February 22, 2016
A Few Tricks to Manually Pentest a Website (Without Any Tools)
Dear Cybrary Readers,

First, I'd like to say "Thank you" for your enormous support in following and reading my articles. I'll be happy to continue writing new articles related to IT security.

Many people have asked me to concisely explain what happens "under the hood" while a pentester is testing a website. You should know that many things happen, on many levels, over a brief period of time.

This article will explain the basics of how things work and how you can pentest a website without any automated tools.

Many testers worldwide are researching and using tools for pentesting purposes. That's a good practice if you want to save some time and automate many manual tests. However, you may not know what a tool is actually trying to do, since the developer(s) of the tool are the ones with full control over how the test is performed. That's why you have to be careful and choose tools you trust.

Before we begin, I'd like to remind you of some facts to keep in mind:
- A website is rendered only by the web browser, which translates the declarative text content of several technologies (HTML, CSS, JS, etc.) into an actual visual representation. In short, the web browser parses the text in the web files that describe the functionality and appearance of the website, and draws the visual representation from it.
- The server usually keeps all the main logic, data and resources of the website, and usually shares only the allowed/needed services with the client. Whenever a client connects to the server, the two "communicate" in order to exchange the needed information.
- The data between the server(s) and the clients is transmitted via network technologies and protocols. This means that the quality of the service the server is sharing depends directly on the performance, security and availability of the network.