Penetration Testing – Sample Test Cases for Penetration Testing

In the previous article we looked at “Estimation Guidelines For Testing”. Today we concentrate on what Penetration Testing is and on sample test cases for Penetration Testing.

What is Penetration Testing?
“Penetration Testing is also known as Pen Testing. Pen testing is the practice of testing a web application, computer system or network to find vulnerabilities that an attacker could exploit.”

It is a practical and accredited method of measuring the security of an IT infrastructure by safely attempting to exploit its weaknesses, which include operating system, service and application flaws, improper configurations, and risky end-user behavior. These evaluations also help validate the effectiveness of defensive mechanisms and end users’ adherence to security policies.
The details of any security weaknesses found through penetration testing are typically aggregated and presented to network and systems managers so that they can take remedial measures.


What Are The Possible Causes Of Vulnerabilities?

  1. Defects that might be caused during design and development phase
  2. Improper system configuration
  3. Human errors

Advantages Of Penetration Testing:

  1. Intelligently manage vulnerabilities
  2. Reduce the cost associated with network downtime
  3. Meet regulatory requirements and avoid fines
  4. Maintain a positive image of the company
  5. Assess network efficiency
  6. Upgrading existing infrastructure might introduce vulnerabilities, which can be identified by pen testing.

Automation tools can detect the standard vulnerabilities that are often present in a system. Pen test tools can be used to check for security weaknesses that might be present in an application, in areas such as data encryption techniques and hard-coded values like a username and password. At times, these tools may report a security issue even when no such issue actually exists.

Qualities Of A Penetration Tester:

  1. Select a suitable set of tools to balance cost and benefits.
  2. Adhere to suitable procedures by adopting proper planning and implementation.
  3. State potential risks and findings clearly in the final report and offer methods to mitigate risks.
  4. Keep oneself updated at all times.

Some Of The Popular Penetration Testing Tools Are:

Penetration Testing Test Cases:

  1. Track data transmitted across the wire
  2. Track data stored in files
  3. Check for secret passwords saved by a programmer in a secret file
  4. Check whether error pages and error conditions expose any data that might help a hacker
  5. Check whether binary files contain any sensitive information
  6. Check URLs for sensitive data
  7. Check whether internal servers contain sensitive information
  8. Check whether the application returns more data than is needed
  9. Check for multistage elevation
  10. Check for weak discretionary ACLs
  11. Check for buffer overflows
  12. Attempt to modify the execution flow, for instance serial key validation
  13. Try to identify insecure function calls for insecure methods
  14. Attempt to overflow the protocol, server name, file name, query string and file extension
  15. Check for canonicalization attacks, such as using / or \ to reach root directories or using an environment variable to denote a path
  16. Check for DoS attack strategies, such as changing expected data types, repeating the same action over and over, or attempting to connect to the server concurrently
  17. Check for XML injection attacks, such as crashing the XML parser, XQuery injection and XML external entity attacks
  18. Check for format string attacks
  19. Check for spoofing attacks, such as changing the MAC address and IP address
  20. Check for HTML script injection attacks
  21. Check for COM and ActiveX attacks
  22. Check for code disassembly, such as algorithm reversing, analysis of security updates and patching binaries
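
Test case 15 expressed as the check the application under test should pass, added here as an example (not code from the original article): the requested path is canonicalised first and only then compared with the allowed root. The function name resolve_under_root and the root /srv/app/files are assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import unquote


def resolve_under_root(root, requested):
    """Return the canonical path for `requested` if it stays under `root`, else None."""
    # 1. Undo percent-encoding until the value stops changing, so that
    #    %2e%2e and the double-encoded %252e%252e are both seen as "..".
    decoded = requested
    for _ in range(5):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return None  # still changing after five rounds: refuse to guess
    # 2. Treat "\" like "/" (the test case names both separators).
    decoded = decoded.replace("\\", "/")
    # 3. Refuse NUL bytes and environment-variable syntax ($VAR, %VAR%).
    if "\x00" in decoded or "$" in decoded or "%" in decoded:
        return None
    # 4. Refuse absolute paths and drive letters.
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:", decoded):
        return None
    # 5. Collapse "." and ".." and only then test containment.
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, decoded))
    if full == root or full.startswith(root + "/"):
        return full
    return None


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real system.
    for sample in ("reports/q1.pdf", "..\\..\\windows\\win.ini",
                   "%252e%252e/secret", "%SystemRoot%\\system32"):
        print(repr(sample), "->", resolve_under_root("/srv/app/files", sample))
```

A tester can feed the same request variants to the real application and compare its behaviour with what this reference check returns.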

Different Penetration Testing Types:

COM and ActiveX attacks

ActiveX controls are often triggered on the system when a person browses the web or installs specific applications such as a media player. They are often regarded as a way to extend browser features to perform actions that the browser cannot usually perform through HTML. Therefore, they need to be tested rigorously so that other websites cannot use the controls.

  1. Check for SITELOCK
  2. Check the error handling mechanism – the tester can identify potential defects that may reveal relevant information
  3. Check for Overflows

Managed Code Vulnerability

Most applications these days still rely upon unmanaged code, which is regarded as a serious threat.

  1. Check for UNSAFE block
  2. Check for APTCA assemblies.
  3. Check for Asserts - In most cases, an assert can be called from partially trusted code.

HTML Script Injection attacks

This can occur in either of two ways:

  1. Cross site scripting
  2. Persisted XSS (script injection)

Common scenarios that a penetration tester should look into:

  1. Inject CR/LF – This is often regarded as a usual method, which may result in HTTP content splitting attacks.
  2. Javascript:alert() or Vbscript:MsgBox()
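
The two scenarios above, seen from the side of the application being tested (an added example, not code from the original article): one check refuses CR/LF in a value bound for an HTTP header, the other refuses link targets whose scheme is not on an allow-list. The function names, the allow-list and the sample inputs are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumption: site policy


def header_value_is_safe(value):
    """True if `value` can be placed in an HTTP header without splitting it."""
    return not any(ch in value for ch in ("\r", "\n", "\x00"))


def link_is_safe(url):
    """True if `url` is a relative path or uses an allowed scheme."""
    # Browsers drop tab/CR/LF inside a URL and ignore leading control
    # characters and spaces, so strip them before reading the scheme.
    cleaned = re.sub(r"[\t\r\n]", "", url)
    cleaned = cleaned.lstrip("".join(chr(c) for c in range(0x21)))
    parts = urlsplit(cleaned)
    if parts.scheme:
        return parts.scheme.lower() in ALLOWED_SCHEMES
    return not parts.netloc  # relative path only, no //host form


def review_inputs(samples):
    """Return the names of the sample inputs that fail their check."""
    failed = []
    for name, kind, value in samples:
        ok = header_value_is_safe(value) if kind == "header" else link_is_safe(value)
        if not ok:
            failed.append(name)
    return failed


# Constructed sample inputs: (name, kind, value)
SAMPLES = [
    ("lang-plain", "header", "en-US"),
    ("lang-crlf", "header", "en-US\r\nSet-Cookie: sid=constructed"),
    ("link-https", "link", "https://example.com/page"),
    ("link-js", "link", "Javascript:alert()"),
    ("link-vbs", "link", "Vbscript:MsgBox()"),
    ("link-js-tab", "link", " java\tscript:alert()"),
    ("link-relative", "link", "/help/index.html"),
]

if __name__ == "__main__":
    print(review_inputs(SAMPLES))
```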

Spoofing Attack

Targeting a system stealthily on behalf of a third party, while the hacker keeps their own identity safe, is termed a spoofing attack. Hence, spoofing may result in a decision that is grounded on false details.

  1. Spoofing IP address - In this method, the IP address is altered to conceal the hacker’s identity
  2. Change MAC address - In this method, the hacker alters the MAC address
  3. Change SMTP message - The hacker can get hold of all email-related information

Weak Permissions

  1. The application should be checked from time to time to confirm that permissions are granted only to the right persons.
  2. Check if there is too much access on files and resources - If any individual who does not have enough authorization is allowed to view the resources, it could seriously affect the security of the application.
  3. Check for multistage elevation - Hackers frequently chain numerous vulnerabilities to obtain higher-level access.

Over to you:

Have you worked on Penetration Testing? If yes, then please share your experience in the comments below.


26 thoughts on “Penetration Testing – Sample Test Cases for Penetration Testing”

  1. The pen testing is one of my favorite type of testing. You presented information in very good manner with a huge list of useful tools. This is really appreciated and useful helpful for pen testers like me.

  2. From above penetration testing tool list please distinguish the open source and paid tools. Also can you please recommend any tool?

    thanks,
    Hardcore Tester

  3. I have been working in penetration testing for the last 3 years and I really appreciate the points that are covered in this article.
    Many of the readers are asking one common question, which is which tool we should use for pen-testing. If you compare Windows and Linux, then Linux has tons of tools for penetration testing as compared to Windows. Use kali, bugtraq for Linux.

  4. I have never worked on penetration testing; however, I am very much interested in pen-testing, so could you please share a sample application where I can execute the above list of test suites?

  5. Hello friends, I am working on web site testing, where I want to plan my pen-testing on the same website application. Please let me know which tool is best to test the security features of a web app like login, session, cookies etc.

  6. Thanks stc, I have started learning Penetration testing using this article. Many things are cleared up and I am getting good in-depth knowledge from your article. Thank you again.

  7. You are doing this for a noble cause. I am thanking you on behalf of all freshers for your efforts and for doing a very good job. Keep posting such nice articles.

