
In this article, we will discuss some “uncommon” password policy best practices that many companies do not follow. They are collected from the Penetration Testing assessments I have conducted over the years.

Company-related Passwords

Let’s take the following scenario:

  1. We have a company named “Hooli”
  2. We enforced a default…


In this article, we will discuss some tests and guidelines that are part of my Web Penetration Testing methodology.

Testing for Username/Email Enumeration

  • through Login Error Message Discrepancy
  • through Forgot/Reset Password Functionality
  • through Registration Form
  • through Response Time Discrepancy
  • through Response Size Discrepancy
  • through Account Lockout Message

Testing for Vulnerable Components

  • Vulnerable Libraries/Server/Proxy/Frameworks
  • Vulnerable WAF
  • Using Wappalyzer Extension


Are you looking to get into Penetration Testing, Ethical Hacking, or Red Teaming? If the answer is yes, then this article is definitely for you!

What is a Penetration Test?

A Penetration Test, commonly called a “Pentest”, is the process of evaluating the security weaknesses of an organization’s assets, using similar methodologies to the ones…

Cristian Cornea

Cyber Security Enthusiast, Freelancer, Researcher, Bug Bounty Hunter and InfoSec Writer.
