Penetration test phases

When you run a penetration test of a web application, you can generalize several steps. Each of them is characterized by the use of different tools and the same result obtained. It can also be noted that individual phases do not always occur closely after each other. Most often, however, results obtained from one stage are often inputs for the next stage. The graph below shows the extracted phases of the penetration test: The first phase of the web application penetration test is mainly to gather as much information as possible about the web application being attacked. Anyone, even at first, who seems trivial, can be crucial in finding and exploiting potential errors. This will mainly include information about the technologies used, network identification and the operating system. The next phase focuses on discovering the entire application, learning its logic and all the functionalities. This is necessary to correctly evaluate and distinguish security errors from the correct and expected results of the application. Next is the phase of finding potential errors. This is done by performing various types of tests. This allows you to determine whether a given application functionality can be used in a dangerous way. The phase of exploiting the errors found continues. It is here that the penetration tester prepares the attack vector for any profit – e.g. by obtaining sensitive information. Depending on the results obtained, the attacker assesses the criticality of the vulnerability detected. The last and most important from the customer's point of view is the phase of accurately documenting the detected vulnerabilities and preparing a report on the conducted studies. The prepared document should be written in a universal language that is understandable to both technical and managerial staff. To make difficult decisions easier, describe the vulnerabilities detected in a way that shows the impact on your business.