
As part of a White box Penetration Testing engagement, Nettitude is given information about the infrastructure that is to be tested. This might include network diagrams and schematics that detail the topology, information stores and security devices. Similarly, it could include usernames and passwords required to access VPN accounts and web services delivered externally to Internet-facing users.

It is important for organisations to identify where their Risk and Threat emanate from. If they perceive that it comes from employees, customers or trading partners, it may be beneficial to conduct a White box Penetration Test. Employees, Customers and Trading Partners have knowledge about your Information Assets. They may know that you have an Intranet or Extranet site, and they may also have credentials that allow them to log in to it. They may know employees who work within the organisation, the management structure, the applications that run within the environment, as well as the organisation's overall approach to risk, threat and Information Security as a whole. All of this information can be used to launch more targeted attacks against an infrastructure, which may not be identified as part of a Black Box testing engagement.

In environments where users require credentials to access Web Applications, Nettitude frequently recommends running a White box Penetration Testing exercise. Many aspects of a web infrastructure can only be accessed once logged in, and as a consequence it is prudent to conduct these types of tests as an authenticated user.

White box testing can allow a Penetration Tester to thoroughly assess the security logic implemented within the application itself. For instance, consider the following web application.

Both Fred and Susan are standard users. When Fred logs in, he should be able to see his data and not Susan’s data. Likewise, when Susan logs in, she should be able to see her data and not Fred’s data. By providing Nettitude with 2 sets of user accounts (both with the same privilege level), it is possible to assess the application's access controls that partition one user's data from another's.

Many web applications have multiple privilege levels. For instance, Administrators may be able to log in to the site and perform administrative or system level maintenance on the web application. Nettitude recommends that clients pursuing White box testing provide them with an Administrator login (as well as the 2 standard user logins). Once Nettitude has enumerated what an Administrator can do, our team of Penetration Testers will try to escalate privileges from standard user accounts to those of an administrator, or alternatively access functions and calls that should be associated with those higher privileged accounts only.
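The two checks described above (one standard user reaching another's data, and a standard user reaching administrator functions) can be expressed as an authorization matrix that an application owner runs against their own access-control code. The following is an added example, not Nettitude's code or methodology; the record ids, action names and both `authorize` functions are constructed for illustration, and it assumes an administrator is allowed to read every record.

```python
from itertools import product

# Constructed sample data (not from the page): two standard users and one admin.
ROLES = {"fred": "user", "susan": "user", "admin": "admin"}
OWNER = {101: "fred", 102: "susan"}            # record id -> owning user
ADMIN_ACTIONS = ("delete_user", "view_audit_log")

def weak_authorize(user, action, target=None):
    """Flawed check: no ownership test, and one admin action is unguarded."""
    if user not in ROLES:
        return False
    if action == "delete_user":
        return ROLES[user] == "admin"
    return True  # read_record and view_audit_log pass for any logged-in user

def strict_authorize(user, action, target=None):
    """Deny by default; ownership for reads, role for admin actions."""
    role = ROLES.get(user)
    if action == "read_record":
        # Assumption: admins may read every record.
        return role == "admin" or (role == "user" and OWNER.get(target) == user)
    if action in ADMIN_ACTIONS:
        return role == "admin"
    return False

def audit(authorize):
    """Return (kind, user, action, target) for every request wrongly allowed."""
    findings = []
    for user, record in product(ROLES, OWNER):
        own_or_admin = OWNER[record] == user or ROLES[user] == "admin"
        if authorize(user, "read_record", record) and not own_or_admin:
            findings.append(("horizontal", user, "read_record", record))
    for user, action in product(ROLES, ADMIN_ACTIONS):
        if authorize(user, action) and ROLES[user] != "admin":
            findings.append(("vertical", user, action, None))
    return findings

if __name__ == "__main__":
    for name, fn in (("weak", weak_authorize), ("strict", strict_authorize)):
        print(name, audit(fn))
```

Run as a regression test, an empty findings list means the same-privilege partition and the administrator boundary both hold for every combination in the matrix.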

Nettitude's Penetration Testing services are 100% tailored to our customers' needs and requirements. To find out more about Nettitude's White box Penetration Testing service, please complete our contact form, and a security consultant will respond to your enquiry.
