Generally, the team will start with an initial connection to the website over the Internet. Depending on the scenario, the team may have accounts provisioned for them by the client, which they can use to test the website(s), or they may register accounts themselves.
It is common for this type of testing to be performed against a dedicated copy of the website(s); however, the consultant teams are also experienced in testing against live, production environments.
The team will typically work through the following phases, and depending on their progress, may repeat stages several times to ensure the best possible coverage can be obtained in the time allowed:
- Reconnaissance – Understanding the website, its hosting environment, and any potential points of compromise.
- Scanning – Automated detection of potentially vulnerable pages and parameters and, depending on the scope, exposed services on the hosting server.
- Vulnerability Assessment – Identification and exploitation of OWASP Top Ten 2017 vulnerabilities.
- Business Logic Testing – Identification and exploitation of flaws in business logic, for example payment processing systems.
- Username Harvesting – Attempting to identify the usernames of existing accounts, particularly those with administrative access.
- Password Guessing – Attempting to gain unauthorised access by guessing the passwords of identified accounts.
- Source Code Analysis – If provided or obtained during testing, the source code of the website(s) will be assessed for any remotely exploitable vulnerabilities that were not otherwise identified.
- Cleanup – Wherever possible, leaving minimal evidence of the engagement.
- Offline Analysis – Analysing any data obtained during the engagement to understand the potential impact of a compromise on the client.
- Reporting – Ensuring that the client gains a full understanding of the engagement's findings, together with recommended solutions to address any issues identified.