In a penetration test, skilled professionals identify vulnerabilities in a target system and then attempt to exploit them, in a simulated attack on the network. Penetration testing comes in many forms, depending on the methods, scope, and goals of the test.
In white box penetration testing, the penetration tester starts with broad access to, and knowledge of, the system being tested. In black box testing, on the other hand, the pen tester starts with no access or knowledge, just as a real-world hacker would. In between lies gray box pen testing, in which the tester starts with limited information.
Penetration testing also varies depending on what specifically is being tested; additional types include network pen testing, physical pen testing, and more. First, let’s dig into white box, black box, and gray box pen testing.
White Box Penetration Testing
In a white box penetration test, the pen testers start with broad knowledge of, and access to, the system being tested, allowing them to conduct a comprehensive audit. This high level of starting access enables them to audit source code, for instance, finding vulnerabilities a black box pen tester might never uncover.
Because they start with access, white box pen tests don’t simulate real cyberattacks quite as closely as the alternatives. Just as in any pen test, white box testers will still attempt to exploit the vulnerabilities they identify. Their starting point, however, is very different from that of an external threat.
Black Box Penetration Testing
In a black box penetration test, the pen testers start with minimal information about, or access to, the system being tested. Black box pen testers have to break into the system from the outside, just like a real attacker would.
This approach is generally less comprehensive than white box pen testing, though it often brings a sharper focus to bear on perimeter security. Black box pen testers have to break in before they can test the system from the inside, and they will often put the better part of their effort into breaching the perimeter. They might try tactics, such as phishing a company's employees, that a white box pen tester, already holding access, would have no need for.
There is a degree of trial and error in any pen test, but especially so in black box testing. Starting from square one, highly skilled pen testers must try out different approaches and adjust their techniques based on what they learn along the way.
Gray Box Penetration Testing
In a gray box penetration test, the pen testers start with limited access. This approach simulates an insider threat, or an external attacker who has already gained a foothold in the system. Starting with low-level credentials, gray box pen testers will try to escalate their privileges beyond that starting point.
Gray box pen tests rely less on trial and error than black box tests, and they simulate real attackers more closely than white box pen tests.
White Box vs Black Box vs Gray Box Pen Testing
White box penetration testing is the most thorough of these methods, especially when it comes to internal security. Complete access enables white box pen testers to scour the system in detail, even auditing code to check software for vulnerabilities. But that thoroughness often comes with a price tag to match, and in any case, white box pen testing doesn’t simulate an actual cyberattack as closely as its counterparts would.
Black box penetration testing closely simulates an actual attack from an external threat. Because testers start on the outside and have to break in on their own, black box testing focuses heavily on perimeter security. It often runs less expensive than white box pen testing, though it’s typically less thorough.
Gray box pen testing strikes a balance: it is more efficient than black box testing, but not quite as thorough as white box testing. Because gray box pen testers start with more information than black box testers, they can more quickly home in on vulnerable areas within a system.
Penetration tests also vary based on what kind of system is being tested. Many of the following types of penetration testing can be undertaken hand-in-hand with the broad approaches outlined above.
Network Penetration Testing
In a network penetration test, the testers identify – and attempt to exploit – security vulnerabilities in a company's network. These testers often focus on the network infrastructure, targeting components such as firewalls, hosts, workstations, printers, routers, and switches. By auditing for vulnerabilities, network pen testing helps companies protect themselves against common network-based attacks, such as man-in-the-middle attacks, and against techniques such as IDS/IPS evasion.
External vs Internal Penetration Testing
Network testing comes in two broad forms. External pen testing, aligned with black box testing, focuses on the network perimeter. The pen testers start on the outside and have to break past controls such as firewalls to gain entry to the network.
In an internal network pen test, the pen testers start within the network. Similar to a gray box pen test, they mimic an insider threat or a long-term threat that has gained basic access to the network.
Wireless Penetration Testing
Wireless penetration testing is a subset of network pen testing that focuses on the organization's wireless local area network (WLAN), along with other wireless protocols, such as Bluetooth. The pen testers will search for weaknesses in encryption and WPA/WPA2 configuration, as well as rogue access points. Wireless pen testing also audits wireless devices, such as keyboards, mice, and printers.
Web App Penetration Testing
Web app penetration testing focuses on web-based applications, such as Google Drive or Spotify. The pen testers will examine everything from code to infrastructure, such as DNS servers. This approach also covers web browsers and browser components, such as plugins or applets.
Client-Side Penetration Testing
Client-side pen testing focuses on the software that runs on the user's side of a connection, such as web browsers and the applications installed on a workstation, and on attacks that target the user's browser or session rather than the server itself. The pen testers will search for weaknesses that enable cross-site scripting, clickjacking, HTML injection, form hijacking, and open redirection, with the ultimate goal of helping companies protect against these types of client-side attacks.
Mobile App Penetration Testing
Mobile app penetration testing focuses on applications for iOS and Android. The testers will vet for issues pertaining to authentication, data storage, API access, and anything else an attacker might exploit. If your business offers a mobile app, this type of pen testing will vet it for any issues that could imperil your users.
Physical Penetration Testing
Where most forms of pen testing focus on digital systems, physical penetration tests focus on physical environments and hardware. These tests include methods such as dumpster diving, lockpicking, on-the-ground surveillance, tailgating, and even breaking down doors to gain entry.
Social Engineering Penetration Testing
A social engineering penetration test focuses on social engineering tactics, such as phishing, tailgating, and impersonation. These tactics are incredibly common – by one estimate, 98% of cyberattacks involve some form of social engineering – so it makes sense to vet your organization against these types of attacks.
PCI Penetration Testing
PCI penetration testing adheres to the requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS) to ensure the protection of cardholder data. The goal is to ensure compliance with the standards outlined by the Payment Card Industry Security Standards Council (PCI-SSC), allowing organizations to assess their attack risk and identify vulnerabilities or non-compliance issues that require correction.
Manual vs Automated Penetration Testing
When we talk about penetration testing, we usually mean manual penetration testing: a team of human experts approaches a system and attempts to identify and exploit security vulnerabilities. These testers often rely on automated tools, such as network vulnerability scanners, but they manually plan and conduct tests as a key part of their process.
Automated penetration testing leans more heavily on automated tools, often in lieu of hands-on testing. It is not as rigorous as a manual pen test, and it does not simulate a real-world attack as closely. It is also less accurate, producing both false negatives and false positives. For these reasons, many compliance standards, such as PCI DSS, require manual pen testing.
But automated pen testing also comes with very real benefits. It’s typically faster and considerably cheaper, which makes it feasible for companies to conduct automated pen testing year-round. Both types have their benefits, and for many the best approach will be a combination of automated and manual pen testing methods.
For more information, see our full comparison of automated scanning vs manual penetration testing.