Today we live in a world of rapid technological advancement in every sector we can think of. New technologies and innovations come out almost every day, making human life simpler and easier. To take the most common example, the mobile phone: a person has access to almost every essential service at their fingertips, be it navigation, food delivery, banking, social media or countless other things. Pretty much every business now requires a website, even if it is not an IT company. As businesses increase their dependence on IT, cloud services, social media etc., their cyber security risk also increases at an alarming rate.
Almost every day there is a new headline about a business getting hacked, a ransomware attack, a zero-day attack etc. The way to combat this is through penetration testing. Every company or business that has its own website or mobile application must invest in cyber security for its product to avoid becoming a victim of cybercrime.
Penetration testing can be categorized into three types: black box, grey box and white box. Each type has its own benefits and requirements. In grey box and white box testing, the security tester is given partial or complete information about the product to be tested. This information can be the source code, the language in which the source code is written, the firewall being used, any cloud services etc. Although both grey box and white box testing can help strengthen the product from the inside, organisations should also focus on the real-world scenario of how an adversary (hacker) can compromise the organisation with no inside information about the product.
Black box penetration testing can be described as finding and exploiting vulnerabilities in a system as an outsider. The security tester is provided no information about the target except for a URL in the case of web application testing, or an APK/iOS file in the case of a mobile application. Black box penetration testing can be considered part of Dynamic Application Security Testing (DAST), since it can only be performed on a running application.
Small organisations such as start-ups, which usually do not have much budget for a penetration test, can opt for a black box test, which is cost-effective. These organisations can have their external assets tested for vulnerabilities, such as:
2:- Web application
3:- SaaS apps
5:- Web Servers
6:- Application Servers
While a black box test is not an alternative to a complete security test, it does help in testing the assets from a hacker's point of view. Serious vulnerabilities such as input validation flaws, information disclosure from error messages, server misconfigurations etc. can be found through black box penetration testing.
Here are some of the advantages of black box penetration testing:
1:- It finds exposed vulnerabilities in the network or the application. For example: unnecessary open ports, an application exposing a vulnerable server or framework version etc.
2:- It is capable of detecting issues such as input/output validation errors, information disclosure in error messages, and so on.
3:- It is cheaper to conduct than other types of penetration testing like grey box and white box.
4:- It detects incorrect product builds (e.g. old or missing modules/files).
5:- Since it is a DAST-type test, it can be used to detect implementation and configuration issues.
The penetration test essentially mirrors how a hacker would try to compromise the target.
Black box penetration testing also has drawbacks, such as:
1:- The testing conducted on the target is not thorough. The penetration test does not include source code analysis, and the tester is not provided any information about the target.
2:- The completion time for the whole penetration test is unpredictable. It depends on how big the scope gets during the reconnaissance phase; the experience of the tester also counts.
3:- The whole penetration test is based on guesswork and trial and error.
Many tools can be used for a black box penetration test. They include:
3. Any popular vulnerability scanner
4. OWASP ZAP (Zed Attack Proxy)
Fuzzing: Fuzzing can be used to test web interfaces for missing input checks. It is done by injecting random or custom-crafted payloads/data intended to cause an error in the business logic that results in some kind of information disclosure.
Syntax Testing: This is accomplished by supplying input that contains garbage, misplaced or missing elements, illegal delimiters, and so on. The goal is to determine the outcome when the inputs deviate from the expected syntax.
Exploratory testing: This is testing without the use of a test strategy or the expectation of a specific result. The objective is to use the results or anomalies of one test to inform the next. It is especially useful in black box penetration testing, where a significant discovery might change the course of the entire test.
Data Analysis: This is reviewing the data generated by the target application. It can help in understanding the target application's internal workings.
Monitoring the program or a particular function's flow behaviour: This means altering the input and checking how the target application responds. The response can include time delays, error messages, any particular parameter or header requirements etc.
Test Scaffolding: This is basically automating the task with tools. Some tests, such as fuzzing, are impossible to perform manually because of the number of test cases that have to be checked, so automation is preferred in this case.
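The following sketch ties together syntax testing, response monitoring and test scaffolding as described above; it is an added example, not code from any tool the article names. The `toy_endpoint` and `hardened_endpoint` functions, the `item:qty` input format and the leak patterns are constructed assumptions, and the harness runs in-process against them.

```python
import re
import traceback

# Constructed stand-in for a target (hypothetical): expects "item:qty", leaks internals on bad input.
def toy_endpoint(param):
    try:
        item, qty = param.split(":")
        return 200, f"ordered {int(qty)} x {item}"
    except Exception:
        return 500, "Internal error\n" + traceback.format_exc()

# Same endpoint with input validation and a generic error message.
def hardened_endpoint(param):
    m = re.fullmatch(r"([a-z]+):(\d{1,4})", param)
    if not m:
        return 400, "invalid input"
    return 200, f"ordered {int(m.group(2))} x {m.group(1)}"

# Syntax-testing cases: each deviates from the valid "item:qty" grammar.
def syntax_cases(valid):
    item, qty = valid.split(":")
    return {
        "missing element": item + ":",
        "missing delimiter": item + qty,
        "illegal delimiter": item + ";" + qty,
        "misplaced elements": qty + ":" + item,
        "garbage": "\x00%%\xff{{",
        "padded number": item + ": " + qty + " ",
    }

# Response markers that suggest information disclosure in an error message.
LEAK = re.compile(r'Traceback \(most recent call last\)|File ".+", line \d+|\w+Error:')

def run(endpoint, valid):
    findings = {}
    for name, payload in syntax_cases(valid).items():
        status, body = endpoint(payload)
        notes = []
        if status >= 500:
            notes.append("unhandled server error")
        if LEAK.search(body):
            notes.append("error message discloses internals")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for ep in (toy_endpoint, hardened_endpoint):
        print(ep.__name__, run(ep, "widget:3"))
```

Five of the six malformed inputs make the unvalidated endpoint return a stack trace, while the validated one answers every case with a generic 400 and produces no findings.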