Penetration testing is a proactive security practice that helps organisations uncover weaknesses in their systems, applications, and networks before attackers can exploit them. The value of a penetration test continues to increase as modern environments become more complex. Testers that understand the fundamentals of penetration testing can produce meaningful results and effectively communicate risk to stakeholders.
This room introduces the core concepts that every aspiring penetration tester should be familiar with. It covers what penetration testing is and how it differs from malicious hacking, the areas of focus during a penetration test, and the relationship between vulnerability, threat, and risk. It also explores why vulnerabilities exist in the first place, the mindset and habits that shape effective testers, and the ethical principles that strengthen client relationships.
Learning Objectives
- Distinguish between penetration testing and malicious hacking based on authorisation, scope, coverage, and responsibility.
- Describe the core focus areas of web application and network penetration testing.
- Define vulnerability, threat, and risk, and apply the Vulnerability x Threat = Risk relationship to evaluate real-world scenarios.
- Outline the four stages of the risk management cycle, and recognise when risks are mitigated, accepted, or transferred.
- Identify the common reasons why vulnerabilities exist, including human assumptions, software bugs, system complexity, over customisation, and technical or design flaws.
- Apply the mindset and habits of an effective penetration tester, such as attention to detail, contextual thinking, and avoiding tool over-reliance or tunnel vision.
- Follow best practices during an engagement, including maintaining good notes, collecting evidence, managing time, communicating proactively, and staying professional.
- Uphold the principles of ethics, permission, and trust throughout an engagement to protect both the organisation and the tester.
Prerequisites
This room requires knowledge of offensive security concepts. If you haven't done so, complete the following module before continuing:
Let's dive into pentesting!
What Is Penetration Testing?
Penetration testing, or "pentesting", is an authorised security assessment that is performed on systems, applications, or networks. It is carried out with explicit permission from the system owner within agreed boundaries.
Penetration testing is important because modern systems are complex and constantly changing. These factors make it difficult for organisations to identify all weaknesses through design and development alone. Well-built systems can also contain weaknesses that could expose them to attacks. A penetration test fills this gap and helps organisations understand how these weaknesses could be abused, which allows them to prioritise fixes and reduce risk before the weaknesses can be exploited by attackers.
Penetration testing is an essential security service for many reasons. It ensures that organisations can prioritise remediation efforts based on the level of risk associated with the weaknesses. It helps protect the confidentiality of sensitive customer data such as payment information or personally identifiable information (PII), which supports compliance with many regulatory frameworks and industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and the General Data Protection Regulation (GDPR). Real-world attack scenarios and an assessment of the overall security posture of an organisation ensure that security controls are effective. This process provides assurance to leadership, stakeholders, and customers that weaknesses are being addressed proactively.
Penetration Testing vs Malicious Hacking
While penetration testers and malicious attackers may use similar tools, the way they operate is totally different. The core factors in the table below separate penetration testing from malicious hacking:
| Core Factor | Penetration Tester | Malicious Attacker |
|---|---|---|
| Authorisation | Penetration testers operate with explicit written consent from the system owner. | Attackers operate without consent and violate the rights and security of the organisation. |
| Scope | Penetration testers operate within a clearly defined scope that is set by the organisation in order to protect critical systems. | Attackers are not restricted by scope and will target anything that helps them achieve their goal. |
| Coverage | Penetration testers aim for broad coverage and assess multiple areas of a system. | Attackers focus on the quickest or most effective path to success, and often target systems and data that can provide financial benefit. |
| Responsibility | Penetration testers are accountable for their actions and the impact of their work, and are expected to act professionally at all times. | Attackers do not feel accountable for their actions and do not take responsibility for the damage that they cause. |
What is the common shortened term for penetration testing?
Which actor aims for broad coverage and assesses multiple areas of a system?
Which actor focuses on the quickest path to success?
In a penetration test, coverage is critical in order to fully assess the overall security posture of an organisation. To achieve meaningful coverage, it is important to understand the different areas that a penetration tester looks at. This task will cover areas that are assessed when performing web application and network penetration testing.
Web Application Penetration Testing
Web application penetration testing focuses on finding gaps and weaknesses in a web application. Testing is commonly performed from a user perspective by interacting with the application's user interface and its APIs. The goal is to assess how the application handles user input, authentication, authorisation, sessions, and data processing. Weaknesses in web applications can have a great impact on their users because web applications are usually exposed to the internet.
The diagram above outlines a simple interaction between a penetration tester and a web application and its components. In a web application penetration test, the application is tested for weaknesses in different areas such as authentication, authorisation, session management, input and output validation, and security configuration.
- Authentication: This area is evaluated for weaknesses in the application's credential handling, password policy, account lockout mechanisms, multi-factor authentication (MFA) implementation, protection against automated attacks such as brute-force and credential stuffing, password-reset flow, and overall authentication-related logic.
- Authorisation: This area is evaluated for weaknesses in the application's access control mechanism, ensuring users can only access resources and perform actions permitted by their role, and protection against vertical and horizontal privilege escalation attacks.
- Session management: This area is evaluated for weaknesses in how sessions are created, maintained, and invalidated. This includes session fixation risks, session invalidation after logout, idle timeout enforcement, secure cookie attributes, and protection against cross-site request forgery (CSRF).
- Input and output validation: This area is evaluated for weaknesses in the application's data handling controls, including protection against injection attacks, data type validation, and output handling.
- Security configuration: This area is evaluated for gaps in the server and application configurations, including security headers, error handling behaviour, rate-limiting controls, cryptographic configuration, and exposure of unnecessary services or features.
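The session management checks listed above (session fixation, invalidation after logout, idle timeout, cookie attributes) can be expressed as concrete tests against a session store. The following Python block is an added example and is not code from the room: it contains a constructed in-memory session store that implements the controls correctly, a deliberately weak variant that adopts a pre-login ID and never invalidates server-side, and a `session_checks` function that runs the lifecycle checks a tester would perform and returns the failed ones. The 15-minute idle timeout and all class and function names are assumptions for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; assumed policy value for this example


class SessionStore:
    """Constructed session store that implements the controls correctly."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user": ..., "last_seen": ...}
        self._clock = clock   # injectable clock so the idle timeout can be tested

    def login(self, user, presented_id=None):
        # Session fixation defence: ignore any ID presented before login and
        # always issue a fresh random identifier.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def validate(self, sid):
        """Return the user bound to sid, or None if the session is not valid."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # idle timeout enforced server-side
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        # Server-side invalidation: the old cookie value is useless afterwards.
        self._sessions.pop(sid, None)


class WeakSessionStore(SessionStore):
    """Constructed weak variant: adopts a pre-login ID and 'logs out' only
    by clearing the cookie in the browser, leaving the server record alive."""

    def login(self, user, presented_id=None):
        sid = presented_id or secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def logout(self, sid):
        pass   # nothing is removed server-side


def cookie_attributes(secure=True, http_only=True, same_site="Lax"):
    """Attributes a tester expects to see on the Set-Cookie header."""
    attrs = ["Path=/"]
    if secure:
        attrs.append("Secure")
    if http_only:
        attrs.append("HttpOnly")
    attrs.append(f"SameSite={same_site}")
    return "; ".join(attrs)


def session_checks(store_factory):
    """Run the lifecycle checks against a store and return the failed ones."""
    findings = []
    now = [1000.0]                       # fake clock, advanced manually
    store = store_factory(lambda: now[0])

    # 1. Session fixation: an ID chosen before login must not become the session.
    fixed_id = "id-chosen-before-login"
    sid = store.login("alice", presented_id=fixed_id)
    if sid == fixed_id or store.validate(fixed_id) is not None:
        findings.append("session fixation")

    # 2. Invalidation after logout: the old ID must stop working.
    store.logout(sid)
    if store.validate(sid) is not None:
        findings.append("session valid after logout")

    # 3. Idle timeout: a session untouched past the limit must expire.
    sid = store.login("alice")
    now[0] += IDLE_TIMEOUT + 1
    if store.validate(sid) is not None:
        findings.append("idle timeout not enforced")

    return findings


if __name__ == "__main__":
    print("hardened store:", session_checks(SessionStore))
    print("weak store:    ", session_checks(WeakSessionStore))
    print("cookie:        ", cookie_attributes())
```

The weak store reproduces the scenario in the question at the end of this task (cookies that remain valid after logout): `session_checks(WeakSessionStore)` reports both the fixation and the logout failure, while the hardened store reports nothing.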
Network Penetration Testing
Network penetration testing focuses on finding vulnerabilities in the underlying infrastructure that connects systems together. Testing could be performed from an external or an internal user perspective.
External network penetration testing is performed from an external user perspective with little to no access to information about the externally exposed systems. This type of assessment focuses on external-facing infrastructure such as internet-facing servers, firewalls, gateways, and remote access services. The goal is to evaluate how these systems are exposed and assess the security controls that protect these systems against unauthorised users.
Internal network penetration testing, on the other hand, is an "assumed breach" scenario where a threat actor already has access to a system in the network. This type of assessment evaluates what an attacker could do next, such as moving between systems, escalating privileges, or accessing sensitive data. The goal is to assess trust relationships, access controls, and network controls to identify weak configurations and determine whether the security controls can limit the impact of a compromise.
The diagram above shows a simple interaction between a penetration tester and a network, both from an external and internal perspective.
- Authentication mechanisms: This area is evaluated for weaknesses in network-level authentication controls such as password policy, multi-factor authentication (MFA) enforcement, credential reuse, use of default credentials, and protection against attacks on services such as admin portals and other network services.
- Authorisation and access controls: This area is evaluated for weaknesses in network access control mechanisms, ensuring users and systems can only access resources permitted by their role or trust level.
- Network and trust relationships: This area is evaluated for weaknesses in user and system trust relationships, rules, and isolation controls.
- Configuration and patch management: This area is evaluated for gaps in device configurations and services, such as use of outdated software, insecure default configuration, and weak encryption protocols.
Ultimately, modern web applications and networks are built with different interconnected components and systems. Identifying the attack surface helps organisations find all entry points that could contain weaknesses and provide unauthorised access to threat actors. Additionally, it helps in defining the scope of a penetration test prior to the engagement execution.
What type of network penetration test focuses on internet-facing infrastructure from the perspective of an unauthorised user?
During testing, you discovered that session cookies remain valid after a user logs out of the application. Which testing focus area does this issue fall under?
Vulnerability, threat, and risk are core concepts in cyber security that are commonly used together. They allow organisations to assess and manage their security concerns in a structured way. As a penetration tester, understanding the relationship between these concepts will enable you to clearly communicate findings and their significance to stakeholders.

Vulnerability
A vulnerability is a weakness or gap in an organisation's environment that could be exploited to compromise the security of systems, data, or operations. While it does not cause harm on its own, it presents an opportunity for exploitation.
Vulnerabilities come in many types. For simplicity, we will focus on technical vulnerabilities, which are weaknesses in software, systems, or configurations that can be exploited due to coding errors, insecure settings, or flawed system design.
For example, a web server running outdated software with known flaws is a vulnerability. The weakness exists, but nothing happens unless it is taken advantage of.

Threat
A threat is anything that can exploit a vulnerability and cause harm to an organisation's environment. It represents a source of danger that can take advantage of a weakness to compromise the confidentiality, integrity, and availability of the organisation's systems.
Threats may include malicious actors such as cybercriminals, insider threats, or tools that are used to perform automated attacks. They may also be non-malicious events like system failures, human error, or environmental incidents.
For example, an attacker scanning the internet for outdated servers is a threat. They have the capability and intent to exploit the vulnerability.
More recently, attackers have been utilising artificial intelligence (AI) in order to automate attacks, discover weaknesses at scale, and accelerate exploitation. This makes AI a significant threat in modern security environments due to its capacity to increase the speed and sophistication of attacks.

Risk
Risk is the potential damage that could occur if a threat successfully exploits a vulnerability. We can determine the overall risk of a vulnerability by combining the impact and likelihood of exploitation. In some cases, a vulnerability that may look harmless could cause significant risk if it affects critical systems. In contrast, a vulnerability that may look harmful could only cause minimal risk if it exists in an isolated environment.
The following formula is commonly used to simplify the calculation of overall risk: Vulnerability * Threat = Risk.
This formula is a simplified model intended to illustrate the relationship between the contributing factors, rather than a formal risk calculation. A vulnerability on its own does not pose a risk if there is no threat that can leverage it. Likewise, a threat cannot cause impact if there is no vulnerability to exploit.
Below are practical examples of how risk is calculated.
Low Risk
Imagine a web application displays detailed error messages when invalid input is submitted.
- Vulnerability: Verbose error messages revealing internal file paths
- Threat: Attackers triggering errors to gather system information
- Risk: Limited information disclosure that may help reconnaissance but does not directly compromise the system
High Risk
Imagine a web application that allows users to change an account ID parameter in a request and access other users’ data.
- Vulnerability: Broken access control allowing unauthorised access to user data
- Threat: Attackers modifying request parameters to retrieve or alter other sensitive user information
- Risk: Exposure or manipulation of sensitive customer data, leading to data privacy violations and regulatory consequences
Risk Management
Risk management is a structured process that many organisations use to identify, evaluate, and control security risks over time. Effective risk management means understanding which risks matter most and applying appropriate controls to eliminate or reduce their impact or likelihood of exploitation.
Risk management is typically an ongoing cycle consisting of four stages:
- Identification: Identifying assets, vulnerabilities, and potential threats that could affect the organisation.
- Analysis: Evaluating risks to determine the potential impact and likelihood of exploitation, which translates to the severity of each risk and helps plan remediation efforts.
- Mitigation: Reducing or controlling identified risks. This may include applying security patches, strengthening access controls, improving configurations, implementing monitoring tools, or redesigning insecure processes.
- Monitoring: Continuous monitoring of risks to ensure that controls remain effective, new vulnerabilities are detected, and emerging threats are addressed promptly.
In some cases, organisations may choose to accept or transfer risk if mitigation is not practical or cost-effective. Accepting a risk is usually chosen if the impact is minimal and the cost of reducing the risk outweighs the benefit. Transferring risk means shifting the responsibility to a third party, such as purchasing an insurance policy that would cover the cost that comes with the risk.
An example where a company would accept the risk is if they discover that their internal web application reveals the server version in its responses. The company decides to accept the risk because the version is up to date, the web application is only exposed internally, and it does not contain sensitive data. Mitigating the risk, by contrast, would be costly and require time and resources.
In contrast, an example where a company would transfer the risk is if they operate an online platform that stores personal and payment information of their customers. The company decides to transfer the risk by purchasing a cyber insurance policy to cover the financial cost if a data breach occurs, because even though security controls are in place and effective, the risk cannot be fully removed.
An organisation patched a high-severity issue that you reported. What stage of the risk management cycle does this activity fall under?
Would an SQL-injection vulnerability present a higher risk on an external-facing application or an internal-facing application?
Vulnerabilities can occur through flaws, features, or human error, which can result in compromise of data and resources, and attackers can exploit one or more to achieve their goal. In this task, we will cover some of the most common reasons why vulnerabilities exist.
Human Assumptions
Developers who are not security-aware often assume that users will use systems as intended. Attackers intentionally challenge this assumption by using systems in unintended ways to expose weaknesses.
For instance, a developer assumes that users will only upload image files as their profile picture. Without file validation controls, an attacker can upload a malicious script, which is then executed by the server.
Software Bugs
Programming errors can introduce unintended behaviour that poses a security risk, often arising from logic mistakes and incomplete validation. Poorly written code may work as designed, yet still be flawed if it was not written with security in mind.
For instance, a web application fails to properly validate input when processing form data that interacts with a database. An attacker submits a specially crafted input that alters the query, enabling them to gain unauthorised access to sensitive data.
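The software bug described above, concatenating form data into a database query, is shown next to its fix in the following Python block. This is an added example, not code from the room: it builds a constructed in-memory SQLite table with two sample users, implements the same lookup once with string concatenation and once with a parameterised query, and lets you compare what each returns for a normal username and for an input that alters the query. All table, column and function names are assumptions for the example.

```python
import sqlite3


def build_db():
    """Constructed sample database: two users, in memory only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email_vulnerable(conn, username):
    """The bug from the text: form data is concatenated into the SQL text,
    so the submitted value can change the structure of the query."""
    query = f"SELECT email FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_email_fixed(conn, username):
    """The fix: a parameterised query. The driver sends the value separately
    from the SQL text, so it is only ever compared as data."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT email FROM users WHERE username = ? ORDER BY id", (username,)
        )
    ]


def compare(username):
    """Return (vulnerable_result, fixed_result) for one submitted value."""
    conn = build_db()
    try:
        return lookup_email_vulnerable(conn, username), lookup_email_fixed(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate username behaves identically in both versions.
    print("alice        ->", compare("alice"))
    # A value containing a quote rewrites the vulnerable query's WHERE clause
    # and returns every row; the parameterised version matches no user.
    print("crafted input->", compare("' OR '1'='1"))
```

A practical check for a developer or reviewer is exactly this comparison: if a lookup that should return at most one record returns the whole table for an unusual input, the query text is being built from that input.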
System Complexity
Modern environments consist of many interconnected components such as APIs, microservices, databases, and third-party integrations. The likelihood of a misconfiguration occurring in these complex environments is higher, which could lead to an exploitable vulnerability.
For instance, a company with multiple services integrated into their web application, like an authentication provider or third-party payment processor, might overlook a misconfiguration that exposes administrative APIs. Due to the complexity of interactions between these components, this misconfiguration allows an attacker to access critical administrative APIs that were not meant to be exposed.
Over Customisation
Extensive customisation of software or workflows can introduce inconsistencies and unintended security gaps. Custom features may not follow standard security practices, and heavily modified systems can be difficult to maintain, update, or patch properly.
For instance, an organisation that develops a custom authentication feature instead of using a standard login framework may implement their own password storage, session handling, and account recovery logic in order to meet their internal requirements. However, these can be difficult to maintain over time. Customisations can become outdated and lead to insecure practices like weak hashing algorithms or inconsistent session timeouts.
Technical and Design Flaws
Technical and design flaws could occur when security is not built into the design from the beginning. The source of these flaws may not be intentional, but can pose a huge risk in an organisation's security.
For instance, consider adding multi-factor authentication to an existing web application. Developers might implement the feature but overlook the existing design, in which a fully authenticated session is issued before the multi-factor step is completed. This oversight allows an attacker to navigate to authenticated pages without completing the multi-factor process.
Common Causes and Resulting Vulnerabilities
The table below maps each common cause to a resulting vulnerability that an attacker could exploit.
| Root Cause | Example Scenario | Resulting Vulnerability |
|---|---|---|
| Human Assumptions | Developer assumes users only upload images to a profile photo field, no validation is in place. | Unrestricted file upload: An attacker uploads a web shell and executes commands on the server. |
| Software Bugs | Form data is concatenated into a database query rather than handled through parameterised inputs. | SQL injection: An attacker crafts input to extract or modify sensitive records from the database. |
| System Complexity | Multiple integrated services make it easy to overlook a misconfigured endpoint. | Exposed admin API: An attacker reaches admin functions that were never meant to be publicly accessible. |
| Over-Customisation | Custom authentication replaces a standard framework with logic that is hard to maintain. | Weak authentication: Outdated hashing and broken session logic expose user accounts to takeover. |
| Technical and Design Flaws | Authenticated session is issued before the multi-factor authentication step is completed. | Multi-factor authentication bypass: An attacker navigates to authenticated pages without completing the process. |
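The design flaw in the last row of the table, and in the "Technical and Design Flaws" example above it, comes down to when the session is issued. The following Python block is an added example, not code from the room: it models a constructed login flow twice, once with the flaw (a full session is created after the password check and the dashboard never consults the MFA state) and once redesigned so that the password step only yields a short-lived pre-authentication token and a session exists only after the MFA step succeeds. The single sample user, their password and code, and all names are assumptions for the example.

```python
import secrets

# Constructed sample user; values are placeholders for the example only.
USERS = {"alice": {"password": "correct horse", "mfa_code": "123456"}}


class FlawedAuth:
    """The flaw from the text: a session is issued after the password step,
    and authenticated pages only check that a session exists."""

    def __init__(self):
        self.sessions = {}   # sid -> {"user": ..., "mfa_done": bool}

    def password_step(self, user, password):
        if USERS.get(user, {}).get("password") != password:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "mfa_done": False}
        return sid          # already usable as a session cookie

    def mfa_step(self, sid, code):
        s = self.sessions.get(sid)
        if s is None or not secrets.compare_digest(USERS[s["user"]]["mfa_code"], code):
            return None
        s["mfa_done"] = True
        return sid

    def can_view_dashboard(self, sid):
        return sid in self.sessions   # mfa_done is never consulted


class HardenedAuth:
    """Redesign: no session exists until the MFA step has succeeded."""

    def __init__(self):
        self.pending = {}    # pre-auth token -> user; not valid for any page
        self.sessions = {}   # sid -> {"user": ...}

    def password_step(self, user, password):
        if USERS.get(user, {}).get("password") != password:
            return None
        token = secrets.token_urlsafe(16)
        self.pending[token] = user
        return token

    def mfa_step(self, token, code):
        user = self.pending.get(token)
        if user is None or not secrets.compare_digest(USERS[user]["mfa_code"], code):
            return None
        del self.pending[token]          # token is single-use
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user}
        return sid

    def can_view_dashboard(self, sid):
        return sid in self.sessions


def mfa_bypass_check(auth_cls):
    """True if an authenticated page is reachable after the password step alone."""
    auth = auth_cls()
    credential = auth.password_step("alice", "correct horse")
    return auth.can_view_dashboard(credential)


def full_login(auth_cls, code="123456"):
    """True if the complete password + MFA flow reaches the dashboard."""
    auth = auth_cls()
    credential = auth.password_step("alice", "correct horse")
    sid = auth.mfa_step(credential, code)
    return auth.can_view_dashboard(sid)


if __name__ == "__main__":
    for cls in (FlawedAuth, HardenedAuth):
        print(cls.__name__, "bypass:", mfa_bypass_check(cls),
              "normal login:", full_login(cls))
```

Both designs let a legitimate user through, which is why the flaw survives functional testing; only the check that stops after the password step separates them. The hardened version also rejects a wrong code without ever creating a session.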
A developer implemented an "Upload Resume" feature in a career portal without implementing guardrails. What is the reason that would cause an unrestricted file-upload vulnerability?
Technical skills alone are not enough to define the proficiency of a penetration tester. While understanding how vulnerabilities can be exploited is important, knowing how to effectively execute penetration tests is equally valuable. This task covers some of the behaviours and habits that can help penetration testers produce meaningful results.
Good vs Bad Mindset During a Penetration Test
In order to produce meaningful results from a penetration test, it is critical to have a methodical and structured approach. In addition, the ability to adapt to changing environments is essential for maintaining quality throughout different assessments. Having a strong foundation and process not only helps achieve comprehensive coverage but also ensures that overall risk is properly assessed.
A good mindset when performing penetration tests includes several qualities. The following examples highlight characteristics that expand on these qualities:
- Understanding the system: In most cases, systems behave differently from one another. Having a strong understanding of how the target operates will help testers plan ahead and gain the context to explore potential exploitation opportunities.
- Attention to detail: Observing how the application behaves and noticing small differences in certain scenarios often results in impactful findings.
- Constant curiosity: Constantly asking "What if?" type of questions helps uncover many ideas that can be explored and open further opportunities to identify weaknesses.
- Prioritising critical areas: Focusing on high-impact functions before lower-risk features ensures that effort is directed towards areas where security issues would cause greater business impact.
- Thinking in context: Understanding how a feature is used and what data it handles helps assess risk more accurately and allows findings to be evaluated based on real-world consequences rather than technical severity alone.
- Creative thinking: Hardened systems usually create an assumption that weaknesses may not exist. Approaching these systems with creativity allows a tester to identify weaknesses that could otherwise be overlooked. This approach may involve linking two vulnerabilities in order to achieve greater impact.
A poor mindset when performing penetration tests can reduce the quality of an assessment and lead to missed or inaccurate findings. The following examples highlight characteristics that could result in unreliable testing:
- Rushing to exploitation: Attacking a system without understanding how it works often leads to overlooked weaknesses. Additionally, this approach can increase the risk of disrupting systems, which could lead to limitations in testing.
- Ignoring context: Focusing only on technical success without considering business impact could result in findings that are lacking real-world relevance.
- Over-reliance on tools: Depending too much on automated tools without proper analysis may produce false positives or miss logic-based issues that require manual testing.
- Making assumptions: Assuming how a system or functionality works without verification may cause testers to overlook important behaviours.
- Tunnel vision: It is easy to become fixated on one functionality, especially if a tester thinks that it will lead to a critical finding. This behaviour typically leads to time wasted, which can reduce coverage and prevent exploration of other areas that may contain more significant weaknesses.
- Blindly following a checklist: While having a comprehensive checklist is useful in ensuring full coverage, depending on it too much could reduce a tester's ability to think creatively and lead to missed opportunities for more significant findings. Additionally, it could create an assumption that testing is finished once the checklist is completed.
The table below summarises the contrast between effective and ineffective mindsets during a penetration test.
| Effective Mindset | Ineffective Mindset |
|---|---|
| Understand the system: Study how the target operates before testing | Rushing to exploitation: Attacking without understanding the system |
| Attention to detail: Notice subtle behavioural differences | Ignoring context: Reporting findings without business relevance |
| Constant curiosity: Ask "what if?" to uncover new opportunities | Over-reliance on tools: Missing logic flaws that require manual testing |
| Prioritise critical areas: Focus effort on high-impact functions first | Making assumptions: Guessing system behaviour without verification |
| Think in context: Assess risk by real-world consequence | Tunnel vision: Fixating on one area at the cost of coverage |
| Creative thinking: Chain vulnerabilities for greater impact | Blindly following a checklist: Missing deeper issues outside the list |
Common Best Practices During a Penetration Test
Applying best practices throughout a penetration test helps maintain consistency and improve the overall quality of the engagement. The following examples highlight common habits that strengthen the testing process and the value of the final results:
Maintaining Good Notes
Keeping detailed notes throughout a penetration test helps a tester track their activity, findings, and observations as the assessment progresses. Good notes make it easier to reproduce issues later if required, and ensure that nothing important is forgotten.
For instance, if a vulnerability is discovered early in the assessment, having detailed notes allows the tester to revisit it later without repeating the entire process.
Collecting Evidence
Similar to maintaining good notes, collecting evidence such as screenshots, tool output, or logs supports the validity of findings and provides clear proof of impact. Collecting evidence while testing helps save time by avoiding unnecessary reproduction of issues during reporting, which could take a considerable amount of time.
Managing Time
Penetration tests are performed within fixed timelines. Managing time effectively allows a tester to balance effort across different areas and ensure that sufficient time is spent on critical functions and reporting. Instead of spending hours on a low-impact feature, it is better to prioritise authentication or access control functionalities where security failures would have a greater impact.
Additionally, working on the report as you go is a good habit that significantly helps in managing time effectively. Oftentimes, reporting effort is included in the timeline and ensuring that it is performed within the timeline is crucial in preventing burnout and ensuring that deliverables are submitted in a timely manner. One scenario where reporting as you go becomes useful is when a critical risk finding is discovered towards the end of an engagement. Documenting new findings alongside existing ones and collecting evidence can be time consuming. This could create unnecessary pressure, especially when the engagement is about to conclude.
Proactive Communication
Maintaining proactive communication during a penetration test helps keep the engagement on track by providing regular progress updates and highlighting blockers early. Communicating roadblocks allows issues to be addressed as soon as possible. While no engagement is perfect, proactive communication ensures that effort can be redirected when needed, support can be provided, and the overall impact on coverage can be reduced.
Staying Professional
Professional behaviour throughout the penetration testing lifecycle builds trust between the tester and the organisation that is being assessed. Respecting scope boundaries, handling sensitive data responsibly, and conducting testing in a controlled manner are some of the essential habits that maintain professionalism.
Professionalism also applies when it comes to communicating a finding to stakeholders. Explaining a finding's business impact rather than just the technical details helps stakeholders understand its significance. It also reinforces the tester's credibility and reliability.
What characteristic includes attacking without understanding how a functionality or system works?
What common best practice helps in reproducing findings later?
What common best practice could help prevent blockers from impacting the coverage of a penetration test?
Ethics, permission, and trust are three principles that must be taken into account in order to ensure that assessments are conducted professionally. Because penetration testing often requires access to sensitive systems and data, enforcing these principles is essential in protecting organisational assets and minimising risk throughout the assessment. Following these principles ensures that activities are aligned with the organisation's goals.
Ethics
Ethics in penetration testing is demonstrated by responsibly assessing systems that may contain sensitive data or critical functionalities. Ethical behaviour helps a penetration tester make responsible decisions throughout an assessment, ensuring that actions are intentional and justified. Examples of how ethical behaviour is enforced in practice during a penetration test are:
- Respecting the defined scope and avoiding activities outside authorised boundaries
- Avoiding actions that could disrupt systems and services
- Handling sensitive data responsibly and only accessing data that is required to demonstrate impact
- Stopping and reporting unexpected access to highly sensitive or out-of-scope systems
- Redacting sensitive data in reports to prevent unintended disclosure
Permission
Permission in penetration testing is established through formal authorisation and a clearly defined scope before executing an engagement. Obtaining proper authorisation ensures that all activities are approved by the organisation being assessed and align with their expectations and goals. The following examples illustrate how permission is respected in practice during a penetration test:
- Obtaining written authorisation before initiating any testing activities
- Defining a clear scope and adhering to the agreed-upon scope of testing
- Confirming testing windows and approved methods before conducting potentially disruptive actions
- Seeking clarification when uncertainty exists about whether a system or action is in scope
- Pausing and notifying the organisation if activities may exceed authorised boundaries
Trust
Organisations may initially be cautious when allowing external testers to assess their systems. However, many organisations rely on independent assessments by external parties to properly evaluate and improve their security posture. Therefore, establishing trust from the very beginning is valuable. The examples below illustrate how trust can be built and maintained during a penetration test:
- Providing status updates periodically to reassure stakeholders that testing is progressing as planned
- Being transparent about limitations, blockers, and uncertainties during testing in order to receive proper assistance
- Reporting findings accurately and clearly demonstrating business impact
- Providing actionable recommendations that help eliminate or mitigate risks
- Addressing organisational concerns promptly and adapting communication style to technical and non-technical stakeholders
Ethics, permission, and trust are principles that allow penetration testing to exist as a professional security practice. These principles ensure that testing is performed professionally and thoroughly, while also protecting both the tester and the systems being assessed. By consistently applying these principles throughout an engagement, penetration testers help preserve the credibility of penetration testing as a trusted, reliable, and professional security practice.
What defines boundaries during a penetration test?
What type of impact should findings demonstrate clearly?
What type of data must be removed from reports to prevent unintentional disclosure?
In this room, we have explored penetration testing as a professional discipline that focuses on understanding systems, assessing risk, and thinking critically rather than simply exploiting vulnerabilities. Effective testing requires the context of the system that is being tested to provide meaningful results. Discovered weaknesses can only become significant when the business impact is clearly demonstrated.
We have also covered habits that contribute to effective testing, alongside behaviours that can reduce the quality of an assessment. With the correct mindset, ethical behaviour, and professional conduct, engagements can produce valuable outcomes and build trust between testers and organisations.
Carry the knowledge from this room forward as you progress towards becoming a responsible penetration tester. The technical techniques that you will learn next will become far more effective when supported by the principles and approaches that were introduced in this room.
Practical Assessment
Click the View Site button below to start an engaging activity. This activity has been prepared for you to check your understanding of the topics in this room. Your task is to help a tester determine the best decision that they can make to maintain professionalism during an assessment. Upon completion of the task, paste the presented flag as the answer to the question below.
Complete the task and submit the flag.