    Pentest/VAPT RoE and Best Practices

    By Shakshi Tripathi, February 3, 2023 (updated February 4, 2023)

    Pentest/VAPT Rules of Engagement (RoE) and Best Practices

    01. Use one Excel spreadsheet as the workpaper for everyone. It should include the project details, the type of project (grey/black box), and the credentials; the raw outputs of Nmap, Dirsearch, Nuclei, and Burp Crawler, each in its own sheet; the issues in a separate sheet; and any other useful information gathered during the test in another tab. Save it using the password-protection feature.

    02. Log your public IPs each day, before starting the test and at the end of the test. This helps in case a client asks you for an investigation. These logs should also go into the workpaper.

    03. Whitelist your IP or a custom User-Agent header to bypass the WAF and test the actual site behind it, so that all issues are discovered. Testing the real site is necessary in case anything happens to the WAF tomorrow or a zero-day is found in it; the client remains protected if the actual site was tested in the past for all flaws.

    04. Use the scanner to cover every possible request and parameter to be tested.

    05. Get consent from the client before running any automated scans. If a client resists, explain the benefits of a controlled automated scan so that no vulnerabilities are missed.

    06. Ensure the scanner profiles are documented in the SOP and shared with the team through a centralized location. At a minimum, create a light-scan and a normal-scan profile for each tool in use, such as Burp Suite, Nessus, Qualys, or other relevant ones.

    07. Create a report review checklist based on the format of the report and share it with the team through a centralized location. Each individual is responsible for reviewing their own report before submitting it to a senior for review.

    08. Generate a mind map for business logic flaws and keep it in the same client folder as the PoCs and the workpaper. Create all the test cases for business logic flaws based on the request parameters.

    09. Use a custom User-Agent header (still in the format of Firefox or Chrome, but with a unique random string of 12 to 15 characters inserted between the product tokens). This helps with an investigation when a client comes to us and says, "We are getting a lot of traffic; are you scanning?"
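The two investigation aids above (daily public-IP logging in item 02 and the tagged User-Agent in item 09) fit together as one small tool. The following is an added example, not code from the original post: it generates a Firefox-format User-Agent carrying a random engagement token, produces the workpaper rows for the start-of-day and end-of-day public IP, and then classifies lines from the client's access log as tester traffic (IP and token both match), partial matches worth a second look (only one of the two matches, e.g. a tester's normal browser on the same egress), or unrelated traffic. The log lines, IPs and token are constructed sample data, and the helper names are this example's own.

```python
"""Added example: tagging engagement traffic so it can be told apart later."""
import ipaddress
import re
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits


def make_engagement_token(length: int = 12) -> str:
    """Random alphanumeric token (12 to 15 characters as the RoE suggests)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_engagement_user_agent(token: str) -> str:
    """A realistic Firefox User-Agent with the token as an extra product token."""
    return ("Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 "
            f"Engagement/{token} Firefox/115.0")


def ip_log_entry(public_ip: str, phase: str, when=None) -> dict:
    """One workpaper row: date, phase ('start' or 'end') and the public IP."""
    ipaddress.ip_address(public_ip)          # raises ValueError on a malformed address
    if phase not in ("start", "end"):
        raise ValueError("phase must be 'start' or 'end'")
    when = when or datetime.now(timezone.utc)
    return {"date": when.date().isoformat(), "phase": phase, "public_ip": public_ip}


# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def attribute_log_lines(lines, tester_ips, token):
    """Split access-log lines into 'ours', 'partial' and 'unknown' buckets."""
    ips = {ipaddress.ip_address(i) for i in tester_ips}
    buckets = {"ours": [], "partial": [], "unknown": []}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            buckets["unknown"].append(line)    # unparsable line: never claim it
            continue
        try:
            from_tester_ip = ipaddress.ip_address(m["ip"]) in ips
        except ValueError:
            from_tester_ip = False
        has_token = token in m["ua"]
        if from_tester_ip and has_token:
            buckets["ours"].append(line)
        elif from_tester_ip or has_token:
            buckets["partial"].append(line)    # e.g. same egress IP, untagged browser
        else:
            buckets["unknown"].append(line)
    return buckets


# Constructed sample data (a real run uses make_engagement_token()).
SAMPLE_TOKEN = "AbC123xYz789"
_OUR_UA = make_engagement_user_agent(SAMPLE_TOKEN)
SAMPLE_LOG = [
    f'203.0.113.10 - - [03/Feb/2023:09:14:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "{_OUR_UA}"',
    f'203.0.113.10 - - [03/Feb/2023:09:14:05 +0000] "GET /admin HTTP/1.1" 403 128 "-" "{_OUR_UA}"',
    '203.0.113.10 - - [03/Feb/2023:12:30:41 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '198.51.100.7 - - [03/Feb/2023:13:02:17 +0000] "GET /wp-login.php HTTP/1.1" 404 256 "-" '
    '"Mozilla/5.0 (compatible; scanner-bot/1.0)"',
]

if __name__ == "__main__":
    print(ip_log_entry("203.0.113.10", "start"))
    result = attribute_log_lines(SAMPLE_LOG, ["203.0.113.10"], SAMPLE_TOKEN)
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)} line(s)")
```

The token goes into the workpaper next to the daily IP rows, so that months later the question "was that you?" can be answered from the client's logs without guesswork; the "partial" bucket is deliberately separate because a shared office egress can carry non-testing traffic from the same IP.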

    10. Ask testers to save their Burp Suite project state separately every single day. This helps future investigation of what we did: did we miss something, or have we covered XYZ? Do not reuse the previous day's Burp state by importing it.

    11. The report must be shared with the client only as a password-protected PDF inside a zip file, and the password must be shared via a different medium (e.g., SMS); avoid third-party cloud apps such as WhatsApp, Teams, or email for the password.

    12. If a project runs for one week, provide an interim one-page summary report on the 3rd or 4th day covering at least the progress of the project, what is done and what is pending, the issues identified, etc.

    13. During a VAPT project, if you find any critical issue, report it immediately using an advisory template and ask the client to get on a call to fix it ASAP, without waiting for the entire project to complete.

    14. Test during the defined hours only, and only from the company's corporate/lab network.

    15. Have dedicated internet access, at minimum a dedicated LAN, to perform VAPT on apps or networks. Ensure your router is not filtering packets based on packet count or request type; it should pass anything and everything through without being "smart".

    16. Ensure that only a few people are testing and flooding packets through the same network. Not all testers should be running clients' projects at the same time on the same network; if they are, balance the load by using dedicated networks.

    17. Create a separate virtual machine or host system for running the VAPT, so it does not affect your existing system. Take a snapshot every month, or at least after any significant change (installing a new tool, deleting something, changing a major configuration, etc.).

    18. Invest in commercial tools and do not use cracked versions. This includes security tools such as Burp Suite, Nessus, and Qualys, as well as MS Office and other productivity tools.

    19. Ensure that, with all these RoEs (Rules of Engagement) in place, the team works in synergy and produces consistent output.

    20. Perform regular reviews and assessments of your VAPT processes and procedures to identify any areas for improvement. This can help ensure that your testing is effective, efficient, and compliant with relevant standards and regulations.

    21. Use a password manager for all the accounts you manage for your company/team and for the passwords of password-protected client reports.

    22. Use a version control system to manage and track changes to your workpapers, tools, and other assets used during VAPT testing. This can help ensure that you have a complete and accurate record of your testing activities and can easily revert to previous versions if needed.
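Items 01, 21 and 22 pull in different directions unless a check enforces the split: the workpaper carries credentials, the password manager is where secrets belong, and the version control system keeps a complete history that can never be scrubbed reliably. The following is an added example, not code from the original post: a small scan that a pre-commit hook can run over staged files so that a workpaper export, a tool config or a script containing an obvious credential is rejected before it enters history. The patterns, the `# allow-secret` opt-out marker and the sample workpaper text are constructed for this example; the hook wiring in the comment is an assumption about how a team would install it.

```python
"""Added example: refuse to commit workpapers or scripts that contain credentials."""
import re
import sys

# Heuristic patterns; tune to the team's own tooling. Order matters: first hit wins.
SECRET_PATTERNS = {
    "password assignment": re.compile(r'(?i)(pass(word)?|pwd)\s*[:=]\s*["\']?[^\s"\']{6,}'),
    "basic-auth in URL": re.compile(r'https?://[^/\s:@]+:[^/\s@]+@'),
    "private key block": re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----'),
    "AWS access key id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
}
ALLOW_MARKER = "# allow-secret"   # explicit opt-out for documented placeholders


def find_secrets(text: str):
    """Return (line_number, pattern_name) for every line that looks like a credential."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, name))
                break
    return hits


def check_files(paths):
    """Map each offending path to its hits; binary or unreadable files are skipped."""
    findings = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="strict") as handle:
                hits = find_secrets(handle.read())
        except (OSError, UnicodeDecodeError):
            continue
        if hits:
            findings[path] = hits
    return findings


# Constructed sample workpaper export used to demonstrate the check.
SAMPLE_WORKPAPER = "\n".join([
    "Project: ACME webapp grey-box (constructed sample)",
    "Password = Summer2023!",
    "api = https://svc:hunter2@api.example.test/v1",
    "nmap -sV -p- 203.0.113.10  (raw output in sheet 2)",
    "-----BEGIN RSA PRIVATE KEY----- (pasted by mistake)",
    "aws_key = AKIAABCDEFGHIJKLMNOP",
    "admin password = see-vault-entry  # allow-secret",
])

if __name__ == "__main__":
    # Assumed hook wiring (.git/hooks/pre-commit):
    #   git diff --cached --name-only -z | xargs -0 python3 secret_check.py
    findings = check_files(sys.argv[1:])
    for path, hits in findings.items():
        for number, name in hits:
            print(f"{path}:{number}: possible {name}; move it to the password manager")
    sys.exit(1 if findings else 0)
```

Running `find_secrets(SAMPLE_WORKPAPER)` flags lines 2, 3, 5 and 6 and leaves line 7 alone because of the marker. The patterns are deliberately loose (a line such as `compass = something` would also trip the first one); in a hook, a false positive costs one marker, while a missed credential costs a history rewrite.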

    23. Understand the feature you are testing in the web app and think about the backend infrastructure, service, or support process behind it; based on that, use a scanner, Intruder, or any automated requests carefully. You may generate a lot of traffic that results in numerous tickets in the support center, e.g., on the Contact Us page, chat box, complaint page, and other similar pages.
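One practical way to apply item 23 is to sort the crawler output before it reaches the scanner. The following is an added example, not code from the original post: it takes a list of crawled URLs, drops hosts outside the agreed scope, diverts pages whose submissions typically reach a human (contact, chat, complaint and similar paths) to a manual-only list, and leaves the rest for the automated scan. The path hints, host list and sample URLs are constructed for this example and would be adapted per client.

```python
"""Added example: keep automated scanning away from pages that create support load."""
from urllib.parse import urlsplit

# Path fragments that usually mean a person or ticketing system receives the request.
SUPPORT_PATH_HINTS = ("contact", "chat", "complaint", "feedback", "support", "ticket")


def is_manual_only(url: str) -> bool:
    """True when the URL path suggests a human-facing intake form or channel."""
    path = urlsplit(url).path.lower()
    return any(hint in path for hint in SUPPORT_PATH_HINTS)


def split_scope(urls, allowed_hosts):
    """Sort crawled URLs into out_of_scope, manual_only and scan buckets (deduplicated)."""
    allowed = {h.lower() for h in allowed_hosts}
    buckets = {"out_of_scope": [], "manual_only": [], "scan": []}
    seen = set()
    for url in urls:
        if url in seen:
            continue
        seen.add(url)
        host = urlsplit(url).hostname          # None for malformed input
        if host is None or host.lower() not in allowed:
            buckets["out_of_scope"].append(url)
        elif is_manual_only(url):
            buckets["manual_only"].append(url)
        else:
            buckets["scan"].append(url)
    return buckets


# Constructed sample crawler output for a grey-box engagement on app.example.test.
SAMPLE_URLS = [
    "https://app.example.test/login",
    "https://app.example.test/contact-us",
    "https://app.example.test/api/chat/start",
    "https://app.example.test/account/profile?id=42",
    "https://cdn.example.test/static/app.js",
    "https://app.example.test/complaint?ref=1",
    "https://app.example.test/login",           # duplicate from the crawler
]

if __name__ == "__main__":
    for bucket, entries in split_scope(SAMPLE_URLS, ["app.example.test"]).items():
        print(bucket)
        for entry in entries:
            print("  ", entry)
```

The manual-only bucket is still tested, just by hand with single requests, and the list of hints should be confirmed with the client during scoping rather than guessed from path names alone.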

    24. Maintain a library of commonly used tools, scripts, and resources that can be used during VAPT testing. This can help streamline the testing process and reduce the time and effort required to conduct testing.

    25. Before closing the engagement, obtain written confirmation from the client that all vulnerabilities or security issues have been addressed.

    26. Maintain an updated VAPT checklist covering at least web, network, iOS, and Android. Share it using a common drive and require everyone to use it. Ensure one person is dedicated to updating it by following weekly/monthly sources of new vulnerabilities, write-ups, etc. The manager must review the checklist.

    We will explore more in upcoming blogs.

    Thank you for reading!
