List of attacks and tests performed during penetration testing
What is Gray Box testing?
Using automatic and manual tools aimed to audit a full, comprehensive Black Box test, the auditor has another tool which is accessing the system’s internal structures and code. Gray Box is a Black Box test, whereby an auditor simulates a real, skilled attacker, combined with a White Box test, where a highly experienced auditor tests for insecure code which can put the application in jeopardy.
A Gray Box test provides a full system inspection, from both the developer’s perspective and a real malicious hacker’s perspective. It provides full coverage of a wide variety of vulnerabilities and enumerating all potential risks to a given system.
Gray Box test provides a full, comprehensive test which results in a hybrid between finding vulnerabilities which are relevant for both White Box test and a Black Box test. The testing methodologies are OWASP and WASC methodologies which cover wide-range of application security vulnerabilities. Some of the covered vulnerabilities:
- SQL Injection – taking control over the database
- Hidden Backdoors – used by attackers to easily infiltrate the system over and over
- Cross-Site Scripting (XSS) – injecting malicious code into innocent user’s browsers
- Cross-Site Request Forgery (CSRF) – impersonating an innocent user and performing actions in his name
- Bypassing Authentication – taking over users and administrators accounts
- Authorization Breaches – performing unauthorized actions and accessing unauthorized information
- Bypassing Crypto – viewing of confidential and private info by unauthorized people
- Open Redirects – an open door to phishing attacks and scams
- Command Injection – injecting commands to a remote server and taking over
- Forceful Browsing – bypassing restrictions and perfoming unauthorized actions
- Bypassing Business-Logic Restrictions – performing application-specific actions that are not authorized by the company’s regulations
- LFI/RFI – injecting malicious code to a vulnerable application
- Denial of Service – making the application unavailable to remote users