In the approach during a pentest – or actually in the amount and details of the information base made available to the penetration tester – three variants can be distinguished: whitebox, graybox and blackbox pentesting.
The blackbox pentest corresponds pretty closely to the information base of a typical external attacker over the Internet. He only knows the company to attack, he has to gather all the other information himself. Be it IP addresses, DNS entries, programming languages used about job offers… the possibilities for information gathering are extensive, but also time-consuming. And thus increase the costs of a pentest in order to get the same result as with the whitebox or graybox approach.
The whitebox pentest is the opposite of the blackbox pentest: here a penetration tester is given all the information and data that he might need: documentation on the IT systems, information about configuration settings, network diagrams or even the source code of web applications by his client. A pentester quickly ends up in an information overload, which again costs time and money.
A good compromise between the whitebox and blackbox pentest is the graybox pentest. The penetration tester usually gets at least all the information here that simply saves him valuable time and that he would have found anyway. In addition, a client does not have to hand over all internal information and documentation. Typically, further information can also be obtained from the pentester by asking his client during the actual test, such as which database system is used by an application. In this way, he can carry out targeted attacks and identify all vulnerabilites in IT systems and IT applications as efficiently as possible.
