The Actual PENTEST methology


#1

**Can someone explain the actual scope meaning **

for example may companies state out of scope NO AUTOMATION SCANNING but exactly what do they mean by this ?

EXAMPLE

Prohibited Testing

Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure are not allowed.
Do NOT test the physical security of MasterCard offices, employees, equipment, etc.
Do NOT perform any attack that could harm our services (E.g.: DDoS/Spam)
Do NOT attack, in any way, our end users, or engage in trade of stolen user credentials.
Do NOT use automated scanners and tools to find vulnerabilities are strictly not allowed.
Do NOT Perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
You may investigate or target vulnerabilities against your own or test accounts, but testing must not disrupt or compromise any data or data access that is not yours.

The following finding types are specifically excluded from the bounty:

Descriptive error messages (e.g. Stack Traces, application or server errors).
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Fingerprinting / banner disclosure on common/public services.
Disclosure of known public files or directories, (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
CSRF on forms that are available to anonymous users (e.g. the contact form).
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
Lack of Security Speedbump when leaving the site.
Weak Captcha / Captcha Bypass
Forgot Password page brute force and account lockout not enforced.
OPTIONS HTTP method enabled
Username / email enumeration
    via Login Page error message
    via Forgot Password error message
Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    Strict-Transport-Security
    X-Frame-Options
    X-XSS-Protection
    X-Content-Type-Options
    Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    Content-Security-Policy-Report-Only
SSL Issues, e.g.
    SSL Attacks such as BEAST, BREACH, Renegotiation attack
    SSL Forward secrecy not enabled
    SSL weak / insecure cipher suites
Vulnerabilities affecting users of outdated browsers or
    IE < 9
    Chrome < 40
    Firefox < 35
    Safari < 7
    Opera < 13

++++++++++++++++++++++++++++++++++++++++

most of the above does not allow a successful test


#2

I’m not going to read through that entire list right now, because I’m somewhat fatigued with studying this stuff. However, I will speculate.

I would assume that the company that wants the pen-test done makes X amount of money per hour, as long as their servers are up and running. I assume that you already know that doing automated scans does run the risk of crashing services or servers. I don’t know how often this occurs though.

And I think you are right, most of the above restricts a successful test, because an actual malicious hacker will leverage these tools to find a vulnerability. It seems as though they simply want to focus on a critical part of the application without telling you which part.

With that being said I see it’s for the SendSafely program and there are already 10 bugs found. Now I’m a somewhat experienced beginner, and it would be nice to hear what attack route those 10 people took to find the bugs.

TLDR: I agree, seems pretty restrictive, but other white hats on here figured out 10 bugs.


#3

It’s not a pentest, it’s elimination of defined bugs that organisations care enough about to pay for, a traditional web application methodology looks like this http://mdsec.net/wahh/tasks.html and you can do all that when you are the lead on a project, but the crowd source model only affords you what you are told you can play with.

I would stick to the WAHH and simply eliminate that from the scope off the checklist

jobs a good un’