What is Gray Box testing?
In addition to the automated and manual tools used for a full, comprehensive Black Box test, the auditor has one more resource: access to the system's internal structures and source code. A Gray Box test combines a Black Box test, in which the auditor simulates a real, skilled attacker, with a White Box test, in which a highly experienced auditor reviews the code for insecure constructs that can put the application in jeopardy.
A Gray Box test provides a full system inspection from both the developer's perspective and a real malicious attacker's perspective. It covers a wide variety of vulnerabilities and enumerates all potential risks to a given system.
Covered vulnerabilities:
A Gray Box test is a full, comprehensive assessment that finds the vulnerabilities relevant to both a White Box test and a Black Box test. The testing methodologies follow OWASP and WASC, which cover a wide range of application security vulnerabilities. Some of the covered vulnerabilities:
- SQL Injection – taking control of the database
- Hidden Backdoors – used by attackers to infiltrate the system again and again
- Cross-Site Scripting – injecting malicious code into innocent users' browsers
- Cross-Site Request Forgery – impersonating an innocent user and performing actions in their name
- Bypassing Authentication – taking over user and administrator accounts
- Authorization Breaches – performing unauthorized actions and accessing unauthorized information
- Bypassing Crypto – exposing confidential and private information to unauthorized people
- Open Redirects – an open door to phishing attacks and scams
- Command Injection – injecting commands into a remote server and taking it over
- Forceful Browsing – bypassing restrictions and performing unauthorized actions
- Bypassing Business-Logic Restrictions – performing application-specific actions that are not permitted by the company's rules
- LFI/RFI – injecting malicious code into a vulnerable application
- Denial of Service – making the application unavailable to remote users
And many other vulnerabilities that can damage your company.