Comprehensive Manual Penetration Testing


Comprehensive Manual Penetration Testing (MPT) extends beyond identifying and documenting discrete vulnerabilities. These assessments are more situational: testers create scenarios to investigate whether multiple lower-risk flaws can be compounded into a larger attack scenario.

This testing provides a better understanding of whether identified flaws affect the confidentiality, integrity, or availability (CIA) of the application. For example, a manual tester can use a combination of tools, techniques, and custom approaches to determine whether it is possible for an attacker to:
  • Circumvent authentication and authorization mechanisms
  • Escalate application user privileges
  • Hijack accounts belonging to other users
  • Violate access controls placed by the site administrator
  • Cause unauthorized access to data
  • Alter data presentation
  • Circumvent application business logic
  • Circumvent application session management
  • Break or analyze use of cryptography within user-accessible components

Veracode asks organizations to complete a questionnaire to define the scope of manual penetration testing. The defined scope enables the Veracode team to determine the service offerings that most effectively suit the needs of the assessment while maximizing test coverage.

The test coverage and the composition of identified vulnerabilities generally correlate with the current SANS Top 25 or OWASP Top 10 categories.