Читать книгу Web Penetration Testing - Radhi Shatob - Страница 10

What should a Penetration tester know about the system in order to perform a Pen-test? The approach that a Pen-tester should take in order to perform Penetration test should take three different stages, Black box, Gray box and white box tests.

Black Box Pen-test

Black box pen-test is that the Pen-tester has no previous knowledge about the target system and usually takes the approach of uninformed attacker. Black box pen-test simulate a realistic scenario, but some areas of infrastructure may not have tested and does not cover informed attacker penetration attempts.

White Box Pen-test

White box Penetration tests is a pen-testing approach that uses the knowledge of the internals of the target system to elaborate the test cases for example in application Penetration testing the source code of the application is usually provided along with design information or in an infrastructure Pen-testing networks diagrams, infrastructure details, etc. are provided.

The goal of a white box test is to provide as much information as possible to the Pen-tester so that he or she can gain inside understanding of the system and elaborate the test cases based on that. The advantages of a white box Pentest is that it allows to perform deep and through testing, maximizes testing time, extent the testing area and it is realistic enough.

Gray Box Pen-test

In Gray box Penetration test the Pen-tester will have a partial knowledge about the target system to check if this knowledge will allow him to penetrate and gain access to the system. Gray box testing also called gray box analysis which is strategy for software debugging in which the tester has limited knowledge of the internal details of the program.

Gray box testing is non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.