The steps involved in penetration testing are the following:
Discovering a combination of legitimate, intended functions that lets the tester carry out an unintended one.
Unchanged (default) salts in projects whose source is visible.
Human interaction, and the use of outdated hash or cryptographic functions.
Fuzzing is a technique used to discover vulnerabilities. Under this approach the tester tries to provoke an unhandled error by feeding the program random input. Random input lets the penetration tester reach code paths that are rarely exercised. This matters because, as is well known, commonly exercised code paths are usually already free of bugs. Errors can disclose information, for example an HTTP server failure that returns a full traceback.
Take for example a website with several text input boxes. A few of them may be vulnerable to SQL injection on certain strings. So if we probe these text boxes with random strings, one of them may hit the buggy code path. The error then shows up as a broken HTML page, distorted by the SQL error.
A software program has a number of likely input streams, including text boxes, RPC calls, transmitted file streams such as cookie/session data, and storage. Errors can surface on any of these input streams.
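The fuzzing loop described above, as an added example that is not part of the original article: a small in-process harness feeds random strings to a handler, records every unhandled exception together with its traceback (the "information disclosure" the text mentions), and groups the findings by defect class for triage. The two handlers, the SQLite table and the alphabet are constructed for this example; the unsafe handler is the hypothetical "before" (string-concatenated SQL) and the safe handler the hardened, parameterized version, so the same harness doubles as the regression check a tester would keep running until the defect is fixed.

```python
import random
import sqlite3
import traceback
from dataclasses import dataclass


def make_db() -> sqlite3.Connection:
    # Constructed sample data for an in-memory database (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Hypothetical "before" handler: user input is concatenated into the SQL
    # text, so an unbalanced quote reaches the parser and raises an error.
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened handler: the input is bound as a parameter and is never parsed
    # as SQL, so no input string can change the statement's structure.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


@dataclass
class Finding:
    payload: str      # the random input that triggered the error
    error_type: str   # exception class, used to group findings by defect
    trace: str        # full traceback, i.e. what a verbose server would leak


# Constructed alphabet mixing ordinary characters with SQL metacharacters.
ALPHABET = "abc019 '\";-()%_\\"


def random_input(rng: random.Random, max_len: int = 12) -> str:
    length = rng.randint(1, max_len)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def fuzz(handler, iterations: int = 300, seed: int = 1) -> list:
    # Drive the handler with random strings; a fixed seed keeps runs reproducible
    # so a crashing input can be replayed once the code is fixed.
    rng = random.Random(seed)
    conn = make_db()
    findings = []
    for _ in range(iterations):
        payload = random_input(rng)
        try:
            handler(conn, payload)
        except Exception as exc:  # any unhandled error is a finding
            findings.append(Finding(payload, type(exc).__name__, traceback.format_exc()))
    return findings


def summarize(findings: list) -> dict:
    # Group crashing inputs by exception type so the tester can examine the
    # nature of each defect rather than individual inputs.
    summary: dict = {}
    for f in findings:
        summary.setdefault(f.error_type, []).append(f.payload)
    return summary


if __name__ == "__main__":
    for handler in (lookup_unsafe, lookup_safe):
        found = fuzz(handler)
        print(f"{handler.__name__}: {len(found)} unhandled errors")
        for error_type, payloads in summarize(found).items():
            print(f"  {error_type}: {len(payloads)} inputs, e.g. {payloads[0]!r}")
```

Running the harness against the concatenating handler produces a set of crashing inputs dominated by SQLite syntax errors (unterminated strings and the like), while the parameterized handler survives the same inputs without raising, which is exactly the condition a regression test should assert.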
As a penetration tester, the main goal must be to catch an unexpected error and then examine the nature of the defect. Then write an automated tool that tests for it until it is corrected. Package the illegal operation so that its execution will be triggered. The unofficial activity, also known as the payload, can be: