Life-Lab

Penetration testing (pentest) of the website

A modern website is a system with a complex architecture, typically containing around 20 vulnerabilities that can be exploited by attackers. 62% of websites are susceptible to vulnerabilities with medium or high risk levels.

On a corporate or government agency website, it is essential to protect publicly available information against distortion and destruction, and to prevent access to it from being blocked. To prevent such illegal actions, websites must be regularly analyzed for security and their defenses monitored. After all, virtually any web service is an open window into an organization's systems. Monitoring the security of government websites, GIS operators, and critical information infrastructure is mandatory.

The aim of penetration testing is to compile a list of vulnerabilities that an attacker could exploit and to verify whether they can actually be exploited.

Actions to be taken include:

  • information gathering and initial analysis;
  • configuration testing;
  • authentication system testing;
  • authorization mechanism testing;
  • session management mechanism testing;
  • verification of alternative access control methods;
  • transport layer security testing;
  • data handling testing;
  • client-side security mechanism testing.

The complete list of tasks depends on the initial data and the requirements for the pentest.

Execution Options

Black box – the pentester has a general understanding of the target from open sources. Simulates the actions of attackers.

Gray box – the pentester possesses knowledge about the target. The level and depth of this knowledge are determined by the client. Simulates the actions of attackers.

White box – the pentester has administrator access and a complete understanding of the infrastructure under attack. Simulates the actions of attackers.

Work Stages

Information Gathering — collecting data about the client from open sources, and about the access levels of its employees.

Technical Base Search — defining and gathering data about technical and software resources.

Vulnerability and Threat Analysis — identifying vulnerabilities in security systems and software using specialized programs and utilities.

Data Exploitation and Processing — simulating a real attack to gain information about existing vulnerabilities for further analysis, as well as gathering data on possible system breach timelines and calculating economic risks.

Report Generation — the result of the pentest is a list of identified vulnerabilities and configuration errors in security measures, with detailed descriptions of the causes, probabilities, and consequences of exploitation, a criticality assessment, estimated economic losses, and recommendations for remediation.

Prices

Website Pentest

from 100 000
