It is important to understand the stages of an application pentest, as doing so lays the groundwork and ensures that the pentester covers all the possible endpoints and performs an efficient scan. A web application pentest is broadly categorized into the following stages:
- Planning and reconnaissance
- Client end code analysis
- Manual testing
- Automated testing
- Exploiting discovered issues
- Digging deep for data exfiltration
- Taking shells
- Reporting
Among these stages, planning and reconnaissance is the most important, because a tester might otherwise miss critical entry points into the application, and those areas might go untested. Let's explore in a little more detail what happens in each stage.