Penetration Testing main flow

Requirements clarification phase:

Communicate with the customer. How deep should the penetration test go? Why is the test being done? What restrictions must be observed during testing? What is the customer's main business, and what are they most concerned about? What is the test scope: what can be tested and what cannot? Agree on the test time, the location, the contact persons and so on. Obtain a "get out of jail free" authorization (agree in advance on who bears responsibility if an accident occurs).
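
As an added example (not from the original post), the scope, exclusions, test window and authorization agreed in this phase can be recorded as data and checked before any target is touched. The addresses, times and the `check_target` helper are constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed rules of engagement; every value here is a placeholder.
ROE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10/32"],
    "out_of_scope": ["203.0.113.50/32"],   # a host the customer excluded
    "window": ("2024-01-15T22:00", "2024-01-16T06:00"),  # agreed test time
    "authorization_signed": True,          # the "get out of jail free" letter
}

def check_target(target, when, roe=ROE):
    """Return (allowed, reason) for testing `target` at datetime `when`."""
    if not roe.get("authorization_signed"):
        return False, "no signed authorization"
    try:
        addr = ip_address(target)
    except ValueError:
        # Hostnames can resolve to hosts nobody agreed to test.
        return False, "not an IP address; confirm with the customer"
    # Exclusions win over inclusions, so a carve-out inside a
    # scoped range is honoured.
    if any(addr in ip_network(n) for n in roe["out_of_scope"]):
        return False, "explicitly out of scope"
    if not any(addr in ip_network(n) for n in roe["in_scope"]):
        return False, "not listed in scope"
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    if not (start <= when <= end):
        return False, "outside agreed test window"
    return True, "in scope"

if __name__ == "__main__":
    night = datetime(2024, 1, 15, 23, 0)
    for t in ("203.0.113.7", "203.0.113.50", "192.0.2.1", "example.com"):
        print(t, check_target(t, night))
```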

Information gathering phase:

Collect and analyze all publicly available information. What is the website's IP address? What operating system does the site run? What scripting language does it use? Are there other sites on the same server?

Threat modeling phase:

Based on the information collected, work out the various ways the customer could be damaged. For example, if the customer makes billing software, we would try to steal the source code of the software they have developed and tested; if that source code were made public, the business would collapse.

Vulnerability analysis phase:

Based on the information gathered, which vulnerabilities are likely to exist? Combine tool output with your own analysis to find the possible vulnerabilities.

Vulnerability verification phase:

Use your professional knowledge to verify the vulnerabilities identified in the previous two phases.

In-depth attack phase:

Extend the attack from the vulnerabilities found to show how much harm they can cause. The customer may not care much that you cracked one user's password, but they will care a great deal that the cracked account can be used to log in to the system, steal all of its information and destroy important documents, to the point of destroying the system.

Report writing phase:

Write a document that records this penetration test.

Origin blog.csdn.net/weixin_38615170/article/details/103956599