering issues like SQL injection, code injection, XSS and privilege escalation.
+A penetration test, or pen test, is a simulated attack on systems and applications to identify exploitable vulnerabilities. It involves testing web and mobile applications, APIs, network devices, workstations, servers and more, uncovering issues like SQL injection, code injection, XSS and privilege escalation.
 
 While penetration testers use automated tools for scanning and information gathering, most testing is conducted manually. Manual testing is crucial for detecting vulnerabilities related to business logic and other issues that automated scans might miss.
 
@@ -12,7 +12,7 @@ A penetration test can be approached in three ways: black-box, gray-box, or whit
 
 - **Black-box:** Testers have no prior information about the application, except possibly an IP address or domain.
 - **Gray-box:** Testers are given additional information, such as credentials for test accounts. This approach balances cost and effectiveness, providing deeper insights without the high expense of white-box testing. It should be the preferred approach most of the time.
-- **White-box:** Testers have full access to all available information, including the application's source code.
+- **White-box:** Testers have full access to all information about the asset being tested, including the application's source code.
 
 Regardless of the approach, penetration testers will generally follow publicly-available and/or internal checklists and testing guides. The most popular ones are:
 
@@ -22,14 +22,24 @@ Regardless of the approach, penetration testers will generally follow publicly-a
 - [OWASP Top 10 API](https://owasp.org/API-Security/editions/2023/en/0x11-t10/) - Most common security risks and vulnerabilities for APIs.
 - [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/) - A list containing the most common and impactful mobile application security vulnerabilities.
 
+### Tools
+
+There are several tools that can help while performing penetration test against applications. The most common are:
+- [BurpSuite](https://portswigger.net/burp) - A comprehensive software tool used for web application security testing. Key features include a proxy for intercepting and modifying web traffic, a scanner for automated vulnerability detection and tools for performing manual testing, such as repeater, intruder and so forth.
+- [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org) - An open-source web proxy similar that has features similar to BurpSuite's.
+- [Postman](https://www.postman.com/) - API testing tool that allows sending various HTTP requests, manipulating headers and automating tests. It helps identify vulnerabilities like authentication issues and data exposure, integrating with other security tools for comprehensive analysis.
+- [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) - Automated, open-source tool for security testing and analyzing mobile applications, supporting both Android and iOS platforms.
+
 ### Process Overview
 
 #### Assembling the team
+
 The composition of the penetration testing team is very important. It can either consist of:
 - **Internal:** cybersecurity professionals who understand the organization's systems and policies intimately.
-- **External:** hired for their specialized skills and objectivity, which can bring fresh perspectives and expertise in identifying vulnerabilities that internal teams might overlook.
+- **External:** third-party hired for their specialized skills and objectivity, which can bring fresh perspectives and expertise in identifying vulnerabilities that internal teams might overlook.
 
 #### Defining a scope
+
 After assembling the penetration testing team, the organization must meticulously define the scope of the test. This step is critical to avoid deviations from the planned objectives or unintended testing of additional assets and endpoints. Scope definition entails:
 - Decide between black-box, gray-box, or white-box methodologies.
 - Establish clear timelines for the testing phases.
@@ -38,42 +48,44 @@ After assembling the penetration testing team, the organization must meticulousl
 - Define the requirements - e.g. testing accounts, credentials, documentation, etc.
 
 #### Requirements
+
 Once the scope and dates are defined, the penetration testing team will communicate their requirements to the organization. These may include testing credentials, application documentation, source code access and other necessary resources. It is crucial for the organization to promptly provide all requested information and access before testing begins to ensure a smooth and effective penetration testing process.
 
 #### Execution
+
 After receiving the necessary requirements, such as credentials and documentation, the penetration testing team will begin assessing the system or application. It is crucial for the penetration testing team to:
 
 - Notify the organization immediately if their tests cause any disruption to a system, especially if it is in production, to mitigate potential impacts on business operations.
 - Report any critical vulnerabilities discovered promptly to the organization, as these could have significant financial and/or reputational consequences, allowing for swift remediation and risk management.
-- If the penetration testing team finds any indicators of compromise (IoC) that an incident may have happened, they must notify the organizatio immediately.
-
+- If the penetration testing team finds any indicators of compromise (IoC) that an incident may have happened, they must notify the organization immediately.
 
 #### Reporting
+
 Upon completing all tests, the penetration testing team will begin compiling a comprehensive report. This report should be structured as follows:
 
 - Cover
 - Table of Contents
+- Executive Summary
 - General Information
   - Penetration Testing Team
   - Methodology
-  - Scope 
-- Executive Summary
+  - Scope
 - Vulnerabilities
   - Title
   - Severity
   - Description
+  - Proof of Concept (with screenshots)
   - Impact
   - Mitigation
   - References
 - Conclusion
 
-### Tools
-There are several tools that can help while performing penetration test against applications. The most common are:
-- [BurpSuite](https://portswigger.net/burp) - A comprehensive software tool used for web application security testing. Key features include a proxy for intercepting and modifying web traffic, a scanner for automated vulnerability detection and tools for performing manual testing, such as repeater, intruder and so forth.
-- [OWASP ZAP](https://www.zaproxy.org) - An open-source web proxy similar that has features similar to BurpSuite's.
-- [Postman](https://www.postman.com/) - API testing tool that allows sending various HTTP requests, manipulating headers and automating tests. It helps identify vulnerabilities like authentication issues and data exposure, integrating with other security tools for comprehensive analysis.
-- [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) - Automated, open-source tool for security testing and analyzing mobile applications, supporting both Android and iOS platforms.
+#### Retesting
+
+Lastly, after delivering the report and initiating the vulnerability management process, the penetration testing team will retest all vulnerabilities that developers consider fixed. This retesting ensures that each vulnerability has been successfully addressed and that no bypasses to the newly implemented security controls exist.
 
 ### References
+
+- [Awesome Penetration Testing](https://github.com/enaqx/awesome-pentest)
 - [OWASP Penetration Testing Methodologies](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies)
 - [The Penetration Testing Execution Standard (PTES)](http://www.pentest-standard.org/index.php/Main_Page)
