Black / Gray / Crystal Boxes

Black / Gray / Crystal Boxes

The efficiency and outcome of testing is heavily influenced by the information available to testers upfront. We generally make a distinction between three types of pentesting: black, gray and crystal (also known as white) box testing.

Black Box Test

With a black box test we do not know anything beforehand except for the target addresses. Black box testing provides you with an answer to the question: “What could an average attacker with limited time and resources do?”.

Black box testing typically uncovers ‘low hanging fruit’, but lacks the depth necessary for an answer to questions such as “how well protected is my data really?”. In black box testing, a vulnerability assessment is carried out, identifying entry points for an attacker. Further penetration of the deeper layers is then performed by exploiting concrete vulnerabilities. Since no credentials (usernames and passwords) are available to us, most business logic issues and authorization model failures, will not be identified. However, you will have an excellent view of all attack surfaces an attacker could abuse, using black box testing.

Gray Box Test

The gray box is an intermediate form, where we have credentials to log in, often for various roles (e.g.: user, supervisor, administrator). This is hugely important if the application or device in question contains any sensitive data, such as medical, financial or other data that should only be available to certain users or roles. “Can a user access the data of another user?”, is a question we can only answer adequately with a gray box test. This type of test is the most common for our clients. Black box testing is usually also a part of gray box testing, so that you will be able to differentiate between vulnerabilities that are available to external attackers, and vulnerabilities that can be exploited by authenticated users only.

Crystal Box Test

In a crystal box test, we have the source code (or full configuration information of infrastructure components) while performing gray box testing. This test is also known as a white box test. While we normally will not perform a full source code review during a vulnerability or penetration test, we do use the source code to identify vulnerabilities in security functions. Especially vulnerabilities in input validation, cryptographic handling and authorization models can be found much more efficiently this way. Having access to the source code or detailed configuration information during a test allows us to answer the question: “How well is my data really protected?”.

Common Combinations of Boxes

Keep in mind though, that the distinction between black, gray and crystal box testing is not a strict one, mixing forms is possible. For instance, a common combination when testing web application security is to perform black box testing on the infrastructure, and gray box testing on the application itself.

Another common black box penetration test is a pentest of the internal network (plug in and see how far you can get). In such an internal penetration test we have no information upfront and we try to get access to all the data via exploiting vulnerabilities (usually by gaining domain administrator rights during that process).