Last updated 2017-08-10

Penetration testing

Learn about web security penetration testing

Penetration testing is the practice of launching authorized, simulated attacks against computer systems and their physical infrastructure to expose potential security weaknesses and vulnerabilities.

Tools

A wide variety of security assessment tools are available to assist with penetration testing, including free-of-charge tools, free software, and commercial software.

Specialized OS distributions

Several operating system distributions are geared towards penetration testing. Such distributions typically contain a pre-packaged and pre-configured set of tools. The penetration tester does not have to hunt down each individual tool, which might increase the risk of complications such as compile errors, dependency issues, and configuration errors. Also, acquiring additional tools may not be practical in the tester's context.

Popular penetration testing OS examples include:

  • Kali Linux (which replaced BackTrack in December 2012) based on Debian Linux
  • Parrot Security OS based on Debian and made by Frozenbox network
  • BackBox based on Ubuntu
  • Pentoo based on Gentoo Linux
  • WHAX based on Slackware Linux

Many other specialized operating systems facilitate penetration testing—each more or less dedicated to a specific field of penetration testing.

A number of Linux distributions include known OS and application vulnerabilities, and can be deployed as targets. Such systems help new security professionals try the latest security tools in a lab environment. Examples include Damn Vulnerable Linux (DVL), the OWASP Web Testing Environment (WTW), and Metasploitable.

Software frameworks

  • Metasploit Project
  • nmap
  • w3af
  • OWASP ZAP
  • Burp suite

Automated testing tools

The process of penetration testing may be simplified as two parts:

  1. Discover vulnerabilities—combinations of legal operations that let the tester execute an illegal operation
  2. Exploit the vulnerabilities—Specify the illegal operation

Once the attacker has exploited one vulnerability, they may gain access to other machines, so the process repeats: look for new vulnerabilities and attempt to exploit them. This process is referred to as pivoting.

Vulnerabilities

Legal operations that let the tester execute an illegal operation include unescaped SQL commands, unchanged salts in source-visible projects, human relationships, and old hash or crypto functions. A single flaw may not be enough to enable a critically serious exploit. Leveraging multiple known flaws and shaping the payload in a way that appears as a valid operation is almost always required. Metasploit provides a Ruby library for common tasks, and maintains a database of known exploits.

Under budget and time constraints, fuzzing is a common technique for discovering vulnerabilities. It aims to trigger an unhandled error through random input, which the tester uses to reach less often used code paths; well-trodden code paths are usually free of errors. Errors are useful because they either expose more information (for example, an HTTP server crash that returns a full traceback) or are directly usable, such as buffer overflows.

Imagine a website has 100 text input boxes. A few are vulnerable to SQL injection on certain strings. Submitting random strings to those boxes for a while hopefully hits the buggy code path. The error shows itself as a broken HTML page, half rendered because of an SQL error. In this case, only text boxes are treated as input streams. However, software systems have many possible input streams, such as cookie and session data, the uploaded file stream, RPC channels, or memory. Errors can happen in any of these input streams. The test goal is to first get an unhandled error, and then understand the flaw based on the failed test case. Testers write an automated tool to test their understanding of the flaw until it is correct. After that, it may become obvious how to package the payload so that the target system triggers its execution. If this is not viable, one can hope that another error produced by the fuzzer yields more fruit. The use of a fuzzer saves time by not checking well-exercised code paths where exploits are unlikely.
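The text-box scenario above, as an added example that is not code from the original page: an in-process fuzzer sends random strings to a constructed form handler (SQLite in memory) until it provokes an unhandled database error, then re-tests the resulting hypothesis; the same handler in its parameterized form never errors. The handler names, the alphabet and the sample table are assumptions of this example.

```python
import random
import sqlite3
import string

# Constructed stand-in for the site's database (example data, not from the page).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return db

def lookup_unsafe(db, name):
    # The flaw being hunted: the text box value is spliced into the SQL text.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def lookup_safe(db, name):
    # Hardened form: a bound parameter can never change the query's structure.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

# Alphabet biased toward SQL metacharacters so rarely used code paths are hit sooner.
ALPHABET = string.ascii_letters + string.digits + "'\";-%_ "

def fuzz(db, handler, rounds=500, seed=1):
    """Feed random strings to one input box; return (input, error text) for the
    first unhandled database error, or None if every round was handled cleanly."""
    rng = random.Random(seed)
    for _ in range(rounds):
        probe = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(1, 12)))
        try:
            handler(db, probe)
        except sqlite3.Error as exc:
            return probe, str(exc)  # the error text is the information leak
    return None

def confirm_flaw(db, handler, probe="a'b"):
    """Re-test the hypothesis formed from the failed case: a single quote
    breaks out of the string literal. True means the flaw is understood."""
    try:
        handler(db, probe)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("unsafe handler:", fuzz(db, lookup_unsafe))
    print("safe handler:  ", fuzz(db, lookup_safe))
    print("hypothesis confirmed:", confirm_flaw(db, lookup_unsafe))
```

Only inputs containing a single quote can break out of the literal in the unsafe handler, so every crash the fuzzer reports contains one; the parameterized handler survives the whole run.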

Payload

The illegal operation, or payload in Metasploit terminology, can include functions for logging keystrokes, taking screenshots, installing adware, stealing credentials, or altering data. Some companies maintain large databases of known exploits and provide products that automatically test target systems for vulnerabilities:

  • Metasploit
  • Nessus
  • Nmap
  • OpenVAS
  • W3af
