How to conduct penetration testing?

1. Perform reconnaissance: gather information about the system you want to pen-test.

2. Discover the technology the system is operating on.

3. Search for information that is secret, sensitive, or classified to the organization and is not supposed to be posted on the web.

4. Assess the site configuration and file management, including the file extensions in use.

5. Evaluate the transmission protocols, such as the SSL/TLS version.

6. Assess the cipher suite being used, and check the cookies and session identifiers.

7. Check for cookies that carry reflected input and are susceptible to forged requests.

8. Assess the methods used for data validation, sanitization, and error handling.