Blind Spots: An Introduction to Black Box Testing in Penetration Testing

If you want penetration testing that is more realistic, consider the black box testing method. It lets you simulate an attack from the attacker's point of view, which makes the test more realistic.

What Is the Black Box Testing Method?

Black box testing is a method of testing a system without any prior knowledge of its internal structure, internal data, code, or implementation details. The only information given to the penetration tester is the URL of the target and, sometimes, access similar to what an end user would have.

Thus, this test can be done by anyone who is not part of the system's development team. Furthermore, the tester's familiarity with the code does not affect how well the test is carried out.

The goal of this test is to find any weakness that attackers could use to breach the network. The penetration tester focuses on the inputs they put into the system and the outputs the system gives back.

Benefits That You Can Get from This Penetration Test Method

  • This method tests the system in a truer sense, the way a real hacker would
  • This penetration test can help find vulnerabilities inside the application and network
  • Since the test is done at run time, it can also help detect configuration and implementation issues
  • This test can help detect incorrect product builds, such as missing files, missing modules, or old versions
  • Black box testing can help detect people-related security issues when the penetration tester also uses social engineering attacks in the process
  • This test can help detect security issues that come from the environment interacting with vulnerabilities, such as an unhardened OS, improperly configured files and applications, and many others
  • This test can help detect issues such as information disclosure in error messages, output or input validation errors, and many others
  • This test method can be cheaper than other penetration test methods such as white box or gray box testing

The Drawbacks That This Penetration Test Method Has

This penetration test is an important component, especially for application security testing. But you should not use it to replace a comprehensive review of the source code and the internal system.

The reason is that this penetration test method does not include internal testing. This means the system may appear secure simply because the penetration tester could not find vulnerabilities when testing the external component.

The vulnerabilities identified in this test can only indicate that the system has a weakness in its security build. Thus, black box testing cannot highlight important vulnerabilities that are hidden inside the system.

However, the application may actually have a lot of vulnerabilities outside the external component. This is why you still need to perform separate internal testing to confirm whether the system is actually secure from the inside out.

Techniques Used to Do the Black Box Penetration Test

Syntax testing

This technique tests the format used to input data into the system. Usually the penetration tester supplies input with missing elements, misplaced input, illegal delimiters, garbage input, and so on. Then they observe what happens when the input deviates from the syntax the system expects.
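A small syntax-testing harness, as an added example that is not part of the original article. The record format `user=<name>;id=<int>`, the deliberately naive `parse_record` parser, and the rule that only a `ValueError` counts as a clean rejection are all assumptions made for illustration.

```python
# Added example: syntax testing against a local, hypothetical parser.
VALID = "user=alice;id=7"  # constructed sample input in the assumed format

def parse_record(line):
    """Hypothetical parser under test: expects 'user=<name>;id=<int>' in that order."""
    fields = dict(f.split("=", 1) for f in line.split(";"))
    return {"user": fields["user"], "id": int(fields["id"])}

def variants(valid):
    """Derive one malformed input per deviation class named in the text."""
    parts = valid.split(";")
    return {
        "missing_element": ";".join(parts[:-1]),       # drop the last field
        "misplaced_input": ";".join(reversed(parts)),  # fields in the wrong order
        "illegal_delimiter": valid.replace(";", ","),  # wrong field separator
        "garbage_input": "\x00%%%<>",                  # no structure at all
    }

def classify(parser, text):
    """Run one input and classify the observable outcome."""
    try:
        parser(text)
    except ValueError:
        return "rejected"                        # clean, expected refusal
    except Exception as exc:                     # any other exception is a crash
        return "crash:" + type(exc).__name__
    return "accepted"

def run_syntax_tests(parser, valid=VALID):
    """Check the baseline first, then classify every malformed variant."""
    if classify(parser, valid) != "accepted":
        raise ValueError("baseline input must be accepted before testing deviations")
    return {name: classify(parser, text) for name, text in variants(valid).items()}

def findings(results):
    """Anything other than a clean rejection deserves a closer look."""
    return {name: outcome for name, outcome in results.items() if outcome != "rejected"}

if __name__ == "__main__":
    for name, outcome in run_syntax_tests(parse_record).items():
        print(f"{name:18} {outcome}")
```

Here the garbage input is refused cleanly, while the missing element and the illegal delimiter surface an unhandled `KeyError` and the reordered fields are silently accepted; those three are the results worth reporting.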

Full port scan

This technique identifies any open port that might be exposed, or any port that reveals information useful for finding other exploitation vectors or vulnerabilities. Usually the scan covers all TCP ports and some of the popular UDP ports.

Fuzzing

This black box testing technique is applied to web interfaces to find missing input checks. The method is to inject well-crafted or random data into the system, which is why this technique is also often called noise injection.

The goal of this penetration test is to identify any unusual behavior the program shows after being hit with noise injection. If the attack succeeds, the software did not properly check its input, which may result in vulnerabilities that an attacker can exploit further.

Vulnerability scanning

This technique tests the target IP address with a vulnerability scanning tool. The scanning tool goes through the targeted system using known vulnerabilities already collected in the tool's database. With this technique, the penetration tester can see whether the target has any of the known vulnerabilities.

It is important to note that many of the vulnerabilities reported by vulnerability scanning tools can be false positives. That is why the penetration tester needs to confirm manually whether each vulnerability is real. Still, the vulnerabilities detected by the scanning tools can be an initial source that the penetration tester looks into further.

Program behavior monitoring

This technique helps the penetration tester understand the responses given by the program under test. The tester might also find unspecified symptoms that can indicate hidden vulnerabilities. The process can also be automated with tools so the penetration tester does not have to check for anomalies in the program's behavior manually.

Data analysis

This technique reviews data taken from the target application. Using it, the penetration tester can understand how the target functions internally.

Information gathering using open intelligence

This technique lets the penetration tester build a better map of the targeted system they will be working on. The penetration tester uses public resources to collect as much data as possible about the network, system, and application they will test. That way, they can gain some insight into the target they are going to work on.

Exploratory test

This black box testing technique is done without any test plan beforehand and without any expectation of a specific outcome. The reason is that the tester wants the anomalies or outcomes of the test to guide how the test proceeds. This technique is very important in penetration testing, especially since you may find a big outcome that helps shape the way the rest of the test works.

Password attack

This technique is done to find password vulnerabilities in the system, especially since brute forcing the login form is an attack vector commonly used by malicious attackers.

The penetration tester uses a set of common passwords or password scanning tools that automatically test the system to try to gain access. Various methods can be used in this technique, but all share the same goal: to test whether any account in the system uses a weak password.
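The defender-side view of this technique, as an added example that is not part of the original article: a sliding-window check over authentication logs that flags a source producing many failed logins. The log layout, the sample lines, the threshold and window values, and the function name are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "<time> <OK|FAIL> user=<name> src=<ip>" layout is an assumption.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{s:02d} FAIL user=admin src=203.0.113.5" for s in range(0, 10, 2)]
    + [f"2024-05-01T10:01:{10 * i:02d} FAIL user={u} src=198.51.100.7"
       for i, u in enumerate(["ann", "bob", "cy", "dee", "eve"])]
    + ["2024-05-01T10:02:00 FAIL user=joe src=192.0.2.10",
       "2024-05-01T10:02:05 FAIL user=joe src=192.0.2.10",
       "2024-05-01T10:02:09 OK user=joe src=192.0.2.10"]
)

def detect_password_attacks(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: label} for sources with >= threshold failures inside the window.

    Lines must be in time order. One targeted user is labelled brute_force,
    several users from the same source is labelled password_spray.
    """
    recent = defaultdict(deque)  # source ip -> (time, user) failures still inside the window
    alerts = {}
    for line in lines:
        ts, status, user, src = line.split()
        if status != "FAIL":
            continue
        when = datetime.fromisoformat(ts)
        ip, name = src.split("=", 1)[1], user.split("=", 1)[1]
        failures = recent[ip]
        failures.append((when, name))
        while when - failures[0][0] > window:  # expire failures older than the window
            failures.popleft()
        if len(failures) >= threshold:
            users = {u for _, u in failures}
            alerts[ip] = "password_spray" if len(users) > 1 else "brute_force"
    return alerts

if __name__ == "__main__":
    for ip, label in detect_password_attacks(SAMPLE_LOG).items():
        print(ip, label)
```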

Test scaffolding

This technique uses tools to automate the test. With it, the penetration tester can find critical behavior in the program under test that cannot be found through manual testing. The tools used usually also include performance monitoring, test management tools, and debugging.

How to Do Black Box Penetration Test Step by Step

  • Reconnaissance
    The first thing the penetration tester does is gather preliminary information, since in black box testing they have no prior information about the target system at all. During this step the penetration tester gathers intel such as employee information, email addresses, websites, IP addresses, pain points they can expose, and many others.
  • Scanning and enumeration
    In this step the penetration tester goes deeper than in the previous step to find more detailed information about the target. The information gathered during this step includes user accounts, the OS used, user roles, connected systems, software used, versions, and many others.
  • Finding vulnerabilities
    Once the penetration tester has gathered information from the previous two steps, they can try to find vulnerabilities inside the network and system they are targeting. They will also use vulnerabilities found in the third-party applications, systems, and versions that the target uses.
  • Exploitation
    After the vulnerabilities have been identified in the previous steps, it is time for the penetration tester to exploit them and create malicious requests on the system. The penetration tester tries to get into the core of the system using the fastest route they can find.
  • Privilege escalation
    Once the penetration tester has broken into the system, they escalate the access level they obtained to completely take over the system as well as the database.

Conclusion

As you can see, black box testing can help you find vulnerabilities in the network and system. This testing method is more realistic since the penetration tester does not have initial information about the system.

This means the penetration tester has to dig deeper to find the information they need, which can lead them to big vulnerabilities that might be missed if the test were done using another method.
