
Penetration Testing

Simulated cyberattacks performed by ethical hackers to find security vulnerabilities before real attackers do.

Full definition

Penetration testing (pen testing) is an authorized simulated attack on a system to identify security vulnerabilities that could be exploited by malicious actors.

Pen testing types:

  • Black-box: Tester has no knowledge of the system (like a real attacker)
  • White-box: Tester has full knowledge (code, architecture, credentials)
  • Gray-box: Tester has partial knowledge (like an authenticated user)

Pen testing phases:

  1. Reconnaissance: Gather information about the target
  2. Scanning: Identify open ports, services, vulnerabilities
  3. Exploitation: Attempt to exploit found vulnerabilities
  4. Post-exploitation: Determine the impact (data access, privilege escalation)
  5. Reporting: Document findings, severity, and remediation

The OWASP Top 10 guides most web application pen tests.

Pen testing vs vulnerability scanning:

  • Vulnerability scanning is automated — finds known vulnerabilities
  • Pen testing is manual — exploits vulnerabilities to prove impact

QA engineers don't typically perform full pen tests, but understanding the basics helps identify common security issues during regular testing.
