What Is Penetration Testing?

Penetration testing (pentesting) is a simulated cyber attack against a system to evaluate its security. Unlike vulnerability scanning, which uses automated tools to identify potential weaknesses, pentesting involves a human tester actively trying to exploit vulnerabilities to prove they are real and assess their impact.

Think of it this way: a vulnerability scanner is like an inspector who notes that a window lock looks weak. A penetration tester actually tries to open the window and climb in, then documents exactly what they were able to access once inside.

Pentesting vs Vulnerability Scanning

AspectVulnerability ScanningPenetration Testing
ApproachAutomated tool scanManual human testing
DepthIdentifies potential issuesProves exploitability
FrequencyContinuous (CI/CD)Periodic (quarterly/annually)
SkillsLow (run tools)High (security expertise)
False positivesCommonRare (manually verified)
Business logicCannot testCan test
Chained attacksCannot detectExcels at finding
CostLowMedium to high
TimeMinutes to hoursDays to weeks

Both are needed. Vulnerability scanning catches known issues quickly and cheaply. Pentesting finds complex, chained vulnerabilities and business logic flaws that automated tools miss.

Penetration Testing Types

By Knowledge Level

  • Black-box: Tester has no prior knowledge of the system. Simulates an external attacker.
  • Grey-box: Tester has partial knowledge (user credentials, API documentation). Simulates an authenticated attacker.
  • White-box: Tester has full knowledge (source code, architecture, admin credentials). Most thorough but least realistic.

By Target

  • Network pentesting: Firewalls, routers, servers, network services
  • Web application pentesting: Web apps, APIs, authentication systems
  • Mobile application pentesting: iOS and Android apps
  • Social engineering: Phishing, pretexting, physical access
  • Wireless pentesting: Wi-Fi networks, Bluetooth
  • Cloud pentesting: Cloud configurations, IAM policies, storage

The Five Phases of Pentesting

Phase 1: Reconnaissance (Information Gathering)

Collect as much information about the target as possible before any active testing.

Passive reconnaissance (no direct interaction with target):

  • WHOIS lookups for domain ownership
  • DNS enumeration (subdomains, mail servers)
  • Google dorking (site-specific searches)
  • Social media and job postings (technology stack clues)
  • Public code repositories (leaked credentials, API keys)
  • Certificate transparency logs

Active reconnaissance (direct interaction with target):

  • Port scanning with Nmap
  • Service version detection
  • Web spidering/crawling
  • Technology fingerprinting (Wappalyzer)

Phase 2: Scanning and Enumeration

Actively probe the target to identify vulnerabilities.

  • Port scanning: Identify open ports and running services
  • Vulnerability scanning: Run OWASP ZAP or Nessus against the target
  • Web application scanning: Map all endpoints, forms, and parameters
  • Authentication testing: Test login mechanisms for weaknesses

Phase 3: Exploitation

Attempt to exploit discovered vulnerabilities to gain access or extract data.

  • Try injection attacks (SQL, XSS, command injection)
  • Attempt access control bypass
  • Test for privilege escalation
  • Exploit misconfigurations
  • Chain multiple low-severity issues into a high-severity attack

Phase 4: Post-Exploitation

After gaining access, determine the real-world impact.

  • What sensitive data can be accessed?
  • Can you escalate privileges further?
  • Can you pivot to other systems?
  • Can you maintain persistent access?
  • What is the blast radius of this vulnerability?

Phase 5: Reporting

Document findings in a clear, actionable report.

A good pentest report includes:

  • Executive summary: Non-technical overview for management
  • Methodology: What was tested and how
  • Findings: Each vulnerability with severity, proof of exploitation, and impact
  • Recommendations: Specific, prioritized remediation steps
  • Appendices: Technical details, tool outputs, screenshots

Essential Pentesting Tools

OWASP ZAP (Zed Attack Proxy)

Free, open-source web application scanner. Best for QA engineers starting with security testing.

Key features:

  • Automated scan: Spider the site and scan for vulnerabilities
  • Manual testing: Intercept and modify requests (proxy)
  • Passive scanning: Detect issues while you browse normally
  • API scanning: Import OpenAPI/Swagger specs and scan APIs
  • CI/CD integration: Run scans in pipelines with the ZAP Docker image

Basic usage:

  1. Download ZAP from zaproxy.org
  2. Enter the target URL
  3. Click “Automated Scan”
  4. Review alerts by risk level (High, Medium, Low, Informational)

Burp Suite

The industry-standard web security testing tool. Community Edition is free; Professional is paid.

Key features:

  • Proxy: Intercept all browser traffic
  • Repeater: Replay and modify individual requests
  • Intruder: Automated parameter fuzzing
  • Scanner: (Professional only) Vulnerability scanning
  • Decoder: Encode/decode data (Base64, URL encoding, etc.)

Nmap

Network scanning tool for discovering hosts, open ports, and running services.

# Basic scan
nmap -sV target.com

# Scan common ports
nmap --top-ports 1000 target.com

# Scan with vulnerability scripts
nmap --script vuln target.com

Always get written authorization before pentesting. Unauthorized testing is illegal in most jurisdictions, even if your intentions are good.

Required before testing:

  • Written scope document defining what can be tested
  • Written authorization from the system owner
  • Rules of engagement (testing hours, off-limits systems, escalation procedures)
  • Emergency contacts if something breaks

Never test:

  • Systems you do not own or have explicit permission to test
  • Production systems without careful coordination
  • Third-party services without their explicit consent
  • In ways that could cause data loss or service disruption

When QA Should Pentest vs Hire Specialists

QA Team Can HandleHire External Pentesters
OWASP ZAP automated scansCompliance requirements (PCI-DSS, SOC 2)
Basic injection testingNetwork and infrastructure pentesting
Access control verificationAdvanced exploitation techniques
Security header checksReverse engineering (mobile, desktop)
Authentication testingSocial engineering assessments
API security validationRed team exercises

Exercise: Basic Security Scan with OWASP ZAP

Perform a basic security scan of a deliberately vulnerable application using OWASP ZAP.

Setup

  1. Install OWASP ZAP from zaproxy.org or use Docker:
docker run -u zap -p 8080:8080 -p 8090:8090 -i zaproxy/zap-stable zap-webswing.sh
  1. Start OWASP Juice Shop:
docker run --rm -p 3000:3000 bkimminich/juice-shop

Task

  1. Configure ZAP to proxy your browser traffic
  2. Run an automated spider on http://localhost:3000
  3. Run an active scan on the discovered URLs
  4. Review and categorize all High and Medium alerts
  5. For the top 3 findings, document: the vulnerability, OWASP category, impact, and recommendation
Hint: ZAP Configuration
  • Set ZAP as your browser proxy (localhost:8080)
  • For the spider, set maximum depth to 5 and use both traditional and AJAX spider
  • During the active scan, watch for High-confidence alerts first
  • Check the “Alerts” tab for categorized findings
Solution: ZAP Scan Results Analysis

Typical High/Medium findings from scanning Juice Shop:

#AlertRiskOWASPConfidence
1SQL InjectionHighA03High
2Cross-Site Scripting (Reflected)HighA03Medium
3Missing Anti-CSRF TokensMediumA05Medium
4X-Frame-Options Header Not SetMediumA05Medium
5Content Security Policy Not SetMediumA05High
6Cookie Without Secure FlagMediumA02High

Top 3 Detailed Findings:

1. SQL Injection (High)

  • URL: http://localhost:3000/rest/products/search?q=
  • OWASP: A03:2021 Injection
  • Impact: Attacker can extract entire database contents, modify data, or execute OS commands
  • Recommendation: Use parameterized queries for all database operations

2. Reflected XSS (High)

  • URL: http://localhost:3000/#/search?q=<script>alert(1)</script>
  • OWASP: A03:2021 Injection
  • Impact: Attacker can execute JavaScript in victim’s browser, steal session tokens
  • Recommendation: Implement input validation and output encoding

3. Missing CSP Header (Medium)

  • URL: All pages
  • OWASP: A05:2021 Security Misconfiguration
  • Impact: Without CSP, XSS attacks are harder to mitigate
  • Recommendation: Add Content-Security-Policy header restricting script sources

Pro Tips

  • Start with ZAP, Graduate to Burp: OWASP ZAP is free and excellent for QA engineers. Once you are comfortable, Burp Suite Professional offers more advanced features for deeper testing.
  • Combine Automated and Manual: Run ZAP automated scans first, then manually test the high-risk areas (authentication, authorization, business logic) that scanners miss.
  • Learn the OWASP Testing Guide: The WSTG provides a checklist of 90+ specific tests organized by category. Use it as your pentesting playbook.
  • Practice on Vulnerable Apps: Besides Juice Shop, try DVWA, WebGoat, HackTheBox, and TryHackMe for hands-on practice at different skill levels.
  • Document Everything: During pentesting, record every step — timestamps, requests, responses, screenshots. This documentation is essential for the report and for reproducing findings.