The next step up from black-box testing is grey-box testing. If a black-box tester is examining a system from an outsider’s perspective, a grey-box tester has the access and knowledge levels of a user, potentially with elevated privileges on a system. Grey-box pen-testers typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network.
WHY PERFORM GREY-BOX TESTING?
The purpose of grey-box pen-testing is to provide a more focused and efficient assessment of a network’s security than a black-box assessment. Using the design documentation for a network, pen-testers can focus their assessment efforts on the systems with the greatest risk and value from the start, rather than spending time determining this information on their own. An internal account on the system also allows testing of security inside the hardened perimeter and simulates an attacker with longer-term access to the network.
Offers the combined benefits of black-box and white-box testing.
Grey-box testers don’t rely on the source code; instead, they rely on interface definitions and functional specifications.
Tests are performed from an attacker’s point of view to identify any risks within the tested scope.
Based on the limited information available, a grey-box tester can design excellent test scenarios, especially around communication protocols and data type handling.