The tech industry is synonymous with abbreviations, and cyber security is no different. 

TLAs (three letter abbreviations), acronyms, other abbreviations and unfamiliar names or terms are the norm. 

As a result, in this blog we have collated an A-Z glossary for the world of pentesting.  In fact, we’ve split the alphabet to create two blogs, starting with the letters A-M.

So, if you are unsure of command injections, want to know the difference between IDS and JWT or Black Box and White Box testing, then read on.

A – Authentication

Almost every system uses a method of authentication, to maintain data confidentiality.  SQL injection can be used to attempt authentication bypass, by convincing a database that a login statement is legitimate.

The most common example is the use of the statement OR 1=1 in a password parameter.

Methods of authentication can include passwords, biometrics, key-based or MFA (multi-factor authentication), all of which have the goal of ensuring that only an authorised person gains access to a resource.

B – Black Box Testing

Most penetration testing can be broken down into either white box or black box testing. These terms are ways of describing how much information a penetration tester has about the target system.

For black box testing, little to no information is provided by a client and a penetration tester is required to test a target in a similar fashion to a cyber criminal.

In the real world, where time costs money, most people opt to conduct white box testing, meaning testers do not have to complete simple actions that take time, but do not offer any real value, for example brute forcing a log in, when it is better to be provided credentials and then test a system.

C – Command Injection

Command injection is typically a web application vulnerability that can include SQL injection, OS injection, LDAP injection.

Ultimately, this vulnerability focusses on an attacker’s ability to submit their own command, which will be executed by the vulnerable service. Most commonly, when referring to Command Injection, people are referring to OS injection, where it is possible to inject commands understood by a server.

Common proof of concepts for this could be a ping request to an attacker-controlled device. Network traffic can then be monitored to see if the victim has attempted to ping the attacker and, if successful, the next step would be to achieve shell access.

D – Data Exfiltration

Data exfiltration is the process of stealing potentially sensitive information from a computer.

The simplest methods to achieve this would be through protocols such as FTP, HTTP or via email.

More advanced techniques can use protocols such as DNS or ICMP to smuggle data out in seemingly legitimate traffic.

E – Encryption

Encryption is the process of converting plain text data into ciphertext, with the goal of protecting it from unauthorised access.

There are two main types of encryption – symmetric and asymmetric:

🔒 Symmetric uses the same key to encrypt and decrypt data

🔒 Asymmetric uses a ‘key-pair’, where there is a public and private key for each person, when sending data:

– the *sender* encrypts to the *recipients* public key

– the *recipient* then decrypts the data with their private key

F – Firewall

A firewall can be a network or host-based system that focusses on incoming and outgoing traffic, and uses specific rules to identify whether it wants to allow it or block it.

Most commonly, firewalls use source and destination ports to understand what traffic is being sent and will act according to its rules.

When hearing the phrase ‘any any’ in the context of a firewall, people are discussing weak rules that are allowing data from any protocol to talk to a computer with any IP address (this is not a good thing, as it means there is no actual filtering happening).

G – GET Request

In web technology, applications will most commonly use POST and GET requests.

GET is an http method that is used to request data from a server. When sending a GET request, parameters will typically be sent via a URL.

This means that it’s not appropriate to send sensitive information via a GET request, as it may be saved in browser history, proxy history, or cached by servers.

H – Hash

A hash is a string of characters created when text has gone through a one-way mathematical algorithm. Once something has been hashed, it cannot be ‘de-hashed’.

Typical uses for hashing are:

🔒 Storing passwords – different operating systems use different hashing algorithms.

🔒 File validation – by creating a hash value of a file, it is possible to provide a method of confirming a file has not been modified (if you download a file and the hash value has changed, then the file has potentially been tampered with).

I – IDS

An IDS – or Intrusion Detection System – is a piece of software that monitors network traffic and will alert a SIEM if it identifies an attack.

It is a passive piece of software that will not stop an attack or protect a company, but will be helpful in starting an incident response process.

If a client has an IDS, it’s not uncommon to whitelist a tester’s IP address during penetration testing, so as not to cause unnecessary alerts and potentially obfuscate a real attack.

J – JWT

A JWT (or JSON Web Token) is a way of providing authentication and authorisation to a web application.

JWTs are made up of three parts:

🔒 Header: defines the type of token and signing algorithm

🔒 Payload: contains the data a pentester would be interested in (username, account privilege etc.)

🔒 Signature: a signature created that will be checked, to make sure that no modifications have happened during transmission.

JWTs can be Base64 decoded to see the information in each of these parts.

K – Key

A key is a piece of data that is used to encrypt or decrypt data.

Instead of using a password, key-based encryption is preferred, as an attacker would need to gain access to the key (which is a file) to be able to decrypt data.

Key-based encryption is commonly used in the SSH protocol, instead of password authentication.

L – Lateral Movement

Lateral movement is the process of moving through a network to gain access to more targets, data, resources.

When a real-world attack occurs, attackers have a ‘breach point’ into a network via their initial attack; however, it is unlikely they will be happy having access to just one device.

Instead, attempts will likely be made to achieve lateral movement, to access servers and domain controllers too.

M – Machine-in-the-Middle

A machine-in-the-middle attack requires an attacker to be able to intercept traffic going between two parties, without either one realising it. This allows the attacker to view all the traffic and potentially see sensitive data.  Common MitM attack methods are:

ARP spoofing – where an attacker must be on the same network and uses the ARP protocol to convince a target they are someone else.

DNS spoofing – where an attacker will intercept and redirect DNS requests to a malicious server that will provide fake IP addresses for websites.

Coming soon – part two of our A-Z of pentesting terms.