
Product Penetration Testing – A Generic Framework

This post outlines the steps of a generic framework for product penetration testing.

Unlike my previous post, which was closer to network penetration testing, this post is about products and their security. The QA team that tests a product usually does not have the right expertise in security testing. Companies should invest in such teams so that security holes surface at an early stage, instead of waiting until go-to-market and facing last-minute hiccups!

Now let’s get into the actual work. Let’s start with black box penetration testing. The following should be in place before testing begins:

  • Collect the IP address of the machine on which the product is installed
  • Credentials of the machine on which the product is deployed (not product or application credentials; if it’s SSO, that’s a different story altogether)
  • Firewall blocking and restrictions should be removed, as this is not network penetration testing
  • The application should be deployed in a separate environment that does not affect production

Step 1: Information Reconnaissance

  • Review public discussion forums for any leaked information on the product
  • Check the product support forums
  • Gather information on the product through search engines

Step 2: Scanning and Application Fingerprinting

  • Discovering application services and the ports used by the application
  • Discovering user access handling flaws
  • Discovering authentication flaws
  • Discovering session management flaws
  • Discovering access control flaws
  • Discovering user input validation flaws
  • Discovering flaws in error handling and input handling
  • Inference from published content
  • Application fingerprinting

Step 3: Exploring the Application Technology and Protocols Used

  • Exploring application protocol requests and responses for flaws
  • Exploring application URLs for flaws and vulnerabilities
  • Exploring cookies used by the application
  • Exploring server-side and client-side functionality for flaws
  • Identifying entry points for user input

Step 4: Enumeration and Application Attacks

  • Enumeration of the content and functionality of the application
  • Enumeration using web spidering and user-directed spidering
  • Discovering hidden content
  • Brute force and dictionary attacks
  • Discovering hidden parameters
  • Buffer overflow attacks
  • Session hijacking and man-in-the-middle attacks
  • Authentication attacks
    • Brute-forcible login
    • Verbose failure messages
    • Using password change and forgotten password functionality
  • Access control attacks

Step 5: Code Injection Attacks

  • Injecting into interpreted languages
  • Injection into SQL
  • Exploiting SQL injection bugs
  • Bypassing login
  • Injecting into different statement types
  • Cross-site scripting (XSS) attacks
  • Exploiting path traversal flaws
  • Stack and heap overflow attacks
  • Database attacks

For white box penetration testing, all of the above steps apply, but in this case you’ll have complete access to the source code, design and architecture documents, database details, etc.

Mainly it’s all about:

  • Product source code review – identify security flaws in the Java, C/C++, etc. program code
  • Database design – identify flaws in the database design
  • Error handling – exception and error handling plays a vital role
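As an added example (not code from the original post), here is the kind of login handler a source code review in the white box phase would flag, together with its hardened form and the checks a tester would run in Steps 4 and 5 (verbose failure messages, bypassing login through SQL injection). The users table, accounts and handler names are constructed for illustration.

```python
"""Login handler as seen in a white-box source review: the unsafe version
splices user input into SQL and returns verbose failure messages; the
hardened version binds parameters and returns a uniform error."""
import sqlite3

# Constructed sample data: an in-memory database with two accounts.
# Passwords are stored in clear only to keep the example short.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)",
               [("alice", "s3cret"), ("bob", "hunter2")])


def login_unsafe(name, password):
    """Flawed: both inputs are spliced straight into the statement text
    (Step 5, SQL injection), and the error text reveals whether the
    account exists (Step 4, verbose failure message)."""
    row = db.execute("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
                     % (name, password)).fetchone()
    if row:
        return (True, "ok")
    known = db.execute("SELECT 1 FROM users WHERE name = '%s'" % name).fetchone()
    return (False, "wrong password" if known else "no such user")


def login_safe(name, password):
    """Hardened: bound parameters keep user input out of the SQL text, and
    the same message is returned whatever the reason for failure."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return (True, "ok") if row else (False, "invalid credentials")


def audit_login(handler):
    """The two checks a tester runs against a login handler; returns findings."""
    # Step 5: does a crafted password value log in without valid credentials?
    bypass = handler("alice", "' OR '1'='1")[0]
    # Step 4: do failure messages differ for unknown vs. known usernames?
    messages = {handler("nobody", "x")[1], handler("alice", "x")[1]}
    return {"login_bypass": bypass, "verbose_failure": len(messages) > 1}


if __name__ == "__main__":
    print("unsafe:", audit_login(login_unsafe))   # both findings True
    print("safe:  ", audit_login(login_safe))     # both findings False
```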

That’s all for now!

Comment, July 5, 2011 at 6:34 PM:

    Thanks Karun, this information is very useful.
