A vulnerability assessment identifies vulnerabilities in systems and networks to understand threats and risks. Penetration testing simulates cyber attacks to detect exploitable vulnerabilities. There are three types of penetration testing: black box with no system info; white box with full system info; and grey box with some system info. Common vulnerabilities include SQL injection, XSS, weak authentication, insecure storage, and unvalidated redirects. Tools like Nexpose, QualysGuard, and OpenVAS can automate vulnerability assessments.

2. Vulnerability Assessment
 A vulnerability assessment is the process of defining,
identifying, classifying and prioritizing vulnerabilities
in computer systems, applications and network
infrastructures and providing the organization doing
the assessment with the necessary knowledge,
awareness and risk background to understand the
threats to its environment and react appropriately.

3. What is Penetration Testing
 A penetration test, also known as a pen test, is a
simulated cyber attack against your network,
infrastructure, devices, computer system or any other
environment to check for exploitable vulnerabilities.

4. Types of Penetration Tests
 Black Box Penetration Testing
 White Box Penetration Testing
 Grey Box Penetration Testing

5. Black Box Penetration Testing
 In black box penetration testing, tester has no idea
about the systems that he is going to test. He is
interested to gather information about the target
network or system. For example, in this testing, a
tester only knows what should be the expected
outcome and he does not know how the outcomes
arrives. He does not examine any programming codes.

6. White Box Penetration Testing
 This is a comprehensive testing, as tester has been
provided with whole range of information about the
systems and/or network such as Schema, Source code,
OS details, IP address, etc. It is normally considered as
a simulation of an attack by an internal source. It is
also known as structural, glass box, clear box, and open
box testing.
 White box penetration testing examines the code
coverage and does data flow testing, path testing, loop
testing, etc.

7. Grey Box Penetration Testing
 In this type of testing, a tester usually provides partial
or limited information about the internal details of the
program of a system. It can be considered as an attack
by an external hacker who had gained illegitimate
access to an organization's network infrastructure
documents.

8. Penetration Testing Stages

9. Top 10 Common Vulnerabilities
 SQL Injection
 Cross Site Scripting
 Broken Authentication and Session Management
 Insecure Direct Object References
 Cross Site Request Forgery
 Security Misconfiguration
 Insecure Cryptographic Storage
 Failure to restrict URL Access
 Insufficient Transport Layer Protection
 Un-validated Redirects and Forwards

10. Vulnerability Assessment Tools
 Nexpose Community
 QualysGuard
 OpenVAS
 Nikto
 Nmap
 Nessus Professional
 Acunetix
 Netsparker
 IBM AppScan
 Burp Suite

11. Demo Website and VMs
 https://demo.testfire.net
 http://testphp.vulnweb.com
 OWASP Mutillidae II
 Attack-defense online lab