Categories of Penetration Test
When the scope of the penetration test is defined, the category/type of the penetration test
engagement is also defined along with it. The entire penetration test can be Black Box, White Box,
or Gray Box depending upon what the organization wants to test and how it wants the security
paradigm to be tested.
Black Box
A black box penetration test is where little or no information is provided about the specified target.
In the case of a network penetration test this means that the target's DMZ, target operating
system, server version, etc., will not be provided; the only thing that will be provided is the IP ranges
that you would test. In the case of a web application penetration test, the source code of the web
application will not be provided. This is a very common scenario that you will encounter when
performing an external penetration test.
White Box
A white box penetration test is where almost all the information about the target is provided. In
the case of a network penetration test, information on the application running, the corresponding
versions, operating system, etc., is provided. In the case of a web application penetration test,
the application's source code is provided, enabling us to perform static/dynamic "source code
analysis." This scenario is very common in internal/onsite penetration tests, since organizations are
concerned about leakage of information.
Gray Box
In a gray box test, some information is provided and some is hidden. In the case of a network
penetration test, the organization provides the names of the application running behind an IP;
however, it doesn't disclose the exact version of the services running. In the case of a web application
penetration test, some extra information, such as test accounts, back end server, and databases, is
provided.