Penetration Testing
A security testing method where authorized testers simulate real-world attacks against a system to identify vulnerabilities before malicious actors can exploit them.
Penetration testing (pen testing) goes beyond automated vulnerability scanning by employing human creativity and attack techniques. Testers attempt SQL injection, cross-site scripting (XSS), authentication bypasses, privilege escalation, and other attacks against the application. Results are documented with severity ratings and remediation recommendations.
Pen tests can be black-box (tester has no internal knowledge), grey-box (tester has partial knowledge like user credentials), or white-box (tester has full access to source code and architecture). For web applications, the OWASP Testing Guide is a widely used framework.
Why It Matters for QA Teams
Websites handle sensitive user data and are constantly targeted by attackers. Penetration testing reveals exploitable vulnerabilities that automated scanners miss, helping teams fix them before a real breach occurs.
Example
A penetration tester discovers that the 'Edit Profile' endpoint does not validate user authorization properly. By modifying the user ID in the API request, they can edit any user's profile, not just their own. This Insecure Direct Object Reference (IDOR) vulnerability is flagged as critical severity.