Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents.
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.
Pen test strategies include:
Target Testing - Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out.
A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, service and application flaws, improper configurations, or risky end-user behavior.
Penetration testing a black box testing technique in which an authorized attempt is made to violate specific constraints stated in the form of a security or integrity policy of the system, application, network or database. It is a testing technique for discovering and documenting all the security holes that can be found in a system.
Security testing can never prove the absence of security flaws but it can prove their presence.
Penetration Testing Stages:
Syllabus for Penetration Testing Course
Chapter 1 - Web Architectures
Chapter 2 - Web Application Introduction
Chapter 3 - PHP-Basics
Chapter 4 - Sessions & Cookies
Chapter 5 - XSS Attacks
Chapter 6 - Advanced SQLI
Chapter 7 - Cross Site Request Forgery
Chapter 8 - Session Hijacking
Chapter 9 - Web based DDOS Attacks
Chapter 10 - PHP Injection
Chapter 11 - Web Based Worms
Chapter 12 - Flash based Web Attacks
Chapter 13 - I-Frame based Web Attacks
Chapter 14 - Clickjacking
Chapter 15 - Attack frameworks: AttackAPI & BeEF
Chapter 16 - Penetration testing on DVWA
Chapter 17 - Honeytokens
Chapter 18 - OWASP Top 10
Chapter 19 - Metasploit and Web Application
Chapter 20 - PHP Curl
Chapter 21 - Automated Bots
Chapter 22 - Phishing 2.0
Chapter 23 - Brute forcing Web Applications
Chapter 24 - Compliance Methodologies and Legalities