

Grey Box Testing


What is Grey Box testing?

In addition to the automated and manual tools used for a full, comprehensive Black Box test, the auditor has one more resource: access to the system’s internal structure and source code. A Grey Box test combines a Black Box test, in which the auditor simulates a real, skilled attacker, with a White Box test, in which a highly experienced auditor reviews the code for insecure constructs that put the application in jeopardy.

A Grey Box test provides a full system inspection from both the developer’s perspective and a real malicious hacker’s perspective. It provides full coverage of a wide variety of vulnerabilities and enumerates all potential risks to a given system.

Vulnerabilities Covered

A Grey Box test is a full, comprehensive test that finds the vulnerabilities relevant to both a White Box test and a Black Box test. The testing methodology follows OWASP, which covers a wide range of application security vulnerabilities. Some of the vulnerabilities covered:

  • SQL Injection – taking control over the database
  • Hidden Backdoors – used by attackers to easily infiltrate the system over and over
  • Cross-Site Scripting (XSS) – injecting malicious code into innocent users’ browsers
  • Cross-Site Request Forgery (CSRF) – impersonating an innocent user and performing actions in their name
  • Bypassing Authentication – taking over users’ and administrators’ accounts
  • Authorization Breaches – performing unauthorized actions and accessing unauthorized information
  • Bypassing Crypto – viewing of confidential and private information by unauthorized parties
  • Open Redirects – an open door to phishing attacks and scams
  • Command Injection – injecting commands into a remote server and taking it over
  • Forceful Browsing – bypassing restrictions and performing unauthorized actions
  • Bypassing Business-Logic Restrictions – performing application-specific actions that are not authorized by the company’s regulations
  • LFI/RFI – injecting malicious code into a vulnerable application
  • Denial of Service – making the application unavailable to remote users