About MPT testing
Veracode performs all Manual Penetration Testing (MPT) according to industry-standard testing methodologies, where applicable, using specific testing objectives.
Testing types and methodologies
The following table describes testing types, methodologies, and vulnerability types that form the foundation of Veracode MPT.
To learn more, see the Methodology section in the Veracode Detailed PDF Report and Customizable PDF Report of your MPT results.
| Test type | Methodology | Vulnerabilities |
|---|---|---|
| Web application or API | PTES (Penetration Testing Execution Standard), OWASP Testing Guide | OWASP Top 10 and CWE Top 25 |
| Mobile application | PTES, OWASP Mobile Security Testing Guide | OWASP Mobile Top 10 |
| Desktop or thick-client application | PTES, OWASP recommended testing guidance and best practices | Application Logic, Code Injection, Local Storage, Binary Exploitation and Reverse Engineering, Excessive Privileges, Unencrypted Storage of Sensitive Information, Unencrypted Transmission of Sensitive Information, Weak Encryption Implementations, Weak Assembly Controls, Weak GUI Controls, Weak or Default Passwords |
| Internet of Things (IoT) and embedded systems | PTES, OWASP IoT Testing Guide and other industry best practices | OWASP IoT Top 10 |
| Infrastructure and operations (DevOps Penetration Testing) | PTES, NIST SP 800-115, PCI DSS 11.3 (for PCI engagements) | Can vary depending on scope and rules of engagement |
Testing standards
To classify and report vulnerabilities from MPT tests, we use the following industry standards.
- Common Vulnerability Scoring System (CVSS) v3
- Common Weakness Enumeration (CWE)
- Common Attack Pattern Enumeration and Classification (CAPEC) - see the supported attack patterns.
Penetration testing objectives
The stated objectives of a manual penetration assessment are:
- Perform testing, using proprietary or public tools, to determine whether it is possible for an attacker to:
  - Circumvent authentication and authorization mechanisms
  - Escalate application user privileges
  - Hijack accounts belonging to other users
  - Violate access controls placed by the site administrator
  - Alter data or data presentation
  - Corrupt application and data integrity, functionality, and performance
  - Circumvent application business logic
  - Circumvent application session management
  - Break or analyze use of cryptography within user-accessible components
- Determine the possible extent of access to, or impact on, the system by attempting to exploit vulnerabilities
- Score vulnerabilities using the Common Vulnerability Scoring System (CVSS)
- Provide tactical recommendations to address security issues of immediate consequence
- Provide strategic recommendations to enhance security by leveraging industry best practices
Web application penetration testing objectives
The stated objectives of web application and API penetration testing involve using proprietary or public tools to:
- Assess how vulnerabilities might be exploited against a target while establishing a running profile of the attack methods discovered.
- Execute test cases to confirm each vulnerability and attempt to determine its impact on the business.
- Customize and expand attack payloads, accounting for the specifics of the target's implementation and environment.
- Analyze captured data for vulnerability patterns, interpret the results, and develop remediation recommendations.
Detected vulnerabilities
To achieve the stated objectives, pentesters attack your applications to identify the following security vulnerabilities, as applicable to your development environment.
- Cross-Site Scripting (XSS)
- SQL Injection
- Command Injection
- Cross-Site Request Forgery (CSRF)
- Authentication/Authorization Bypass
- Session Management testing, including token analysis, session expiration, and logout effectiveness
- Account Management testing, including password strength, password reset, account lockout, etc.
- Directory Traversal
- Response Splitting
- Stack/Heap Overflows
- Format String Attacks
- Cookie Analysis
- Server-Side Includes Injection
- Remote File Inclusion
- LDAP Injection
- XPath Injection
- Internationalization attacks
- Denial of Service testing at the application layer only
- AJAX Endpoint Analysis
- Web Services Endpoint Analysis
- HTTP Method Analysis
- SSL Certificate and Cipher Strength Analysis
- Forced Browsing