Black Box penetration testing vs White Box penetration testing

One of the common questions that we get from our clients is about the differences between a black box penetration test and a white box penetration test.

White box testing, also known as clear box testing or glass box testing, is a penetration testing approach that uses the knowledge of the internals of the target system to elaborate the test cases. In application penetration tests the source code of the application is usually provided along with design information, interviews with developers/analysts, etc. In infrastructure penetration tests network maps, infrastructure details, etc. are provided. The goal of a white box penetration test is to provide as much information as possible to the penetration tester so that he/she can gain insight understanding of the system and elaborate the test based on it.

White box penetration testing has some clear benefits:

  • Deep and thorough testing
  • Maximizes testing time
  • Extends the testing area where black box testing can not reach (such as quality of code, application design, etc.)

However, there are also some disadvantages:

  • Non realistic attack, as the penetration tester is not in the same position as an non-informed potential attacker

A black box penetration test requires no previous information and usually takes the approach of an uninformed attacker. In a black box penetration test the penetration tester has no previous information about the target system.

The benefits of this type of attack are:

  • It simulates a very realistic scenario

The disadvantages of a black box penetration test are:

  • Testing time cannot be maximized in certain scenarios
  • Some areas of the infrastructure might remain untested

When commissioning a penetration test, there is no right/wrong decision about white box or black box, it really depends on the scenario that needs to be tested.


Share this



Related Articles

Beware of Black Friday hackers

Today is black Friday and many are flocking shops to try and find the best deal of the year… but for those who won’t

Are you visible? Are you involved in the right causes?

It does not matter how many qualifications you have, if you don’t know how to make yourself visible, they still will not be enough.

External Audit of information and communication technology systems of Supervised Financial Institutions (SFIs)

On July 10, 2019, Bank of Uganda issued Instruction Circular ‘EDS.306.2 as a follow-up to circular Ref: EDS.306.2 dated July 13, 2017, with respect

How to nurture good culture, part 2

What is your culture? This question is asked often. Few have the answers. The reason for this is simple: you live culture. There is

About Author