Different amounts of information can be provided to the penetration tester before the security audit starts. Depending on what is shared with the pentester, the way the audit is performed changes considerably.
We can list three different configurations:
– Black Box Penetration Testing
– Crystal Box Penetration Testing
– Grey Box Penetration Testing
Let’s review what information is needed at the outset of the audit, and how the pentester works in the different scenarios.
Black Box Penetration Testing
Black Box simply means that you don't see anything: you don't know what's inside the box, the box being the web platform of the target (client). The penetration tester knows the name of the client and perhaps an IP address or a URL. In this situation, the tester has to spend a lot of time exploring and looking for applications, websites and hidden parts of the platform (subdomains, forgotten hosts, unlinked paths).
Black Box testing was mainly done in the past, to make people aware of the risks they face with their web applications. It simulates the behavior of a real attacker who does not (or almost not…) communicate with the client and breaks into the platform.
It is typically not done in real web application testing, for efficiency reasons but also to ensure that the tester stays within the scope the client initially had in mind: without close coordination, there is a risk that the pentester tests an application the client does not want tested, or even worse, one that does not belong to the client at all (a shared hosting neighbour, a third-party CDN or a SaaS provider's infrastructure).
Crystal Box Penetration Testing
Crystal Box, as you can guess, means that you can see everything. The penetration tester has access to almost any information they need: a fully detailed scope (URLs, IPs, ports), details about the application, any number of test accounts, test data, source code… Communication between the pentester and the web application owner must be seamless, so that the pentester can obtain any information about the web application when needed.
Historically performed by internal security teams, this kind of highly cooperative test is increasingly being performed by external security companies as well.
The challenge during this kind of test is mainly on the communication side, and the testing company must be trusted, since it will sometimes get access to the source code of the web application.
This kind of testing can be tightly integrated into the software development life cycle (SDLC) of web applications.
Grey Box Penetration Testing
With Grey Box, you can partially see what's in the box! The penetration tester is provided with limited information, somewhere between black box and crystal box. Usually, the client provides a detailed scope of what needs to be tested (hostnames, IP ranges, ports, applications), to ensure the audit stays within the boundaries of what they want tested. Even though the scope is clearly defined, communication between the pentesting company and the client remains important: it is sometimes needed to clear up doubts about the scope itself, to handle an incident, and more generally to answer questions that speed up the test and in the end produce better results.
Grey Box is the most common type of test performed on web applications; the vast majority of tests performed today fall into that category.
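The scope discussion above (both the out-of-scope risk of black box testing and the client-provided scope of a grey box test) comes down to a check the tester should run before touching any target: is this URL, host or IP actually inside what the client authorised? The following scope gate is an added example written for this article; it is not VAADATA's tooling or code. The scope, the hostnames and the DNS answers are constructed so that it runs offline; in a real engagement you would resolve names live (for instance with socket.getaddrinfo) and compare every returned address against the authorised ranges, which is exactly how a third-party CDN or a shared host behind a scoped name gets caught.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed scope, in the form a client might hand over for a grey box test.
# These assets are hypothetical and not taken from the original article.
SCOPE = {
    "cidrs": ["203.0.113.0/24", "2001:db8::/48"],
    "hosts": ["app.example.com", "*.api.example.com"],
    "ports": {80, 443, 8443},
}

# Constructed DNS answers so the check runs offline. In a real engagement,
# resolve the name live and compare each returned address to SCOPE["cidrs"].
FAKE_DNS = {
    "app.example.com": ["203.0.113.10"],
    "v2.api.example.com": ["203.0.113.20"],
    "cdn.api.example.com": ["198.51.100.5"],   # third-party CDN: not the client's
    "staging.example.com": ["203.0.113.30"],   # client IP, but name not authorised
}


def host_matches(host, patterns):
    """True if host equals a scoped name or sits under a '*.' wildcard entry."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            # '*.api.example.com' covers v2.api.example.com but not api.example.com
            if host.endswith(pattern[1:]) and host != pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def ip_in_scope(ip, cidrs):
    """True if the address falls inside one of the authorised ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def check_target(target, scope=SCOPE, resolver=FAKE_DNS):
    """Return (in_scope, reasons) for a URL, a host:port pair or a bare IP."""
    reasons = []
    parsed = urlparse(target if "://" in target else "//" + target)
    host = parsed.hostname
    if host is None:
        return False, ["unparseable target"]
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    if port not in scope["ports"]:
        reasons.append(f"port {port} not in scope")

    try:
        # Bare IP address: nothing to resolve, just check the ranges.
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Hostname: the name itself must be authorised...
        if not host_matches(host, scope["hosts"]):
            reasons.append(f"hostname {host} not in scope")
        ips = resolver.get(host, [])
        if not ips:
            reasons.append(f"{host} does not resolve")

    # ...and so must every address it points to, or you may end up
    # testing infrastructure that does not belong to the client.
    for ip in ips:
        if not ip_in_scope(ip, scope["cidrs"]):
            reasons.append(f"{host} resolves to {ip}, outside the scoped ranges")
    return (not reasons), reasons


def split_targets(targets, scope=SCOPE, resolver=FAKE_DNS):
    """Partition a target list into (allowed, rejected) before any scanning starts."""
    allowed, rejected = [], []
    for target in targets:
        ok, reasons = check_target(target, scope, resolver)
        (allowed if ok else rejected).append((target, reasons))
    return allowed, rejected


if __name__ == "__main__":
    candidates = [
        "https://app.example.com/login",
        "v2.api.example.com",
        "http://cdn.api.example.com/assets/",
        "staging.example.com:8080",
        "203.0.113.50:443",
        "https://[2001:db8::1]:8443/",
    ]
    allowed, rejected = split_targets(candidates)
    for target, _ in allowed:
        print("IN SCOPE  ", target)
    for target, reasons in rejected:
        print("REJECTED  ", target, "->", "; ".join(reasons))
```

The two rejections are the ones that matter in practice: cdn.api.example.com matches the wildcard the client authorised but resolves to an address the client does not own, and staging.example.com lives on a client IP but was never named in the scope. Both are exactly the cases the article warns about, and both should go back to the client as questions rather than into the scanner.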
As part of its services, VAADATA mainly provides Grey Box testing. This kind of test is the most cost-efficient for clients and requires less involvement from them, which is generally easier to manage and much appreciated.
We also provide highly integrated Crystal Box testing for clients looking for a deeply integrated security strategy.