Step 1 (Information Gathering)
The penetration tester of a WAPT provider locates publicly accessible information related to the client and identifies avenues that could be exploited to gain access to its systems. The tester uses tools such as port scanners to build a complete picture of the software systems on the network. Using this information, the tester assesses the probable impact of each finding on the client.
Step 2 (Planning and Research)
After information has been collected through various tools or manual browsing, the next stage is planning and thorough research. Planning begins by defining the objectives of the penetration test. Goals are then agreed jointly by the tester and the client so that both parties share the same understanding and objectives.
Step 3 (Reconnaissance)
The preliminary information the tester has been able to gather is analyzed. The tester works from the information currently available and may request more if it is considered essential. Also known as passive penetration testing, this step aims to obtain detailed and comprehensive information about the systems.
Step 4 (Vulnerability Detection)
The testers of a competent online WAPT provider understand how a target application responds to various intrusion attempts. Both static and dynamic analysis are used at this stage. Static analysis examines the application code to determine whether it would behave exactly as intended when run; dynamic analysis inspects the application in its running state.
Step 5 (Penetration Testing)
This stage uses web application attacks such as cross-site scripting, backdoors, and SQL injection to uncover a target's vulnerabilities. The testers then attempt to exploit these vulnerabilities to understand the damage they could cause.
Step 6 (Report and Analysis)
The test results are consolidated and compiled into a report that summarizes the sensitive data accessed, the specific vulnerabilities exploited, and so on. Security personnel analyze this report to design strong remediation measures.
Step 7 (Re-Testing)
After the vulnerabilities have been patched and fixed by the web administrator or the person responsible for this, we re-scan for vulnerabilities. If any further vulnerability is found, we repeat the same process from step 1 to step 6. If no vulnerabilities are found, we issue the VAPT certificate to the client.
BLACK BOX testing
- In black-box testing, penetration testers are not given any specific scope by the organization and are not accompanied by any internal member of the organization.
- In this type of testing, NIC-Security penetration testers act as real-world black hat hackers and try to penetrate the organization's website infrastructure using all possible means.
- Pricing for black box testing normally depends on the scope and features of the project. It is normally priced higher, as the time spent penetrating the application is greater than in white box testing.
WHITE BOX testing
- In white-box testing, the enterprise/organization defines the entire scope of work, including the number of websites and their IPs. NIC-Security penetration testers will focus only on the websites defined in the scope.
- A penetration tester or other representative from the organization will accompany the NIC-Security penetration tester within the organization. In white-box testing, the entire VAPT process is monitored by the organization's representative.
- Pricing for white box testing is normally INR 5000/- per website.