
Initiating a penetration test

An application penetration test is generally considered incomplete if it does not include the following:

  • Following the standard methodology of performing recon
  • Enumerating functionality
  • Testing individual parameters
  • Creating test cases
  • Performing non-invasive exploitation
  • Providing a report that describes each issue
  • Providing steps to reproduce, proof-of-concept code, and possible mitigations

During my career, on numerous occasions, I have come across security consulting companies or independent professionals that are known to run an automated scanner that detects only a handful of vulnerabilities and almost always does not discover logical issues. These vulnerabilities are then exploited with a half-baked exploit that does very little in terms of explaining the business impact and criticality of the findings to the end client.

Scanning for vulnerabilities with an automated scanner is the most common approach to detecting vulnerabilities quickly. It can produce either actionable, complete results or unactionable, incomplete findings, and which of the two you get depends very heavily on the information that was fed to the scanner in the first place.

Using an automated scanner isn't bad. In fact, a scanner can ensure completeness in many cases. However, running a scanner without first performing sufficient recon, assigning scope, and creating target maps can result in the tool being used incorrectly and producing incomplete results.

A tool is only as good as the information it receives before beginning execution. Therefore, scoping your pentest is very important.
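The scoping point above can be enforced mechanically before any scanner is pointed at a host. The following is an added example, not code from the book: it parses a small, constructed scope file (networks, hostnames, wildcard hostnames, and `!`-prefixed exclusions), then splits a list of discovered hosts into those the engagement permits and those it does not. The file format and all hostnames and addresses are assumptions made for the example.

```python
import ipaddress

# Constructed sample scope file for the example; not from any real engagement.
SCOPE_FILE = """
# Client-approved scope for the web application assessment
10.10.0.0/24          # staging application servers
*.app.example.test    # application hostnames (wildcard also covers the apex)
api.example.test
!10.10.0.250          # shared database host: explicitly out of scope
!legacy.app.example.test
"""

def _parse_entry(text):
    """An entry is either an IP network (a bare IP becomes a /32) or a hostname pattern."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return text.lower()

def parse_scope(text):
    """Return (allow, deny) entry lists; lines prefixed with '!' are exclusions."""
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("!"):
            deny.append(_parse_entry(line[1:].strip()))
        else:
            allow.append(_parse_entry(line))
    return allow, deny

def _matches(entry, target):
    """Match one target (IP or hostname, already lower-cased) against one scope entry."""
    if isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        try:
            return ipaddress.ip_address(target) in entry
        except ValueError:
            return False                      # a hostname never matches a network entry
    if entry.startswith("*."):
        return target == entry[2:] or target.endswith(entry[1:])
    return target == entry

def in_scope(allow, deny, target):
    """A target is in scope only if some allow entry matches and no deny entry does."""
    target = target.strip().lower()
    if any(_matches(e, target) for e in deny):
        return False
    return any(_matches(e, target) for e in allow)

def filter_targets(scope_text, candidates):
    """Split discovered hosts into those a scanner may be given and those it must not."""
    allow, deny = parse_scope(scope_text)
    approved = [t for t in candidates if in_scope(allow, deny, t)]
    rejected = [t for t in candidates if not in_scope(allow, deny, t)]
    return approved, rejected
```

Exclusions are checked before allow entries, so a host that sits inside an allowed network but is listed with `!` is always rejected.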
