
Penetration Testing - Sample Penetration Testing Test Cases

In the previous article we looked at “Estimation Guidelines For Testing“. Today we look at what penetration testing is and at sample test cases for penetration testing.

What is Penetration Testing?
“Penetration testing is also known as pen testing. Pen testing is the practice of testing a web application, computer system or network to find vulnerabilities that an attacker could exploit.”

It is a practical and accepted method of measuring the security of an IT infrastructure by safely trying to exploit vulnerabilities, which include operating system, service and application flaws, improper configurations, and risky end-user behavior. These assessments also help validate the effectiveness of defensive mechanisms and end users’ adherence to security policies.
Details of any vulnerabilities found through penetration testing are typically aggregated and presented to network and systems managers so that they can take remedial measures.

What Are The Possible Causes Of Vulnerabilities?

  1. Defects introduced during the design and development phases
  2. Improper system configuration
  3. Human errors


Advantages Of Penetration Testing:

  1. Intelligently manage vulnerabilities
  2. Reduce the cost associated with network downtime
  3. Meet regulatory requirements and avoid fines
  4. Maintain a positive image of the company
  5. Assess network efficiency
  6. Upgrading existing infrastructure might introduce vulnerabilities, which pen testing can identify.

Automated tools can detect the standard vulnerabilities that are often present in a system. Pen test tools can be used to check for security weaknesses that might be present in an application, in areas such as data encryption techniques and hard-coded values like usernames and passwords. At times, these tools report a security issue even though no such issue actually exists (a false positive).


Qualities Of A Penetration Tester:

  1. Select a suitable set of tools to balance cost and benefits.
  2. Adhere to suitable procedures by adopting proper planning and implementation.
  3. State potential risks and findings clearly in the final report and offer methods to mitigate risks.
  4. Keep oneself updated at all times.


Some Of The Popular Penetration Testing Tools Are:


Penetration Testing Test Cases:

  1. Track data transmitted across the wire
  2. Track data stored in files
  3. Check for secret passwords saved by a programmer in a secret file
  4. Check whether error pages and error conditions expose any data that might help a hacker
  5. Check whether binary files contain any sensitive information
  6. Check URLs for sensitive data
  7. Check whether internal servers contain sensitive information
  8. Check whether the application returns more data than is needed
  9. Check for multistage elevation
  10. Check for weak discretionary ACLs
  11. Check for buffer overflows
  12. Attempt to modify execution flow, for instance serial key validation
  13. Try to identify calls to insecure functions or methods
  14. Attempt to overflow the protocol, server name, file name, query string and file extension
  15. Check for canonicalization attacks, such as using / and \ to access root directories or using environment variables to denote a path
  16. Check for DoS attack strategies, such as changing expected data types, repeating the same action over and over, and attempting to connect to the server concurrently
  17. Check for XML injection attacks, such as crashing the XML parser, XQuery injection and XML external entity attacks
  18. Check for format string attacks
  19. Check for spoofing attacks, such as changing the MAC address and IP address
  20. Check for HTML script injection attacks
  21. Check for COM and ActiveX attacks
  22. Check for code disassembly, such as algorithm reversing, analysis of security updates and patching binaries
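
Test case 15 can be turned into a repeatable check of your own file-handling code. The sketch below is an added example, not part of the original article: `canonical_within`, `run_samples` and the sample paths are constructed for illustration, and it also undoes nested percent-encoding, which goes slightly beyond the `/`, `\` and environment-variable cases named in the list.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# $VAR, ${VAR} and %VAR% style environment references
ENV_REF = re.compile(r"\$\{?\w+\}?|%\w+%")

def canonical_within(root, user_path, max_decode=3):
    """Return the resolved path if user_path stays under root, else None."""
    decoded = user_path
    for _ in range(max_decode):              # undo nested percent-encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return None                          # still changing after max_decode passes
    if "\x00" in decoded or ENV_REF.search(decoded):
        return None                          # never expand variables taken from input
    normalized = decoded.replace("\\", "/")  # treat \ and / alike
    if normalized.startswith("/") or re.match(r"[A-Za-z]:", normalized):
        return None                          # absolute path or drive letter
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, normalized))
    if os.path.commonpath([root_real, target]) != root_real:
        return None                          # escaped the root via .. or a symlink
    return target

def run_samples():
    """Check constructed inputs against a throwaway root; True means accepted."""
    samples = ["reports/q1.txt", "a/../b.txt", "../etc/passwd", "..\\..\\secret",
               "%252e%252e%252fsecret", "$HOME/.ssh/id_rsa", "%APPDATA%\\x",
               "/etc/passwd", "C:\\Windows\\win.ini", "link/outside.txt"]
    with tempfile.TemporaryDirectory() as root:
        # Constructed symlink that points outside the root
        os.symlink(tempfile.gettempdir(), os.path.join(root, "link"))
        return {s: canonical_within(root, s) is not None for s in samples}

if __name__ == "__main__":
    for sample, accepted in run_samples().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {sample}")
```

The decision is made on the fully resolved path, so the same function covers `..` sequences, mixed separators and symlinks without a separate pattern for each.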


Different Penetration Testing Types:

COM and ActiveX attacks

ActiveX controls are often loaded on a system when a person browses the web or installs specific applications such as a media player. They are regarded as a way to extend browser features to perform actions that a browser cannot usually perform through HTML. They therefore need to be tested rigorously so that other websites cannot use the controls.

  1. Check for SITELOCK
  2. Check the error handling mechanism – the tester can identify potential defects that may reveal relevant information
  3. Check for Overflows

Managed Code Vulnerability

Most applications these days still rely on unmanaged code, which is regarded as a serious threat.

  1. Check for UNSAFE blocks
  2. Check for APTCA assemblies
  3. Check for Asserts – in most cases, an assert can be called from partially trusted code.

HTML Script Injection attacks

This can occur in either of two ways:

  1. Cross site scripting
  2. Persisted XSS (script injection)

Common scenarios that a penetration tester should look into:

  1. Inject CR/LF – This is regarded as a common method that may result in HTTP content splitting attacks.
  2. Javascript:alert() or Vbscript:MsgBox()
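
Both scenarios correspond to checks on the output side of an application. The following is an added example, not code from the original article: it refuses CR/LF in header values and restricts link schemes before escaping. The function names, the scheme allowlist and the sample inputs are assumptions made for illustration.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}    # assumption: this app's link policy
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")

def header_value(value):
    """Refuse input that could end the current header and start a new one."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("CR, LF or NUL in header value")
    return value

def safe_href(url):
    """Return url if it is relative or uses an allowlisted scheme, else '#'."""
    # Browsers drop leading control characters and embedded tab/CR/LF before
    # reading the scheme, so the check must look at the same cleaned string.
    cleaned = re.sub(r"[\t\r\n]", "", url.strip(C0_AND_SPACE))
    match = SCHEME.match(cleaned)
    if match and match.group(1).lower() not in ALLOWED_SCHEMES:
        return "#"
    return cleaned

def render_link(url, text):
    """Build an anchor with the href checked and both values HTML-escaped."""
    return '<a href="{}">{}</a>'.format(html.escape(safe_href(url), quote=True),
                                        html.escape(text))

def run_samples():
    """Run the constructed inputs below and return the results."""
    try:
        header_value("en\r\nSet-Cookie: sid=constructed")
        header_ok = True
    except ValueError:
        header_ok = False
    return {
        "header_accepted": header_ok,
        "js": safe_href("Javascript:alert()"),
        "vbs": safe_href("Vbscript:MsgBox()"),
        "obfuscated": safe_href(" \x01java\tscript:alert()"),
        "https": safe_href("https://example.com/a?b=1"),
        "relative": safe_href("/profile?id=7"),
        "link": render_link("javascript:alert()", "<script>alert()</script>"),
    }
```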

Spoofing Attack

A spoofing attack targets a system stealthily on behalf of a third party while the hacker keeps their own identity safe. Spoofing may therefore result in a decision that is based on false details.

  1. Spoofing IP address – In this method, the IP address is altered to conceal the hacker’s identity
  2. Change MAC address – In this method, the hacker alters the MAC address
  3. Change SMTP message – The hacker can get hold of all email-related information

Weak Permissions

  1. The application should be checked from time to time to confirm that permissions are granted only to the right persons.
  2. Check whether there is too much access to files and resources – If any individual who does not have enough authorization is allowed to view the resources, it could seriously affect the security of the application.
  3. Check for multistage elevation – Hackers frequently chain several vulnerabilities to gain higher-level access.
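
The first two checks can be automated on systems that use POSIX mode bits, and the third shows up as a chained finding: a locked-down file inside a directory anyone can write to. This is an added example, not part of the original article; it assumes POSIX permissions rather than Windows discretionary ACLs, and the `SENSITIVE` suffix list and the file layout are constructed for illustration.

```python
import os
import stat
import tempfile

SENSITIVE = (".env", ".pem", ".key", "id_rsa")  # assumption: names treated as secrets

def open_to_all(mode):
    """World-writable, ignoring sticky directories such as /tmp."""
    return bool(mode & stat.S_IWOTH) and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX)

def audit_permissions(root):
    """Return sorted (relative path, finding) pairs for over-broad POSIX mode bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent_open = open_to_all(os.stat(dirpath).st_mode)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue                    # a link's own mode bits are not meaningful
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if open_to_all(mode):
                findings.append((rel, "world-writable"))
            elif parent_open:
                # Chained weakness: the file is locked down, but anyone can replace it.
                findings.append((rel, "replaceable via world-writable parent"))
            if stat.S_ISREG(mode) and mode & stat.S_IROTH and name.endswith(SENSITIVE):
                findings.append((rel, "secret readable by all users"))
    return sorted(findings)

def run_samples():
    """Build a constructed tree with known modes and audit it."""
    layout = {"app/run.sh": 0o755, "app/.env": 0o644, "app/tls.key": 0o600,
              "uploads/job.sh": 0o700, "shared.log": 0o666}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "app"), 0o755)
        os.chmod(os.path.join(root, "uploads"), 0o777)
        return audit_permissions(root)

if __name__ == "__main__":
    for rel, finding in run_samples():
        print(f"{finding:40} {rel}")
```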


Over to you:

Have you worked on penetration testing? If yes, please share your experience in the comments below.


26 comments to Penetration Testing – Sample Penetration Testing Test Cases

  • Ram


    • @Ram, @hacker – trying to apply Penetration test cases on our website…

  • hacker

    alert(‘Thanks for sharing all tools details’)

  • Kevin

    The pen testing is one of my favorite type of testing. You presented information in very good manner with a huge list of useful tools. This is really appreciated and useful helpful for pen testers like me.

  • Hardcore Tester

    From above penetration testing tool list please distinguish the open source and paid tools. Also can you please recommend any tool?

    Hardcore Tester

  • hacker


  • daniel

    Thanks for sharing penetration testing tools, nice to have such valuable list.

  • Akshat

    I am working in penetration testing from last 3 years and I really appreciated the points are covered in this article.
    Many of the readers are asking one common question is that which tool should we use for Pen-testing. If you compare windows and linux then linux has tons of tools for penetration testing as compared to windows. Use kali, bugtraq for linux.

  • Syed K

    I never worked on penetration testing however I am very much interested on pen-testing, so could you please share the sample application where I can execute the above list of test suites.

  • Supriya

    Thanks for sharing such a wonderful article.

  • Zaheer

    hello friends, I am working on testing web site testing where I want to plan my pen-testing on same website application. Please let me know which tool is best to test the security feature of web app like login, session, cookies etc.

  • Nayana

    thanks stc, I am started learning Penetration testing using this article. Many things are cleared and getting good in depth knowledge from your article. thank you again.

  • Shannu

    You are doing this for noble cause. I am thanking you from all freshers for your efforts and doing very good job. Keep posting such nice articles.

  • pradnya

    I want to appear for ISTQB exam, could you please share the steps to apply for ISTQB certification exam?

  • Sanjeev U

    Its very great to sharing valuable information for Pen-Testing. Really its very useful.

  • Supriya

    If I want to say all about article in one word then I can say “Superb…”

  • Lata

    I am looking for good online testing courses for Penetration testing, please suggest the courses.

  • Madan

    Thank you so much STC for this article. The test cases are very good and many more detailed level covered here.

  • Kushal

    The list of cases are nice and detailed and helpful for a tester like me.
    thank you for posting such a useful content.

  • Soeib

    Thanks for the valuable information.

  • Shridhar

    Excellent info, really appreciated your work.
    Great Job !!!

  • Mallikarjun

    Hi STC,
    Simply great article. How you can manage to write such a clear and easy to understand articles, Thanks

  • Jyoti

    Do you have online courses on Penetration testing or etl testing.
    Please share the details.


  • Shriya

    Beautiful cases, simple and really helpful.

  • Saran

    thanks for valuable information

  • Thanks all who appreciated our efforts… It is not possible without valuable readers like you guys.
