Exploitation

During the exploitation phase, the pentester uses the information gathered to carry out an exploit on the target. There are many types of exploits: code injection, gaining access using a cracked password or an unprotected point of entry, man-in-the-middle attacks, and spoofing, to name a few.

Social engineering is an important type of exploit that targets a common weak link in any system: people. Social engineering methods can be as simple as talking to a target to extract information or as dastardly as posing as a technician to break into a secure location or pickpocketing an access card from an employee.

The odds of being detected during this stage are much higher than during the previous stage, enumeration, since there are many digital and physical protections designed to detect and prevent exploits. This is where most script kiddies are stopped in their tracks. A crafty pentester, however, not only has obtained excellent information from the previous stages but also has the tools and experience to know which vulnerabilities and exploits to use in order to maximize success and minimize detection.