
Penetration Testing


What Is Penetration Testing

Penetration testing (pen testing) is a practical security assessment method that attempts to infiltrate systems and networks using the same techniques as real attackers to discover security weaknesses.

The purpose of penetration testing is to identify actual attack paths that cannot be found through theoretical assessments, and to verify how effective an organization's security measures are against real attacks. It demonstrates how individual vulnerabilities detected through vulnerability management can chain together to lead to a breach.

The scope of testing spans web applications, network infrastructure, mobile apps, cloud environments, physical security, and social engineering. The test targets and scope must be clearly agreed upon and defined in writing beforehand.

Test Types and Execution Process

Penetration tests are classified into three types based on the amount of prior information given to the tester.

Black Box Testing: No prior information is given to the tester, who attempts infiltration under the same conditions as an external attacker. This is closest to a real attack scenario but requires more time and cost.

White Box Testing: Internal information such as source code, network diagrams, and credentials is provided to the tester. This enables efficient discovery of deep vulnerabilities but weakens the external attacker's perspective.

Gray Box Testing: An intermediate approach where limited information (such as a regular user account) is provided. This is the most balanced and commonly adopted approach in practice.

The execution process follows PTES (Penetration Testing Execution Standard): (1) pre-engagement and scope definition, (2) intelligence gathering (reconnaissance), (3) vulnerability identification, (4) exploitation, (5) privilege escalation and lateral movement, and (6) report writing.

Key Attack Techniques and Commonly Found Vulnerabilities

Here are representative attack techniques used in penetration testing and frequently discovered vulnerabilities.

Web Applications: Major attack targets include Cross-Site Scripting (XSS), SQL Injection, authentication and authorization flaws, CSRF, SSRF, and insecure deserialization. The OWASP Top 10 serves as a comprehensive reference list.

Network: Tests verify unnecessary open ports, use of outdated protocols, default credentials left unchanged, unencrypted communications, and network segmentation deficiencies.

Authentication and Authorization: Tests verify weak password policies, lack of multi-factor authentication, privilege escalation possibilities, and session management flaws.

Social Engineering: Techniques that exploit human psychological weaknesses, such as sending phishing emails, phone-based information extraction, and physical intrusion testing. These make visible the threats that technical measures alone cannot prevent.

While discovering a zero-day vulnerability during a test is rare, finding unexpected attack paths through combinations of known vulnerabilities is not uncommon.

Leveraging Test Results and Practical Considerations

A penetration testing report includes a list of discovered vulnerabilities, risk assessments (CVSS scores, etc.), detailed attack paths, reproduction steps, and recommended countermeasures.

The response after receiving the report is the most important part. Prioritize discovered vulnerabilities by severity and develop a remediation plan. After remediation, conduct a retest to confirm that vulnerabilities have been definitively resolved.
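The triage step described above, as an added example that is not part of the original article: findings from a report are banded by CVSS base score (the published CVSS v3.x qualitative ranges), ordered into a remediation queue, and tracked until each fix is confirmed by a retest. The findings, reference numbers and titles are constructed sample data; the `chained` flag is an assumed field marking a finding that appears in one of the report's demonstrated attack paths.

```python
from dataclasses import dataclass


def severity_band(cvss: float) -> str:
    """Map a CVSS v3.x base score to its published qualitative rating."""
    if cvss <= 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    ref: str                  # report reference (constructed)
    title: str
    cvss: float
    chained: bool = False     # assumed field: part of a demonstrated attack path
    remediated: bool = False  # fix applied by the owning team
    retested: bool = False    # fix confirmed by a retest


def remediation_queue(findings):
    """Order findings for remediation: highest CVSS first; among equal scores,
    findings that form a link in a demonstrated attack path come first."""
    return sorted(findings, key=lambda f: (-f.cvss, not f.chained, f.ref))


def retest_backlog(findings):
    """Findings that were fixed but not yet confirmed closed by a retest."""
    return [f for f in findings if f.remediated and not f.retested]


def open_findings(findings):
    """A finding is closed only once it is both remediated and retested."""
    return [f for f in findings if not (f.remediated and f.retested)]


def band_counts(findings):
    """Count still-open findings per severity band for the remediation plan."""
    counts = {}
    for f in open_findings(findings):
        band = severity_band(f.cvss)
        counts[band] = counts.get(band, 0) + 1
    return counts


# Constructed sample findings, as they might appear in a report's summary table
SAMPLE_FINDINGS = [
    Finding("F-01", "SQL injection in login form", 9.8, chained=True),
    Finding("F-03", "Outdated TLS configuration", 7.5),
    Finding("F-02", "Default credentials on admin interface", 7.5, chained=True),
    Finding("F-04", "Missing rate limiting on password reset", 5.3, remediated=True),
    Finding("F-05", "Verbose error messages", 3.1, remediated=True, retested=True),
]

if __name__ == "__main__":
    for f in remediation_queue(SAMPLE_FINDINGS):
        print(f"{f.ref} {severity_band(f.cvss):8} {f.cvss:4}  {f.title}")
    print("awaiting retest:", [f.ref for f in retest_backlog(SAMPLE_FINDINGS)])
    print("open by band:", band_counts(SAMPLE_FINDINGS))
```

The queue uses severity as the primary key and the attack-path flag only as a tie-breaker, which keeps the order explainable to the teams doing the fixing; a finding leaves the open set only when the retest confirms it, matching the report's "remediate, then retest" sequence.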

Practical considerations:

  • Clearly agree on the test scope and prohibited actions in writing. Attacking systems outside the scope can lead to legal issues
  • When testing in production environments, consider the risk of service disruption and conduct tests during low-impact time windows
  • In cloud environments, review the cloud provider's penetration testing policy in advance (AWS does not require prior approval, but certain attack techniques are prohibited)
  • Including WAF effectiveness verification in the test scope helps confirm the actual effectiveness of defenses
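The scope and time-window considerations in the list above, as an added example that is not part of the original article: the written rules of engagement are kept in machine-readable form, and every planned (host, action) pair is vetted against the agreed ranges, the client's carve-outs, the prohibited actions and the production test window before anything is run. The address ranges, excluded host, actions and window are constructed sample values (documentation address space, not real targets), and `RulesOfEngagement` and `vet_plan` are names chosen for this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RulesOfEngagement:
    """Machine-readable copy of the written scope agreement (constructed fields)."""
    in_scope: list                                        # CIDR ranges authorised in writing
    excluded_hosts: set = field(default_factory=set)      # carve-outs inside those ranges
    prohibited_actions: set = field(default_factory=set)  # e.g. {"dos"} on a cloud engagement
    test_window_utc: tuple = (0, 24)                      # [start, end) hours for production tests

    def __post_init__(self):
        self._networks = [ipaddress.ip_network(c, strict=False) for c in self.in_scope]
        self._excluded = {ipaddress.ip_address(h) for h in self.excluded_hosts}

    def host_in_scope(self, host: str) -> bool:
        addr = ipaddress.ip_address(host)
        if addr in self._excluded:
            return False
        return any(addr in net for net in self._networks)

    def action_allowed(self, action: str) -> bool:
        return action not in self.prohibited_actions

    def in_window(self, hour_utc: int) -> bool:
        start, end = self.test_window_utc
        return start <= hour_utc < end


def vet_plan(roe, planned, hour_utc):
    """Partition planned (host, action) pairs into approved work and rejected items.

    Rejected items carry the reason so they can go back to the client as a
    request for a written scope amendment instead of being run regardless.
    """
    approved, rejected = [], []
    for host, action in planned:
        if not roe.in_window(hour_utc):
            rejected.append((host, action, "outside agreed test window"))
        elif not roe.host_in_scope(host):
            rejected.append((host, action, "host not in written scope"))
        elif not roe.action_allowed(action):
            rejected.append((host, action, "action prohibited by rules of engagement"))
        else:
            approved.append((host, action))
    return {"approved": approved, "rejected": rejected}


# Constructed sample agreement and test plan
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/28"],
    excluded_hosts={"203.0.113.10"},   # shared database host carved out by the client
    prohibited_actions={"dos"},        # denial-of-service testing not permitted
    test_window_utc=(1, 5),            # low-traffic night window for production
)

SAMPLE_PLAN = [
    ("203.0.113.5", "port_scan"),
    ("203.0.113.10", "port_scan"),     # excluded host
    ("192.0.2.7", "port_scan"),        # never in scope
    ("203.0.113.6", "dos"),            # prohibited action
]

if __name__ == "__main__":
    result = vet_plan(SAMPLE_ROE, SAMPLE_PLAN, hour_utc=2)
    for host, action in result["approved"]:
        print("approved", host, action)
    for host, action, reason in result["rejected"]:
        print("REJECTED", host, action, "-", reason)
```

The checks are ordered so that the broadest condition (the time window) is evaluated first and a single reason is reported per item; running the vetting step before each testing phase, rather than once at kickoff, catches targets that creep into the plan as reconnaissance turns up new hosts.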

Penetration testing is recommended at least once a year or after major system changes.

To learn more about this topic, see API Security Basics: Protecting the Backend of Web Services.

Common Misconceptions

Vulnerability scanning and penetration testing are the same thing

Vulnerability scanning uses automated tools to comprehensively scan for known vulnerabilities, efficiently covering a wide range. Penetration testing involves human testers who actually attempt infiltration, demonstrating vulnerability chains and attack paths. The two are complementary: scan broadly with vulnerability scanning and verify deeply with penetration testing.

If a system passes a penetration test, it is secure

Penetration tests are conducted within limited time and scope, so they cannot discover all vulnerabilities. They are merely a snapshot of the security state at the time of testing, and new vulnerabilities are discovered daily. Continuous vulnerability management and regular repeated testing are necessary.

Penetration Testing vs. Vulnerability Scanning

Penetration Testing

Human testers actually attempt infiltration. Demonstrates vulnerability chains and attack paths. Enables deep analysis but requires more time and cost. Typically conducted 1-2 times per year.

Vulnerability Scanning

Automated tools comprehensively detect known vulnerabilities. Efficiently covers a wide range. Requires review of false positives. Suitable for regular monthly or quarterly execution.
