Penetration testing is a mechanism for demonstrating that network defenses are functioning as intended. It is also a way to test applications, networks, and computer systems in order to identify security vulnerabilities that may be exploited, so that unauthorized access, alteration, and exploitation of systems can be prevented. So what does the penetration test procedure involve? The following is a detailed introduction.
Penetration testing follows the basic process of software testing, but its testing process and targets are special. The specific implementation mainly includes the following steps:
- Define your goals
When the tester receives a project that needs a penetration test, the first task is to determine the test requirements, such as whether the test targets business logic vulnerabilities, personnel management permission vulnerabilities, and so on. Next, determine the penetration test scope required by the customer, such as the IP segment, the domain name, and whether the whole site or only some modules are to be tested. Finally, determine the penetration test rules: how far the penetration may go, whether to stop at confirming a vulnerability or to continue using it for further testing, whether data destruction is allowed, whether privilege escalation is allowed, and so on.
- Collect information
In the information gathering phase, try to collect all kinds of information about the project software. For example, for a Web application, you might want to collect script types, server types, database types, frameworks used by the project, open source software, and so on. Information collection is very important for penetration testing: the more information we have about the target program, the better the vulnerability detection we can carry out.
There are two information collection methods: active collection and passive collection.
- Scan for vulnerabilities
At this stage, the collected information is comprehensively analyzed and the target program is scanned with the help of scanning tools to find the existing security vulnerabilities.
- Verify vulnerabilities
In the vulnerability scanning phase, testers will get a lot of reported security vulnerabilities for the target program, but these can be false positives. Testers need to build a simulated test environment based on the actual situation to verify them. Only when a security flaw has been confirmed can it be used to carry out an attack.
- Analyze the information
Verified security vulnerabilities can be used to launch attacks on the target program, but different vulnerabilities have different attack mechanisms. Each one needs further analysis and a detailed attack plan, so as to ensure the smooth execution of the test.
- Penetration attack
The penetration attack is a real attack on the target program, carried out to achieve the purpose of the test, such as obtaining user account passwords or intercepting data transmitted by the target program. A penetration test is a one-time test, and cleanup is performed after the attack is complete.
- Organize information
After the penetration attack is completed, the information obtained by the attack is sorted out to provide a basis for the subsequent compilation of test reports.
- Write reports
After the test is complete, a report should be prepared that describes the security test objectives, the information collection methods, the vulnerability scanning tools and the vulnerabilities found, the attack plans, the actual attack results, and so on. In addition, the vulnerabilities of the target program should be analyzed in order to provide safe and effective solutions.
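The scope and rules agreed in the first step can be written down as data and checked before any later step touches a target. The following is an added example, not part of the original article: the `Engagement` class, the action names, and all addresses, domains and findings are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Engagement:
    """Scope and rules agreed with the customer in the first step."""
    networks: tuple = ()                     # authorized IP segments (CIDR)
    domains: tuple = ()                      # authorized domains, subdomains included
    allow_exploitation: bool = False         # continue past confirming a flaw?
    allow_privilege_escalation: bool = False
    allow_data_destruction: bool = False

    def in_scope(self, target: str) -> bool:
        host = target.strip().lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # Hostname: match the domain or a subdomain on a label boundary,
            # so "notshop.example.test" does not match "shop.example.test".
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return any(addr in ipaddress.ip_network(n) for n in self.networks)

    def permits(self, action: str) -> bool:
        rules = {
            "confirm": True,
            "exploit": self.allow_exploitation,
            "escalate": self.allow_privilege_escalation,
            "destroy_data": self.allow_data_destruction,
        }
        return rules.get(action, False)      # unknown actions are denied

def triage(engagement, findings):
    """Sort scanner findings into out-of-scope, awaiting verification, confirmed."""
    buckets = {"out_of_scope": [], "to_verify": [], "confirmed": []}
    for f in findings:
        if not engagement.in_scope(f["target"]):
            buckets["out_of_scope"].append(f)
        elif f.get("verified"):
            buckets["confirmed"].append(f)
        else:
            buckets["to_verify"].append(f)
    return buckets

# Constructed sample data: reserved .test names and private addresses.
ENGAGEMENT = Engagement(networks=("10.20.0.0/24",), domains=("shop.example.test",))
FINDINGS = [
    {"target": "10.20.0.15", "issue": "outdated TLS configuration", "verified": True},
    {"target": "api.shop.example.test", "issue": "verbose error page", "verified": False},
    {"target": "10.20.1.7", "issue": "open admin panel", "verified": False},
]
```

Only findings in the `confirmed` bucket move on to attack planning, and only if `permits("exploit")` is true for the engagement; out-of-scope findings are recorded for the report and not tested.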