Abstract
This chapter focuses on the vulnerability verification step in penetration testing, which is the next step after Vulnerability Identification phase. One of the bigger problems in understanding the state of security within a system or a network is finding out which vulnerabilities are real and which ones are false positives. The step removes any doubt on vulnerabilities. There are four steps within the Information System Security Assessment Framework (ISSAF) methodology in this phase include: finding proof of concept code/tool; testing proof of concept code/tool; writing proof of concept code/tool; and using proof of concept code/tool against target. The “test proof of concept code/tool” step refers to testing the exploit against a test server first, before it is used against the PenTest target. Identifying vulnerabilities help system administrators improve the security of their system by understanding the current risk environment in information security—verification of vulnerabilities shows how bad things can get if there are available exploits. During a penetration test, testers can create their own exploits. In external penetration tests, often the only application available is a Web server, because firewalls are configured to restrict any other communication. Web attacks are very productive attack vectors when successful; a lot of data is available beyond simple login data.
Published Version
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call