The main steps of a penetration testing

Nowadays, many companies engage penetration testings services to find vulnerabilities on their systems and to improve their security profile.

There are different technologies and challenges during the penetration testings and they range between new web applications to relatively outdated systems. Most of known vulnerabilities such as SQL injections, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML injections, Security Misconfiguration and Path Traversal are usually found during a penetration testing.

Firstly, it is recommended to understand the scope of work and the business objectives prior to the penetration testing.

The second step is to perform a vulnerability assessment. This step includes a preparation of test cases and executing them for each element in the scope. In fact, vulnerability assessment can be manual and automated to find more holes in IT systems. Here is an example of two popular automated penetration testing tools - Metasploit and Burp Suite.

For example, metasploit is an open source framework created by H D Moore. It is written entirely in Ruby, and contains a comprehensive range of exploits and payloads required for testing vulnerability of a remote system. Metasploit can be used for both legitimate as well as unauthorised activities.


The basic steps for exploiting a system using the Metasploit Framework include:

  1. Choosing and configuring an exploit for a specific target. Metasploit has over 300 exploits for various operating systems.

  2. Checking whether the intended target system is vulnerable to the chosen exploit.

  3. Choosing and configuring a payload. A payload is essentially code that will be executed once the targeted system gets compromised — for example, remote shell.

  4. Executing the exploit.

There are several other options available for advanced exploiting. Metasploit also helps in testing and developing of exploits.

Another good example is Burp suite which is a web application testing framework used by security professionals or web developers to identify attack vectors and to find security related flaws in their web applications.


Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as man in the middle by capturing and analyzing each request to and from the target web application so that they can be analyzed. Penetration testers can pause, manipulate and replay individual HTTP requests in order to analyze potential parameters or injection points. Injection points can be specified for manual as well as automated fuzzing attacks to discover potentially unintended application behaviors, crashes and error messages.

The next step is to validate the vulnerabilities that have been found for exploitation and weed out false positives. False Positives occur when a scanner, Web Application Firewall (WAF), or Intrusion Prevention System (IPS) flags a security vulnerability that you do not have. A false negative is the opposite of a false positive, telling you that you don’t have a vulnerability when in fact you do. A false positive is like a false alarm; your house alarm goes off but there is no burglar. In web application security, a false positive is when a web application security scanner indicates that there is a vulnerability on your website, such as SQL Injection, when in reality there is not. Web security experts and penetration testers use automated web application security scanners to ease the penetration testing process. This helps them ensure that all of the web application attack surfaces are tested properly in a reasonable amount of time. But many false positives tend to break down this process. If the first 20 variants are false, for example, the penetration tester assumes that all the others are false positives as well and ignores the rest. By doing so, there is a good chance that real web application vulnerabilities will be left undetected.

The last step is to generate a report of penetration testing which should include recommendations. In penetration testing, report writing is a comprehensive task that includes methodology, procedures, proper explanation of report content and design, detailed example of testing report, and tester’s personal experience. Once the report is prepared, it is shared among the senior management staff and technical team of target organisations. If any such kind of need arises in future, this report is used as the reference.

Due to the comprehensive writing work involved, penetration report writing is classified into the following stages :

  • Report planning

  • Information collection

  • Writing the first draft

  • Review and Finalization

  • Report planning starts with the objectives, which help readers to understand the main points of the penetration testing. This part describes why the testing is conducted, what are the benefits of pen testing, etc.

  • Information collection is the complicated and lengthy process, pentester is required to mention every step to make sure that he collected all the information in all the stages of testing. Along with the methods, he also needs to mention about the systems and tools, scanning results, vulnerability assessments, details of his findings, etc.

  • Once, the tester is ready with all tools and information, now he needs to start the first draft. Primarily, he needs to write the first draft in the details – mentioning everything i.e. all activities, processes, and experiences.

  • Once the report is drafted, it has to be reviewed first by the drafter himself and then by his seniors or colleagues who may have assisted him. While reviewing, reviewer is expected to check every detail of the report and find any flaw that needs to be corrected.

 A penetration test is vital for any company or organisation who takes cyber security seriously. As already stated, if a penetration tester manages to compromise your application or network, then a real hacker can too. Penetration tests offer a proactive approach to maintaining high levels of security.