Crystal Box Test
In a crystal box test, we have the source code (or full configuration information of infrastructure components) while performing gray box testing. This test is also known as a white box test. While we normally will not perform a full source code review during a vulnerability or penetration test, we do use the source code to identify vulnerabilities in security functions. Especially vulnerabilities in input validation, cryptographic handling and authorization models can be found much more efficiently this way. Having access to the source code or detailed configuration information during a test allows us to answer the question: “How well is my data really protected?”.
Keep in mind though, that the distinction between black, gray and crystal box testing is not a strict one, mixing forms is possible.
For instance, a common combination when testing web application security is to perform black box testing on the infrastructure, and gray box testing on the application itself. Another common black box penetration test is a pentest of the internal network (plug in and see how far you can get). In such an internal penetration test we have no information upfront and we try to get access to all the data via exploiting vulnerabilities (usually by gaining domain administrator rights during that process).