Insights from the Field
Every pentest is a learning opportunity. Here are some practical lessons and tips gathered from recent web, mobile, API, and network security assessments - what worked, what didn't, and how you can improve your own testing process.
1. Scoping and Communication Are Everything
- Clarify the scope early - include all domains, APIs, and mobile endpoints. Ask for architecture diagrams and user roles.
- Keep communication channels open with the client for quick clarifications and reporting critical findings. Use a dedicated chat or ticketing system if possible.
- Document assumptions and out-of-scope items to avoid misunderstandings. Confirm test accounts and permissions up front.
2. Recon Pays Off
- Automate subdomain and endpoint discovery (tools like amass, subfinder, ffuf).
- Check for forgotten staging/dev environments - they often yield easy wins.
- Review mobile app traffic for hidden APIs or undocumented endpoints using tools like mitmproxy or Burp Suite.
- Use waybackurls and gau to find legacy endpoints.
3. Don't Rely Solely on Automated Scanners
- Automated tools are great for coverage, but manual testing finds business logic flaws and privilege escalation issues.
- Always validate scanner findings - false positives are common, especially for APIs and mobile endpoints.
- Combine static and dynamic analysis for mobile apps (e.g., MobSF + runtime testing).
4. Test Authentication and Authorization Thoroughly
- Test for IDOR, broken access control, and privilege escalation in both web and mobile apps.
- Try using tokens/cookies from one user with another's account. Check for horizontal and vertical privilege escalation.
- Check for weak password policies, missing MFA, and insecure session management (e.g., JWTs without expiry).
- For APIs, fuzz endpoints with different roles and tokens.
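One way to turn the "JWTs without expiry" check above into a repeatable review step, as an added example that is not from the original post: a small Python audit that decodes a captured token's header and payload (no signature verification, so it is a configuration review aid, not an authentication step) and flags missing exp/iat claims, overlong lifetimes and unsigned tokens. The sample tokens and the MAX_LIFETIME threshold are constructed assumptions.

```python
import base64
import json
import time
from typing import List, Optional

# Assumed review threshold: flag access tokens valid for more than a day.
MAX_LIFETIME = 24 * 3600


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _sample_token(header: dict, payload: dict, signature: str = "") -> str:
    """Build a constructed JWT fixture; the signature segment is a placeholder, not a real MAC."""
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(payload).encode()), signature])


def audit_jwt(token: str, now: Optional[int] = None) -> List[str]:
    """Return a list of session-hygiene findings for one JWT (empty list = nothing flagged)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError):
        return ["malformed: header or payload is not base64url-encoded JSON"]
    findings = []
    if str(header.get("alg", "")).lower() in ("", "none"):
        findings.append("alg is 'none' or missing: token is unsigned")
    if not parts[2]:
        findings.append("empty signature segment")
    if "iat" not in payload:
        findings.append("no iat claim: token age cannot be judged")
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    else:
        lifetime = payload["exp"] - payload.get("iat", now)  # fall back to now if iat absent
        if lifetime > MAX_LIFETIME:
            findings.append(f"exp too far out: lifetime {lifetime}s exceeds {MAX_LIFETIME}s")
    return findings


# Constructed fixtures: one weak session token and one with sane claims.
SAMPLE_NO_EXPIRY = _sample_token({"alg": "none", "typ": "JWT"}, {"sub": "42"})
SAMPLE_GOOD = _sample_token({"alg": "HS256", "typ": "JWT"},
                            {"sub": "42", "iat": 1_700_000_000, "exp": 1_700_000_900}, signature="c2ln")
```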
5. API Security Is Often Overlooked
- Look for excessive data exposure, lack of rate limiting, and missing input validation.
- Test undocumented endpoints and fuzz parameters for hidden vulnerabilities (e.g., Burp Intruder, ffuf).
- Check for GraphQL endpoints and test for introspection and authorization issues.
6. Network Assessments: Basics Still Matter
- Default credentials, open ports, and outdated services are still common issues. Use nmap and nuclei for quick checks.
- Map the network thoroughly and look for pivot opportunities (e.g., VPN, jump hosts).
- Check for exposed management interfaces and weak segmentation.
7. Reporting: Make It Actionable
- Prioritize findings by business impact, not just CVSS score. Explain the real-world risk in plain language.
- Provide clear, reproducible steps and remediation advice. Include curl/HTTPie examples for API issues.
- Include screenshots, PoCs, and affected user roles where possible.
- Offer a debrief call to discuss findings and remediation strategies.
8. Continuous Learning and Improvement
- Keep up with new attack techniques (follow blogs, Twitter, and bug bounty write-ups).
- After each assessment, review what worked and what didn't - update your methodology and checklists.
- Share lessons learned with your team or the community to help others avoid common pitfalls.
Real-World Examples
- Web: HackerOne: IDOR Allows Viewing Private Report Details – Changing an ID in a JSON endpoint revealed details of private bug reports.
- Web: Glovo: Exposed secrets in public repository – Valid AWS, MySQL, and SendGrid secrets were discovered in a publicly accessible GitHub repository.
- API: Khan Academy: Account Takeover via Leaked Credentials – Credentials were found in a specific URL format, allowing unauthorized account access.
- Network: U.S. Dept of Defense: Open Elasticsearch Instance – An Elasticsearch server was exposed to the internet without authentication, leaking sensitive data.
Want to improve your security assessments?
Contact me for a tailored pentest or to discuss lessons learned from your own projects.
Final Thoughts
The best pentesters are always learning. By reflecting on what worked and what didn't, you can continually improve your methodology and deliver more value to your clients. Stay curious, keep testing, and share your lessons with the community!