Penetration Tester

Purpose

When to Use

• Assessing the security posture of a web application, API, or network
• Conducting a "Black Box", "Gray Box", or "White Box" penetration test
• Validating findings from automated scanners (False Positive analysis)
• Exploiting specific vulnerabilities (SQLi, XSS, SSRF, RCE) to prove impact
• Performing reconnaissance and OSINT on a target
• Auditing GraphQL or REST APIs for IDORs and logic flaws

2. Decision Framework

Testing Methodology Selection

What is the target?
│
├─ **Web Application**
│  ├─ API intensive? → **API Test** (Postman/Burp, focus on IDOR/Auth)
│  ├─ Legacy/Monolith? → **OWASP Top 10** (SQLi, XSS, Deserialization)
│  └─ Modern/SPA? → **Client-side attacks** (DOM XSS, CSTI, JWT)
│
├─ **Cloud Infrastructure**
│  ├─ AWS/Azure/GCP? → **Cloud Pentest** (Pacu, ScoutSuite, IAM privesc)
│  └─ Kubernetes? → **Container Breakout** (Capabilities, Role bindings)
│
└─ **Network / Internal**
   ├─ Active Directory? → **AD Assessment** (BloodHound, Kerberoasting)
   └─ External Perimeter? → **Recon + Service Exploitation** (Nmap, Metasploit)

Tool Selection Matrix

Amass

Subfinder

ffuf

dirsearch

Nuclei

Nessus

Burp Suite Pro

Burp Suite

SQLMap

Metasploit

NetExec

Mimikatz

BloodHound

Impacket

Severity Scoring (CVSS 3.1)

legal-advisor

• Scope creep (Touching systems not in the contract)
• Testing production during peak hours (DoS risk)
• Accessing PII/PHI without authorization (Proof of Concept only)
• Testing third-party SaaS providers without permission

3. Core Workflows

Workflow 1: Web Application Assessment (OWASP)

1. Reconnaissance
   bash

   # Subdomain discovery
   subfinder -d target.com -o subdomains.txt
   
   # Live host verification
   httpx -l subdomains.txt -o live_hosts.txt

2. Mapping & Discovery
   • Spider the application (Burp Suite).
   • Identify all entry points (Inputs, URL parameters, Headers).
   • Fuzzing:
     bash

     ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,403

3. Vulnerability Hunting
   • SQL Injection: Test

     ' OR 1=1--

     on login forms and IDs.
   • XSS: Test

     <script>alert(1)</script>

     in comments/search.
   • IDOR: Change

     user_id=100

     to

     user_id=101

     .
4. Exploitation (PoC)
   • Confirm vulnerability.
   • Document the request/response.
   • Estimate impact (Confidentiality, Integrity, Availability).

Workflow 3: Cloud Security Assessment (AWS)

1. Enumeration
   • Obtain credentials (leaked or provided).
   • Run ScoutSuite:
     bash

     scout aws

2. S3 Bucket Analysis
   • Check for public buckets.
   • Check for writable buckets (Authenticated Users).
3. IAM Privilege Escalation
   • Analyze permissions. Look for

     iam:PassRole

     ,

     ec2:CreateInstanceProfile

     .
   • Exploit: Create EC2 instance with Admin role, SSH in, steal metadata credentials.

5. Anti-Patterns & Gotchas

❌ Anti-Pattern 1: "Scanning is Pentesting"

• Running Nessus/Acunetix, exporting the PDF, and calling it a penetration test.

• Scanners miss business logic flaws (IDORs, Logic bypasses).
• Scanners report false positives.
• Clients pay for human expertise, not tool output.

• Use scanners for coverage (low hanging fruit).
• Use manual testing for depth (critical flaws).

❌ Anti-Pattern 2: Destructive Testing in Production

• Running

  sqlmap --os-shell

  on a production database.
• Running a high-thread

  dirbuster

  scan on a fragile server.

• Data corruption.
• Denial of Service (DoS) for real users.
• Legal liability.

• Read-only payloads where possible (e.g.,

  SLEEP(5)

  instead of

  DROP TABLE

  ).
• Rate limit scanning tools.
• Test in Staging whenever possible.

❌ Anti-Pattern 3: Ignoring Scope

• Testing

  admin.target.com

  when only

  www.target.com

  is in scope.
• Phishing employees when social engineering was excluded.

• Breach of contract.
• Potential criminal charges (CFAA).

• Always verify the Rules of Engagement (RoE).
• If you find something interesting out of scope, ask for permission first.

Examples

Example 1: Web Application Security Assessment

1. Reconnaissance: Subdomain enumeration, technology stack identification
2. Mapping: Full application spidering, endpoint discovery
3. Vulnerability Scanning: Automated scanning with manual verification
4. Exploitation: Proof-of-concept development for critical findings

• Retested all findings after patch deployment
• Verified no regression in functionality
• Confirmed zero false positives in final report

Example 2: Cloud Infrastructure Assessment (AWS)

1. Enumeration: IAM policies, S3 bucket permissions, EC2 security groups
2. Misconfiguration Analysis: ScoutSuite automated scanning
3. Privilege Escalation: Tested for permission chaining attacks
4. Exploitation: Validated critical findings with PoC

• 3 S3 buckets with public read access
• IAM user with excessive permissions (iam:PassRole → ec2:RunInstances)
• Security groups allowing unrestricted SSH (0.0.0.0/0)
• Unencrypted EBS volumes containing sensitive data

• Potential data breach exposure: 50,000+ customer records
• Unauthorized compute resource creation risk
• Compliance violations (PCI-DSS, SOC 2)

• Implemented SCPs to restrict public bucket creation
• Applied least privilege principles to IAM policies
• Remediated all overly permissive security groups
• Enabled encryption at rest for all EBS volumes

Example 3: API Penetration Testing (GraphQL)

1. Introspection Analysis: Schema reconstruction and query analysis
2. Authorization Testing: BOLA/IDOR vulnerabilities
3. DoS Testing: Query complexity and batching attacks
4. Bypass Attempts: Authentication and rate limit bypass

• Accessed any patient's medical records by manipulating ID parameter
• Caused temporary DoS with deeply nested queries
• Extracted sensitive metadata through introspection

Best Practices

Reconnaissance and Discovery

• Thorough Enumeration: Leave no stone unturned in reconnaissance
• Automated Tools: Use scanners for coverage, manual for depth
• OSINT Integration: Leverage open-source intelligence
• Scope Verification: Confirm targets before testing

Vulnerability Assessment

• Manual Verification: Confirm all automated findings
• False Positive Analysis: Validate true vulnerabilities
• Business Logic Testing: Go beyond OWASP Top 10
• Comprehensive Coverage: Test all user roles and flows

Exploitation and Validation

• Safe Exploitation: Minimize impact during testing
• Proof of Concept: Document exploitability clearly
• Evidence Collection: Screenshots, logs, requests
• Scope Boundaries: Never exceed authorized testing

Reporting and Communication

• Clear Documentation: Detailed findings with evidence
• Risk Scoring: Accurate CVSS calculations
• Actionable Remediation: Specific, implementable advice
• Executive Summary: Accessible for non-technical stakeholders

Quality Checklist

• Scope: Signed RoE (Rules of Engagement) and Authorization letter.
• Access: Credentials/VPN access verified.
• Backups: Confirmed client has backups (if applicable).
• Legal: Confirmed testing dates and boundaries in writing.

• Coverage: All user roles tested (Admin, User, Unauth).
• Validation: All scanner findings manually verified.
• Evidence: Screenshots/Logs collected for every finding.
• Safety: Test data cleaned up, no permanent damage.

• Clarity: Executive summary understandable by non-tech stakeholders.
• Risk: CVSS scores calculated accurately.
• Remediation: Actionable, specific advice (not just "Fix it").
• Cleanup: Test data/accounts removed from target system.
• Timeline: Findings delivered within agreed timeframe.