
How Penetration Testing is Performed.

Penetration testing comes in many forms, and the approach depends on the type of application or system being tested. Most engagements fall into one of four categories: API penetration tests, mobile/application penetration tests, infrastructure penetration tests, and web application penetration tests. Each of these has its own steps and techniques.

API Penetration Testing:

An API penetration test is usually scoped as either Black Box or Grey Box. The difference between the two is how much documentation about the API (specifications, sample requests, credentials) is provided when the test starts. The first step is endpoint discovery: establishing which endpoints exist, which is often provided by the client and otherwise has to be enumerated. Next, permissions are tested to find out which endpoints each role can access and whether that enforcement is consistent, both across roles and across objects belonging to different users. Once the tester has a good understanding of the API and how it works, they begin exploiting logic flaws and chaining calls to complete tasks that they ordinarily should not be able to complete. Throughout, they look for issues in the API's implementation and authentication, for information disclosure, and for any other vector that could be used to compromise a company's data.
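The permissions step above is easiest to do reliably as an authorization matrix: every endpoint is called as every role (and, for object endpoints, against an object the caller owns and one they do not) and the result is compared with the documented policy. The following is an added example, not code from the original page or from any vendor. The endpoints, roles, tokens, object IDs and the fake_api back end are all constructed so that it runs offline; in practice probe() would wrap a real HTTP client.

```python
"""Authorization matrix check for an API.

Added example, not the page's own code. The endpoints, roles, tokens and
the fake back end are all constructed so it runs offline; swap probe()
for a real HTTP call to use it against an engagement target."""

# Intended access per endpoint and role: "none", "own" (only objects the
# caller owns) or "any". This is what the API's documentation claims.
POLICY = {
    ("GET", "/api/users/{id}"):    {"anonymous": "none", "user": "own",  "admin": "any"},
    ("DELETE", "/api/users/{id}"): {"anonymous": "none", "user": "none", "admin": "any"},
    ("GET", "/api/admin/audit"):   {"anonymous": "none", "user": "none", "admin": "any"},
}
TOKENS = {"anonymous": None, "user": "tok-user-7", "admin": "tok-admin-1"}
SESSIONS = {"tok-user-7": ("user", 7), "tok-admin-1": ("admin", 1)}  # token -> (role, own object id)
OTHER_ID = 42  # an object that belongs to somebody else


def fake_api(method, path, token):
    """Hypothetical back end with two deliberate flaws: DELETE has no role
    check, and GET /api/users/{id} has no ownership check (BOLA/IDOR)."""
    session = SESSIONS.get(token)
    if session is None:
        return 401
    role, _own_id = session
    if path.startswith("/api/admin/") and role != "admin":
        return 403
    if method == "DELETE" and path.startswith("/api/users/"):
        return 204  # flaw: any authenticated caller can delete any user
    if method == "GET" and path.startswith("/api/users/"):
        return 200  # flaw: any authenticated caller can read any user
    if method == "GET" and path == "/api/admin/audit":
        return 200
    return 404


def probe(method, template, role, object_id):
    """Issue one request as the given role; 2xx/3xx counts as access granted."""
    path = template.replace("{id}", str(object_id))
    return fake_api(method, path, TOKENS[role]) < 400


def expected_allowed(rule, is_own):
    return rule == "any" or (rule == "own" and is_own)


def authorization_matrix(policy, probe_fn=probe):
    """Try every endpoint as every role and return each case where what the
    API grants differs from the documented policy."""
    findings = []
    for (method, template), rules in policy.items():
        for role, rule in rules.items():
            cases = [("other", OTHER_ID)]
            if rule == "own":  # ownership only matters for "own" rules
                own_id = SESSIONS[TOKENS[role]][1]
                cases.append(("own", own_id))
            for case, object_id in cases:
                granted = probe_fn(method, template, role, object_id)
                if granted != expected_allowed(rule, case == "own"):
                    findings.append((method, template, role, case))
    return findings


if __name__ == "__main__":
    for method, template, role, case in authorization_matrix(POLICY):
        print(f"policy violated: {role} can {method} {template} ({case} object)")
```

Run against the constructed back end, the matrix reports two mismatches: an ordinary user can read another user's record (a broken object level authorization issue) and can delete users (a missing role check). Building the matrix from the documented policy rather than from ad-hoc requests is what makes the "inconsistencies" in the text show up systematically instead of by luck.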

Application Penetration Test:

Many mobile applications rely on API calls and other back-end data services, so a mobile application test overlaps with other types of test. There are also checks specific to the mobile application itself. The tester examines what data the application stores on the user's device and how it is protected, and reviews logs to see whether any sensitive information is leaked. They inspect the application's (decompiled) source for hard-coded API keys and other data that could be used to gain permissions or data not normally available to the user. They also check for insecure system calls and weak or misused cryptography, including how TLS connections are validated, since these can allow an attacker on the network to read data in transit. This area is often not thoroughly tested.
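The source review described above (hard-coded keys, credentials written to logs, insecure storage, weak cryptography and disabled certificate checks) is usually a first pass with pattern matching over the decompiled code before anything is verified by hand. As an added illustration, not code from the original page or from any vendor, the scanner below runs a small rule set over constructed fragments of what decompiled Android source might look like. The file names, code fragments and placeholder secrets are all made up (the AWS-style key is the publicly documented example value, not a real credential), and the rule list is deliberately short; a real pass would carry many more patterns.

```python
"""Pattern scan of decompiled app source for mobile-specific weaknesses.

Added example, not the page's own code. SAMPLE_FILES is constructed to
stand in for decompiled source; the secrets in it are placeholders."""
import re

SAMPLE_FILES = {
    "com/example/app/Config.java": (
        'public static final String API_KEY = "FAKE-api-key-0123456789";\n'
        'static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
    ),
    "com/example/app/Crypto.java": (
        'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\n'
        'MessageDigest md = MessageDigest.getInstance("MD5");\n'
    ),
    "com/example/app/Login.java": (
        'Log.d("Login", "password=" + password);\n'
        'prefs = getSharedPreferences("session", Context.MODE_WORLD_READABLE);\n'
    ),
    "com/example/app/Net.java": (
        'public void checkServerTrusted(X509Certificate[] chain, String authType) {}\n'
    ),
}

# (finding label, pattern). Each pattern targets one line of source.
RULES = [
    ("hard-coded AWS access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hard-coded secret string",
     re.compile(r'(?i)\b(api[_-]?key|secret|token|passw(or)?d)\w*\s*=\s*"[^"]{8,}"')),
    ("embedded private key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("ECB mode cipher", re.compile(r'Cipher\.getInstance\("[^"]*/ECB/')),
    ("weak hash (MD5/SHA-1)", re.compile(r'MessageDigest\.getInstance\("(?:MD5|SHA-?1)"\)')),
    ("credential written to log", re.compile(r"Log\.[vdiwe]\([^)]*passw", re.I)),
    ("world-readable storage", re.compile(r"MODE_WORLD_(?:READABLE|WRITEABLE)")),
    ("empty TrustManager check", re.compile(r"checkServerTrusted\([^)]*\)\s*\{\s*\}")),
]


def scan(files, rules=RULES):
    """Return (file, line number, label) for every rule hit, in file order.
    Hits are leads for manual verification, not confirmed vulnerabilities."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, pattern in rules:
                if pattern.search(line):
                    findings.append((name, lineno, label))
    return findings


if __name__ == "__main__":
    for name, lineno, label in scan(SAMPLE_FILES):
        print(f"{name}:{lineno}: {label}")
```

Every hit still has to be checked by hand: a key that looks hard-coded may be a public client identifier, and an ECB cipher may protect nothing sensitive. The value of the pass is that it turns a large decompiled tree into a short list of places worth reading closely, including the empty checkServerTrusted body, which is the classic way an app ends up accepting any certificate on the wire.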

Infrastructure Penetration Test:

Infrastructure penetration tests have their own methodology and techniques compared with web and API tests. Much of what the tester is looking for is a way to gain full control of a machine or server, because that is what allows them to harvest credentials from across the network. An initial foothold is typically obtained through phishing or a password spraying attack. Once on a machine inside the network, the tester works to escalate their privileges on that machine and to evade anti-virus and endpoint protection. That machine then serves as a base of operations for moving through the network, gathering as much data and as many credentials as possible, in the hope of reaching the vital servers on the network and compromising the whole of it.
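Password spraying differs from brute forcing in one important way: a single password is tried across many accounts per round, and rounds are paced so that no account accumulates enough failures inside the lockout observation window to be locked. Locking accounts is both noisy and a denial of service against the client, so the pacing is part of the technique, not an afterthought. The simulation below is an added example, not code from the original page or from any vendor. The directory, its lockout policy (five failures within thirty minutes), the account list and the passwords are all constructed; the same function run without pacing shows what goes wrong.

```python
"""Lockout-aware password spray against a constructed directory.

Added example, not the page's own code. FakeDirectory stands in for a
real authentication service; accounts, passwords and the lockout policy
are made up. Time is simulated so the example runs instantly."""

LOCKOUT_THRESHOLD = 5          # failures that lock an account
OBSERVATION_WINDOW = 30 * 60   # seconds before the failure counter resets

# Constructed accounts; only bob and carol use passwords on the spray list.
CREDS = {
    "alice": "q7!Vx#2pLm9z",
    "bob": "Winter2024",
    "carol": "Company123",
    "dave": "Kp4$wE8nRt1y",
}
USERS = list(CREDS)
PASSWORDS = ["Password1", "Welcome1", "Summer2024", "Autumn2024", "Winter2024", "Company123"]


class FakeDirectory:
    """Authentication service with a sliding-window lockout policy."""

    def __init__(self, creds):
        self.creds = creds
        self.failures = {}   # user -> timestamps of recent failed attempts
        self.locked = set()

    def authenticate(self, user, password, now):
        if user in self.locked:
            return "locked"
        recent = [t for t in self.failures.get(user, []) if now - t < OBSERVATION_WINDOW]
        if password == self.creds.get(user):
            self.failures[user] = []
            return "ok"
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
            return "locked"
        return "fail"


def spray(directory, users, passwords, attempts_per_window=LOCKOUT_THRESHOLD - 1):
    """Try one password across every user per round. After attempts_per_window
    rounds, wait out the observation window so failure counters reset before
    the next batch. Returns the (user, password) pairs that authenticated."""
    now = 0
    hits = []
    for i, password in enumerate(passwords):
        if i and i % attempts_per_window == 0:
            now += OBSERVATION_WINDOW   # let every account's counter expire
        for user in users:
            if directory.authenticate(user, password, now) == "ok":
                hits.append((user, password))
        now += 60   # a minute between rounds
    return hits


if __name__ == "__main__":
    paced = FakeDirectory(CREDS)
    print("paced:", spray(paced, USERS, PASSWORDS), "locked:", sorted(paced.locked))
    rushed = FakeDirectory(CREDS)
    print("rushed:", spray(rushed, USERS, PASSWORDS, attempts_per_window=len(PASSWORDS)),
          "locked:", sorted(rushed.locked))
```

With pacing, both weak passwords are found and nothing is locked. Running all six rounds inside one window locks three of the four accounts on the fifth round and, because carol is locked before her password comes up, misses a valid credential as well. The real lockout threshold and window have to be agreed with the client (or read from the domain policy once a foothold exists) before any spraying starts; the constants here are illustrative.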

Web Application Penetration Test:

Web application testing has a lot of cross-over with API testing, but it gives the tester a much larger attack surface and involves a more diverse set of techniques. As with every type of testing, the first step is discovery: finding which parts of the application are in scope and what technologies are in use. Once that is complete, the tester starts attacking the application, testing for issues such as SQL injection and cross-site scripting (XSS). Many lower-severity vulnerabilities can be chained together into a vulnerability of much higher severity. The end goal of these attacks is to fully compromise the data held on the server or the data stored by the user.
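SQL injection is the example most people reach for, and it is worth seeing exactly why it works and what the fix looks like. The following is an added example, not code from the original page or from any vendor: a login lookup written two ways against an in-memory SQLite database. The table, the two accounts and the placeholder password hashes are constructed. The first function builds the query by string formatting, so attacker-controlled input becomes part of the SQL; the second passes the values as parameters, so the database never interprets them as SQL.

```python
"""SQL injection: a string-built query beside its parameterized fix.

Added example, not the page's own code. The database, accounts and
password hashes are constructed; login_vulnerable is deliberately
broken to show the behaviour, login_safe is the corrected form."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("admin", "hash-of-admin-pw")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Deliberately vulnerable: the inputs are pasted straight into the SQL."""
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password_hash):
    """Fixed: placeholders keep the inputs as data, whatever they contain."""
    query = "SELECT id, username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Payload 1: comment out the password check entirely ("--" starts an SQL comment).
    print("vulnerable, username payload:", login_vulnerable(conn, "admin' --", "wrong"))
    # Payload 2: make the WHERE clause always true via the password field.
    print("vulnerable, password payload:", login_vulnerable(conn, "nobody", "' OR '1'='1"))
    # The same payloads against the parameterized query find nothing.
    print("safe, username payload:", login_safe(conn, "admin' --", "wrong"))
    print("safe, real credentials:", login_safe(conn, "admin", "hash-of-admin-pw"))
```

The username payload turns the statement into `... WHERE username = 'admin' --' AND password_hash = 'wrong'`, so everything after the comment marker is ignored and the admin row comes back with no password at all. The password payload produces `... AND password_hash = '' OR '1'='1'`, which, because AND binds tighter than OR, is true for every row and returns the first user. With the parameterized version both inputs are compared literally and no row matches, which is the behaviour the tester should see on a well-built application.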

If you're interested in a penetration test or want more information, Contact Us.