Security Audit and Penetration Testing: Tools and Methodologies | SoniNow Blog


Tags: security audit, penetration testing, tools, vulnerabilities, testing

Security Audit and Penetration Testing: Tools and Methodologies

Published: 2026-06-23

Read Time: 5 mins

Security testing is not a one-time event — it is a continuous process that evolves alongside your application. A mature testing program combines automated scanning for known vulnerabilities with manual testing for logic flaws and business logic abuse.

Automated Vulnerability Scanning

Automated scanners provide rapid, repeatable coverage for known vulnerability classes. They are the first line of testing but cannot replace manual analysis.

OWASP ZAP (Zed Attack Proxy) is the leading open-source scanner. Integrate it into your CI pipeline for automated passive and active scanning:

```yaml
# GitHub Actions: OWASP ZAP baseline scan
name: Security Scan
on:
  schedule:
    - cron: '0 6 * * 1'  # Weekly Monday scan
  workflow_dispatch:

jobs:
  zap-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start application
        run: docker compose -f docker-compose.test.yml up -d
      - name: Wait for app to be ready
        run: sleep 30
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          target: 'http://localhost:3000'
          rules_file_name: '.zap/rules.tsv'   # per-rule IGNORE/WARN/FAIL overrides
          # -a: include alpha passive rules, -j: use the AJAX spider,
          # -l WARN: only report alerts at WARN level or above
          cmd_options: '-a -j -l WARN'
      - name: Upload ZAP Report
        if: always()                          # keep the report even when the scan fails the job
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: report_json.json
```
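The baseline action only fails the job on rules marked FAIL; a report gate that reads the uploaded `report_json.json` and breaks the build on any High alert gives finer control. This is an added example, not code from the post or from ZAP, and it assumes the layout ZAP writes for its JSON report (a `site` list whose `alerts` carry a string `riskcode` from `"0"` informational to `"3"` high and a list of `instances` with a `uri`); the embedded report is constructed.

```python
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample standing in for the report_json.json ZAP writes
SAMPLE_REPORT = {
    "site": [{
        "@name": "http://localhost:3000",
        "alerts": [
            {"riskcode": "3", "alert": "Cross Site Scripting (Reflected)",
             "instances": [{"uri": "http://localhost:3000/search?q=x"}]},
            {"riskcode": "1", "alert": "Cookie Without Secure Flag",
             "instances": [{"uri": "http://localhost:3000/login"}]},
        ],
    }],
}


def findings_at_or_above(report, min_risk):
    """(risk, name, uri) for every alert instance with riskcode >= min_risk."""
    out = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))   # ZAP emits it as a string
            if risk < min_risk:
                continue
            name = alert.get("alert") or alert.get("name", "unknown")
            for inst in alert.get("instances") or [{}]:
                out.append((risk, name, inst.get("uri", site.get("@name", ""))))
    return sorted(out, reverse=True)


def gate(report, fail_on="High"):
    """CI exit code: 1 when any finding reaches the fail_on level, else 0."""
    threshold = {v: k for k, v in RISK_NAMES.items()}[fail_on]
    hits = findings_at_or_above(report, threshold)
    for risk, name, uri in hits:
        print(f"[{RISK_NAMES[risk]}] {name} at {uri}")
    return 1 if hits else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sys.exit(gate(json.load(fh)))
    sys.exit(gate(SAMPLE_REPORT))
```

Run it as an extra step after the scan (`python zap_gate.py report_json.json`) so the job fails on High alerts while Low and Medium ones are still uploaded for triage.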

Burp Suite Professional is the industry standard for manual penetration testing. Its Intruder tool enables automated parameter fuzzing, Repeater allows request modification and resend, and Scanner provides passive and active vulnerability detection.

```bash
# Burp Suite headless scanning via REST API
# (if the REST API was started with an API key, the path is /<api-key>/v0.1/scan)
curl -X POST "http://localhost:1337/v0.1/scan" \
  -H "Content-Type: application/json" \
  -d '{
    "urls": ["https://staging.soninow.com"],
    "scope": {
      "include": [{"rule": "https://staging.soninow.com"}],
      "type": "SimpleScopeDef"
    },
    "scan_configurations": [
      {"name": "Crawl and Audit - Lightweight", "type": "NamedConfiguration"}
    ]
  }'
```

Manual Testing Methodology

Automated scanners miss business logic vulnerabilities, privilege escalation paths, and multi-step attack chains. Manual testing follows a structured methodology to identify these deeper issues.

Reconnaissance phase: Map the application's attack surface, including all endpoints, parameters, authentication mechanisms, third-party integrations, and administrative interfaces. Tools like subfinder, httpx and katana automate subdomain and endpoint discovery:

```bash
# Discover subdomains and endpoints
subfinder -d soninow.com -all | httpx -silent -probe
# Crawl three levels deep and keep only URLs that carry query parameters
katana -u https://soninow.com -d 3 -silent | grep -E '(\?|&)' | sort -u
```

Authentication testing: Test for weak password policies, user enumeration, credential stuffing resistance, MFA bypass, and session management flaws. Manual testing of login flows often reveals vulnerabilities that scanners miss — rate limit gaps, JWT alg=none acceptance, and session fixation.
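The alg=none check mentioned above is worth understanding from the verifier's side, because the fix is a policy decision in the server rather than a patch to the token. The block below is an added example, not code from the post or from any JWT library: a minimal HS256 verifier that takes the algorithm from a server-side allowlist and compares the HMAC in constant time, plus a helper that builds the unsigned token shape the test submits. `SERVER_SECRET` is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"   # placeholder
ALLOWED_ALGS = {"HS256"}   # server policy; "none" is never on this list


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes = SERVER_SECRET) -> str:
    """Issue a token the way the server does."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def unsigned_token(payload: dict) -> str:
    """The alg=none shape a tester submits to see whether it is accepted."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def verify(token: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the payload only if alg is allowlisted and the HMAC matches."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # 1. The algorithm is decided by server policy, never by the token.
        if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
            return None
        # 2. Recompute and compare in constant time; an empty signature fails.
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(body_b64))
    except ValueError:   # wrong part count, bad base64, bad JSON or UTF-8
        return None
```

A login flow that accepts `unsigned_token(...)` or a token re-signed with a different key is the finding; the verifier above returns `None` for both.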

Authorization testing: Test horizontal and vertical privilege escalation. Attempt to access resources belonging to other users by modifying IDs in URLs and API payloads. Attempt to perform administrative actions as a standard user.

```bash
# Testing horizontal privilege escalation
# Replace user ID in API request and observe response
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.soninow.com/v1/users/1234/profile"

curl -H "Authorization: Bearer $TOKEN" \
  "https://api.soninow.com/v1/users/5678/profile"  # Different user
```
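The two curl calls above cover one pair of users and one resource; the same check is more useful as a regression test that runs every principal against every resource and compares the result with the intended policy. This is an added example, not code from the post or from SoniNow's API: `fake_api` is a constructed in-memory stand-in for the real backend (with a deliberately missing ownership check on `/profile`), and the tokens and user IDs are made up. Point `authz_matrix` at a function that performs real HTTP requests against staging to use it for the actual application.

```python
from typing import Callable, List, Tuple

# Constructed principals: token -> (user_id, role)
TOKENS = {
    "tok-alice": ("1234", "user"),
    "tok-bob": ("5678", "user"),
    "tok-root": ("1", "admin"),
}


def fake_api(token: str, method: str, path: str) -> int:
    """Stand-in backend; /profile deliberately lacks an ownership check."""
    if token not in TOKENS:
        return 401
    user_id, role = TOKENS[token]
    parts = path.strip("/").split("/")           # v1/users/<id>/<resource>
    if parts[:2] == ["v1", "users"] and len(parts) == 4:
        target, resource = parts[2], parts[3]
        if resource == "profile":                 # BUG: any user, any profile
            return 200
        if resource == "payments":
            return 200 if target == user_id or role == "admin" else 403
    if parts[:2] == ["v1", "admin"]:
        return 200 if role == "admin" else 403
    return 404


def expected_status(caller_id: str, caller_role: str, path: str) -> int:
    """Policy oracle: what access control should answer for this caller."""
    if path.startswith("/v1/admin/"):
        return 200 if caller_role == "admin" else 403
    owner = path.split("/")[3]                    # /v1/users/<owner>/...
    return 200 if caller_id == owner or caller_role == "admin" else 403


def authz_matrix(fetch: Callable[[str, str, str], int],
                 paths: List[str]) -> List[Tuple[str, str, int, int]]:
    """Every (token, path, expected, actual) where the API disagrees with policy."""
    violations = []
    for token, (uid, role) in TOKENS.items():
        for path in paths:
            want, got = expected_status(uid, role, path), fetch(token, "GET", path)
            if want != got:
                violations.append((token, path, want, got))
    return violations


PATHS = ["/v1/users/1234/profile", "/v1/users/5678/profile",
         "/v1/users/5678/payments", "/v1/admin/users"]
```

Each row returned is a horizontal (user on another user's resource) or vertical (user on an admin route) escalation finding; an empty list is the pass condition for CI.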

Input validation testing: Test every input field for injection vulnerabilities — SQL, NoSQL, command injection, LDAP injection, and XSS. Use a combination of automated fuzzing and manual payload construction.

Vulnerability Classification and Prioritization

Not all vulnerabilities require immediate action. Classify findings by severity using CVSS v4 scoring, then prioritize remediation based on risk:

Priority Matrix:

| Severity | Exploitable | User Data | Action      |
|----------|-------------|-----------|-------------|
| Critical | Yes         | Yes       | Fix < 24h   |
| High     | Yes         | No        | Fix < 72h   |
| Medium   | Difficult   | Yes       | Fix < 2 wks |
| Low      | Difficult   | No        | Next sprint |

```json
{
  "vulnerability": {
    "id": "VULN-2026-0042",
    "title": "Reflected XSS in search endpoint",
    "severity": "high",
    "cvss": 6.1,
    "endpoint": "/search?q=[payload]",
    "remediation": "Encode output in search results template",
    "effort": "1 hour",
    "due_date": "2026-06-26"
  }
}
```

Reporting Structure

A penetration test report should be actionable, not just alarming. Structure findings to guide remediation efficiently:

  1. Executive Summary: Business-level overview of risk posture, number of findings by severity, and overall recommendations
  2. Methodology: Scope, tools used, testing dates, and limitations
  3. Critical and High Findings: Detailed technical description, proof of concept, affected endpoints, CVSS score, and remediation steps
  4. Medium and Low Findings: Consolidated list with recommended fixes
  5. Re-testing Results: Verification of previously identified vulnerability fixes

## Finding: Stored XSS in User Profile Bio Field

**Severity:** High (CVSS 6.1)
**Endpoint:** POST /api/profile/bio
**Parameter:** `bio`

**Description:** The user profile biography field does not sanitize HTML input.
An attacker can inject `<script>` tags that execute when other users view
the profile page.

**Proof of Concept:**

```http
POST /api/profile/bio
Content-Type: application/json

{"bio": "<script>fetch('/api/steal', {body: document.cookie})</script>"}
```

**Remediation:**
1. Apply HTML sanitization with `sanitize-html` or DOMPurify
2. Restrict allowed tags to `b, i, em, strong, a, p, br`
3. Strip all event handler attributes
4. Add Content-Security-Policy nonce-based protection

**Fix verified:** Yes (2026-06-23)

Tool Integration Pipeline

Automate security testing across the development lifecycle:

```mermaid
graph LR
    Commit --> SAST[Static Analysis - Semgrep]
    SAST --> DAST[Dynamic Analysis - ZAP]
    DAST --> SCA[Dependency Scan - npm audit]
    SCA --> SBOM[SBOM Generation - CycloneDX]
    SBOM --> Report[Consolidated Report]
```

  • Pre-commit: lint-staged hooks run Semgrep SAST rules on changed files
  • CI commit: Run npm audit, Semgrep, and Trivy filesystem scan
  • Nightly: Full OWASP ZAP DAST scan against staging environment
  • Weekly: Dependency scan updates and SBOM generation
  • Quarterly: Full manual penetration test by security team

Remediation Tracking

Track vulnerabilities from discovery through verification. Use a dedicated issue tracker or security platform (DefectDojo, Jira with security labels) to manage findings:

```yaml
# DefectDojo engagement import
defectdojo:
  engagement:
    name: "Q2 2026 Penetration Test"
    product: "SoniNow Application"
    scan_type: "ZAP Scan"
    reimport: true
  findings:
    deduplication: true
    minimum_severity: "Medium"
```

Each finding requires: assigned owner, remediation deadline, verification method, and verification date. Re-testing is not complete until the fix is deployed and the vulnerability is confirmed mitigated.

Regular security testing is essential for maintaining a strong security posture. Our [web development team](/services/web-development) integrates security testing into every phase of development. Contact SoniNow to schedule a comprehensive security audit.