What are Black Box, Grey Box, and White Box Penetration Testing? [Updated 2020]


Pentesters are apparently huge fans of colors. Different roles within pentesting assignments are designated as Red Team, Blue Team, Purple Team and others. Given this, it’s not surprising that different types of pentests are designated by color as well. You may have heard of white-box, black-box, and even gray-box pentesting but may be wondering what these terms mean.

Here, we’ll describe the three types of pentesting, how to choose the right type for a given assignment and how to become a pentester yourself.

Learn about penetration testing and vulnerability scanning

This course introduces important pentesting and vulnerability terminology. This skills course covers

⇒ black/white/gray-box testing
⇒ Vulnerability scanning
⇒ Impact of vulnerabilities

Start your free trial

What are black, gray and white-box testing?

Pentesting assignments are classified based on the level of knowledge and access granted to the pentester at the beginning of the assignment. The spectrum runs from black-box testing, where the tester is given minimal knowledge of the target system, to white-box testing, where the tester is granted a high level of knowledge and access. This spectrum of knowledge makes different testing methodologies ideal for different situations.

Black-box testing

In a black-box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.

This means that black-box penetration testing relies on dynamic analysis of currently running programs and systems within the target network. A black-box penetration tester must be familiar with automated scanning tools and methodologies for manual penetration testing. Black-box penetration testers also need to be capable of creating their own map (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: