Hello everyone
After a short break, ComTech is back.

Today’s post will talk about something that is relevant to every pentest, the do’s and the don’ts of pentesting a production environments.
Let’s start:

• Don’t use or use a little as possible automated scanners.
  In application PT – use non, do all manual. In infrastructure PT – use only the most needed ones. The automated scanners that should be avoided include vulnerability scanners (Nessus, OpenVas in infra PT, Burp pro scanner, Acunetix in app PT).
• Perform as much of the test manually.
• Especially don’t use any tools in OT environment (industrial control system, SCADA). These environments are especially sensitive, and a simple port scan might crash them altogether. 
• If you do need to use tools in infra PT, make sure you mark the “safe checks” checkbox if exist (Nessus, OpenVas).
• Don’t use payloads that can cause any damange. This include innocent looking payloads such as the classic XSS and SQLI <script>alert(‘xss’)</script> and ‘ or 1=1– in app PT.
  The first might pop up a message in a production page in a persistent XSS, that would cause embarrassment to the client, and the second, if done in the wrong place, could delete all of the records in a table (if injected to a delete command), or issue a fetch command that would get all of the records and might bring the system down.
• Always clean up after yourself, and do the best effort to delete any testing records and data, especially any data stored in a persistent storage (DB).
• In infra PT (and also relevant to app PT) don’t send a large input to a tested interface, as it might also cause the system to crash.
• If money is involved, always ask the client for QA credit cards. Avoid using your own credit card in PTs. 
• Don’t change any configuration in an admin interface or CMS, unless explicitly permitted by the client.
• Open and use your test emails to make sure you won’t get spammed long after the test is over.
• Don’t do online login brute-force attack without permissions, as it might lockout production users.
• If you are testing a hosted cloud-based system, always make sure you have the appropriate permissions to do so, and that the cloud provider is aware and approves it.
• In spite of what is written above, always talk to the client and match expectations. There might be specific production environments that you could do the don’ts mentioned above.

Stay safe