authentication, penetration-testing

Authentication of someone who wants to hire us for a penetration test


I want to start a penetration testing company and I already have the website (created in HTML, CSS and PHP).

A website owner/sysadmin who wants to hire me for a pentest can contact me via mail. He has to say which website he owns and wants to get tested by me.

But there is one problem

If someone claims to be the owner of www.example.com but he isn't and I test it, then the actual owner didn't give me permission and that's illegal. And if I give the report with the vulnerabilities to the person who claims to be the owner of the site, then he can just send a mail to the real owner and he can act like he found the bugs.

So how can I prevent this from happening? (By the way: a web penetration test from my "company" costs about €50-100, which is really cheap.)

Should I ask for the website files as authentication? (Server-side files included, because only the website owner has access to server-side files like PHP.)

Thanks in advance


Solution

  • That isn't really a programming question, but an interesting one.

    You may ask the website owner to put a specific file in the website directory, so it will be accessible by requesting it directly in a web browser.

    You may also create client software that will automate this process and make sure that access to this test file is not blocked by redirect rules. Basically, that's how the Let's Encrypt ACME challenge works.

    Check out this link - https://letsencrypt.org/how-it-works/
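
The file check described in the answer, as an added example that is not part of the original answer: the tester issues a fresh token per request, the client publishes the expected value under that token on the site, and the verifier fetches it while refusing to follow redirects. The path `/.well-known/pentest-auth/`, the function names and the HMAC construction are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import urllib.error
import urllib.request

# Hypothetical challenge location, chosen for this example.
CHALLENGE_DIR = "/.well-known/pentest-auth/"


def new_challenge(domain, secret_key):
    """Return (token, expected_body) for one engagement request.

    The body is bound to the domain and to a key only the tester holds,
    so a value issued for one site cannot be reused for another.
    """
    token = secrets.token_urlsafe(24)
    msg = f"{domain}:{token}".encode()
    body = hmac.new(secret_key, msg, hashlib.sha256).hexdigest()
    return token, body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # Refuse every redirect; urllib then raises HTTPError for the 3xx.
        return None


def verify_challenge(base_url, token, expected_body, timeout=10):
    """True only if base_url itself serves the expected body with HTTP 200."""
    opener = urllib.request.build_opener(_NoRedirect)
    url = base_url.rstrip("/") + CHALLENGE_DIR + token
    try:
        with opener.open(url, timeout=timeout) as resp:
            if resp.status != 200:
                return False
            served = resp.read(256).strip()  # cap the read; body is 64 hex chars
    except (urllib.error.URLError, OSError):
        # 3xx, 4xx, 5xx, DNS failure, timeout: all count as "not verified".
        return False
    # Constant-time comparison of the served value with the issued one.
    return hmac.compare_digest(served, expected_body.encode())
```

The client saves `expected_body` as a file named after `token` under the challenge directory; the tester then calls `verify_challenge("https://www.example.com", token, expected_body)` before agreeing to the engagement.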