Dear Cybrary Readers,First, I'd like to say "Thank you" for your enormous support in following and reading my articles. I'll be happy to continue writing new articles related to IT security.Many people have asked me to concisely explain what happens "under the hood" while a pentester is testing a website. You should know that many things happen, on many levels, over a brief period of time.This article will explain the basics about how things work and how you can pentest a website without any automated tools.Many testers worldwide are researching and using tools for pentesting purposes. That's a good practice if you want to save some time and automate many manual tests. However, you may not know what a tool is actually trying to do, since the developer/s of the tools are the ones with full control over how the test is performed. That's why you have to be careful and choose tools you trust.
Before we begin, I'd like to remind you of some facts to keep in mind:
- A website is rendered by web browsers only, which translates the declarative text content from more technologies (HTML, CSS, JS etc.) into an actual visual representation. In short, the web browser parses the text in the web files that explain the functionality and appearance of the website, and it draws the visual representation out of it.
- The server usually keeps all the main logic, data and resources of that website, and usually shares the allowed/needed services to the client. Whenever client connects to the server, they "communicate" in order to resolve the situation of sharing the needed information.
- The data between the server/s and the clients is transmitted via the network technologies and protocols. This means that the quality of the service that server is sharing, directly depends of the network performance, security and availability.
Let's begin...- You can manually check if website is available (online) by pinging the hostname or the IP address. The most simple way is to use CMD or Terminal to ping a website. Ping sends a packet to the server, and if it gets a packet back, the server is online.)- You can manually try to find the admin login website. Add /admin, /administration, /administrator at the end of the main url (example: www.example.com/admin), and if it's the default, you will guess it. Then, you can see what type of the website is and research more about it.- You can manually use crawlers to get more links, websites and data related to the website that you are testing. (The web crawler is a bot that tries to visit every link related to the server, and then it indexes the data that was researched).- You can manually write a code script that will provide the test results. Many simple tests are made in Batch scripts (in every OS). Tools do make things easier, but you don't need to install anything for some basic tests. You could also just use the tools from online sources. I prefer to use (http://codebeautify.org/) or (http://tools.seochat.com/category/online-webmaster-tools). I hope that this journey made some things easier to understand. Use your imagination and develop new ways to manually pentest a website. Feel free to support my articles and I wish you great days.