- Mastering Kali Linux for Web Penetration Testing
- Michael McPhee
- 414 words
- 2025-02-27 22:38:42
Guidelines for Preparation and Testing
Understanding how target applications are built, as discussed in Chapter 1, Common Web Applications and Architectures, will certainly help us go further than a cursory pen test. All of this understanding can be a double-edged sword, though: more complex applications can overwhelm even the most technically skilled testers. When we're testing, we need to ensure we are covering the entire scope of the requirements. It may be tempting to do this on the fly, but if you are anything like me, we're going to need a plan. Having a rigorous process and well-understood rules will help us provide consistent, valuable information to our customers. This extra formal treatment will also ensure we get full coverage of the scope that we've agreed upon with our customers.
These plans can exist either as part of the customer's process or as something that we bring through a contract – we may be internal employees or contractors, or we may be brought in as outside consultants. In the first case, you may be tasked with testing your own employer's environment or products, and your orders will likely flow from internal processes or project requirements. Ad hoc testing ordered by management isn't uncommon, but be sure that the scope and processes are formally agreed upon to ensure all parties are protected. In the latter case, you or your employer may be hired by a customer to provide testing. In these cases, the scope, Statement of Work (SOW), and contract as a whole will need to be vetted by both parties to ensure that boundaries are preserved.
Throughout the entire process, keep in mind why we are there – we're there to help the customers, not to humiliate or show up their staff. Whether your involvement in testing is by invitation or by mandate, the ethical hacking community should commend organizations that submit to testing, as it may be our own personal data or financial status that is at stake someday. Let's do what we can to make sure we're not tomorrow's victims.
In this chapter, we'll discuss the following:
- Some of the comprehensive testing frameworks that we can draw upon and modify for our own use
- Ethical and legal principles that can guide our conduct
- Guidance on setting up a lab and sanctioned targets for rehearsing the testing skills we'll be exploring throughout this book