What are Black Box, Grey Box, and White Box Penetration Testing?


Pentesters are apparently huge fans of colors. Different roles within pen testing assignments are designated as Red Team, Blue Team, Purple Team and others. Given this, it’s not surprising that different types of pentests are designated by color as well. You may have heard of white-box, black-box, and even gray-box pen testing but may be wondering what these terms mean.

Here, we’ll describe the three types of pentesting, how to choose the right type for a given assignment and how to become a pen tester yourself.

What Are Black, Gray, and White Box Testing?

Pentesting assignments are classified based on the level of knowledge and access granted to the pentester at the beginning of the assignment. The spectrum runs from black-box testing, where the tester is given minimal knowledge of the target system, to white-box testing, where the tester is granted a high level of knowledge and access. This spectrum of knowledge makes different testing methodologies ideal for different situations.

Black-Box Testing

In a black-box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.

This means that black-box penetration testing relies on dynamic analysis of currently running programs and systems within the target network. A black-box penetration tester must be familiar with automated scanning tools and methodologies for manual penetration testing. Black-box penetration testers also need to be capable of creating their own map of a target network based on their observations since no such diagram is provided to them.

The limited knowledge provided to the penetration tester makes black-box penetration tests the (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/SEjdyE4gs_M/