Black, Grey, White box Pentest

During a security audit, 3 approaches are possible. They reflect different levels of information and access given to pentesters.
The choice of approach for a penetration test depends on your objectives: how deep do you want the tests to go? And do you want to test the external or the internal threat?

Black Box Penetration Test

A black box security audit is carried out in conditions as close as possible to an external attack performed by a remote, unknown attacker. This means that no (or almost no) information is provided to the pentesters before starting the tests.

The expression "black box" refers to the analysis of a system (here, the target) conducted without knowledge of its internal workings[1].

Pentesters only know the name of the target organisation and often an IP address or a URL. The attack surface is therefore broad. Time is first spent exploring the various elements included in the target, before prioritising the attacks according to the elements discovered during this recon phase.

Black box pentesting leaves pentesters free to choose their targets (when the target includes several assets) in order to maximise the impact of discovered vulnerabilities, as in the case of a real malicious attack. This audit requires very little preparation from you as a contractor.

One of the advantages of this approach is that pentesters bring a fresh look at the target and thus a new assessment of potential entry points from an attacker’s point of view. This avoids, for example, focusing tests only on what is perceived as important to secure, while the risks of other elements may be underestimated.

It is possible to conduct a black box pentest without notifying the teams in charge of detecting attacks, in order to see the company’s ability to detect an attack and react appropriately.

White Box Penetration Test

Contrary to the black box, a white box (sometimes called crystal box) security audit means that the maximum amount of information is shared with the pentesters before the audit. The information necessary for the audit is provided in complete transparency. The workings of the target are then known and made visible, hence the term white box.

The information can be architecture documents, administrator access to servers, access to source code…

The white box security audit is not a pentest in itself, since auditors do not place themselves in the position of an attacker. It is a more thorough security analysis than a penetration test, providing a better understanding of where security problems originate. It also uncovers vulnerabilities that are not visible during a pentest, but which may nonetheless pose a security risk.

Grey Box Penetration Test

During a grey box pentest, pentesters start with some information about their target already in hand. This may consist of providing information on the workings of the audit target, providing user accounts on a platform with restricted access, providing access to a target that is not publicly accessible, etc. This allows more in-depth testing, with a better understanding of the context.

For a grey box security audit, the attack surface is a defined scope. This makes it possible to focus tests on elements that have already been identified: the most high-risk areas, sensitive elements, elements accessible internally, etc. It is the audit that enables attacks to be simulated from the position of customers, partners, visitors and employees.

One of the advantages of this approach is that it is possible to set a precise scope for the tests, according to your priorities, for example to test only the latest elements put in production or particularly sensitive functionalities.

In short, and simplified:

  • Black box: tests from the point of view of an external attacker, minimum level of information made available to pentesters
  • Grey box: standard user’s point of view, intermediate level of information shared with pentesters
  • White box: an administrator’s point of view, maximum level of information provided

The vulnerabilities identified during a black box and grey box pentest therefore represent direct and immediate risks for the organisation, while a white box audit enables further security analysis.
It is entirely possible to choose different approaches depending on the targets and the company’s security maturity on different scopes. You can also consult our white paper How to Define the Scope of a Pentest, which gives you the keys to defining a scope and a pentest strategy.

[1] https://en.wikipedia.org/wiki/Black_box