Internal Penetration Testing Methodology

A penetration test (often shortened to "pentest") is an authorized simulated attack on systems, services, applications, and other assets to evaluate the attack surface and security controls. Penetration testers use the same techniques and tools as real attackers to identify vulnerabilities and demonstrate their potential impact.

The primary difference between vulnerability scanning and penetration testing is the manual aspect. While penetration testers use tools to automate parts of their work, they rely heavily on manual analysis and the exploitation of their targets.

Methodology

There are several methodologies that can be followed, especially when talking about different types of assessments of different types of technologies - e.g. a web application penetration test will be different from a cloud penetration test.

However, regardless of the type of penetration test, we can summarize the process into the following steps:


Scope Definition

During this step, we will define the scope of our penetration test, i.e. which assets will be tested, which environment will be used (e.g. production, staging, our own environment, etc.), who will be involved in the test, dates, and so on. The scope definition phase will likely involve the owner, a product manager, and perhaps developers of the asset being tested. Once the scope is defined, the penetration test can start.

Information Gathering

Once the penetration test has started, the testers will collect information about the assets in scope. This can be done in a passive and/or active manner.

By passive information gathering we mean that the testers won't interact with the asset directly. Rather, they will collect information from different sources. For example, a tester can use crt.sh (Certificate Search) to look for TLS certificates issued for a given domain and find subdomains related to it.
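As an added example (not part of this page or Rocket.Chat's tooling), the following script parses the JSON that crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json and splits the discovered hostnames into in-scope and out-of-scope sets, so that names which merely share a certificate with the target are not tested outside the agreed scope. The input is a constructed sample, so it runs offline; the domain example.com and the certificate contents are assumptions.

```python
import json
from typing import Iterable

# Constructed sample of crt.sh JSON output (a few records only; the real
# response has many more entries and fields).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.staging.example.com",
     "name_value": "*.staging.example.com\napi.staging.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "legacy.example.com",
     "name_value": "legacy.example.com\nold-example.net"},
])


def hostnames_from_crtsh(body: str) -> set[str]:
    """Extract every hostname from a crt.sh JSON response.

    crt.sh packs all Subject Alternative Names of a certificate into the
    single newline-separated ``name_value`` field, so one record may yield
    several names. Wildcards are kept so the reader can see where a wildcard
    certificate covers hosts that never appear individually.
    """
    names: set[str] = set()
    for record in json.loads(body):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name:
                names.add(name)
    return names


def split_by_scope(names: Iterable[str], scope_domain: str) -> tuple[list[str], list[str]]:
    """Partition hostnames into those equal to or under scope_domain and the rest."""
    scope_domain = scope_domain.lower()
    in_scope, out_of_scope = [], []
    for name in names:
        bare = name[2:] if name.startswith("*.") else name
        if bare == scope_domain or bare.endswith("." + scope_domain):
            in_scope.append(name)
        else:
            out_of_scope.append(name)
    return sorted(in_scope), sorted(out_of_scope)


if __name__ == "__main__":
    ok, outside = split_by_scope(hostnames_from_crtsh(SAMPLE_CRTSH_JSON), "example.com")
    print("in scope:", ok)
    print("on shared certificates but out of scope:", outside)
```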

By active information gathering we mean that the testers will be interacting with the in-scope asset. As an example, a tester can use tools such as Nmap to scan the asset's IP for open ports and try to identify running services.

The information collected during this phase will be used later to help testers better exploit existing vulnerabilities.

Exploitation

Once information has been gathered, penetration testers will try to exploit common vulnerabilities. In a web app penetration test, this could be a known CVE, Cross-Site Scripting (XSS), SQL Injection (SQLi), Broken Access Control, and so forth. If the exploitation succeeds, they will create a proof-of-concept (PoC) to be added to the report.

Report

After all vulnerabilities have been identified and/or exploited, the penetration testers will write a report containing everything that happened in the assessment, from the scope definition phase to the exploitation of vulnerabilities. At Rocket.Chat, the following template can be used: https://docs.google.com/document/d/18VVxWdmAUd5PnhS-08jxvHV3r3HsyR1Zqc9XPZwMp1Q/edit?tab=t.0.

Remediation

The vulnerabilities contained in the report will then undergo the vulnerability management process and will be fixed by either a software engineer or a security engineer. You can read more about our process at Vulnerability Management Process.

Web Application Pentesting

Web application penetration testing, as the name says, is the process of testing web applications in order to identify vulnerabilities that could be exploited by real attackers. At Rocket.Chat, the following references will be used when performing web app pentesting:

An example of a penetration test report by RadicallyOpenSecurity (ROS) can be seen here: ros-website/ros-public-reports/ROS - OTF - Hypha - 2021.pdf at main · radicallyopensecurity/ros-website.

API Pentesting

API pentesting aims at finding vulnerabilities that are specific to GraphQL, SOAP, and REST APIs. At Rocket.Chat, the following references will be used when performing API pentesting:

Mobile Pentesting

Mobile pentesting aims at finding vulnerabilities specific to Android and iOS applications. To a certain extent, it also involves web app and API pentesting. The difference is that mobile pentesting will also encompass client-side vulnerabilities specific to the aforementioned operating systems. At Rocket.Chat, the following references will be used when performing mobile pentesting:

Cloud Pentesting

Cloud pentesting involves everything cloud-related: our CSP (AWS, for example), Kubernetes, Docker, and so forth. At Rocket.Chat, the following references will be used when performing cloud pentesting:

AI Pentesting

A new field of penetration testing has recently emerged: that of AI-powered applications and LLMs. At Rocket.Chat, the following references will be used when performing AI pentesting:

An example of AI testing can be seen in one of our reports: https://docs.google.com/document/d/1pZFGuYNYMBADq6eqbxQ9M6RN_Ullw619bnB12GF4iBI/edit?tab=t.0.