Understanding gray box testing techniques
Testing software allows us to uncover loopholes, vulnerabilities, risks, and threats that could be exploited by malicious attackers, thus compromising the software. While there are various application security testing methods, gray-box (or grey-box) testing—also known as translucent testing—is one of the most popular.
Explaining gray box testing
What is gray box testing?
The gray-box testing method combines white-box and black-box testing techniques to check software products and applications for flaws and security vulnerabilities. It is useful for checking web-based applications and is beneficial in integration testing, penetration testing, and domain testing. Gray-box penetration testing is typically performed with some access to the system, such as valid user credentials, architecture documentation, or API specifications, which lets the tester craft more targeted attacks than a purely external attacker could and uncover flaws that black-box testing alone would miss.
In white-box testing, testers have full knowledge of the source code and the software internals. They can therefore test the application from the developer's point of view, targeting specific code paths and data structures, and feed findings directly back into the code. In black-box testing, on the other hand, the tester or tool has no prior knowledge of the application's internal structure; this method focuses on the external surface of the application (the layer an external attacker would generally have access to). In gray-box testing, the tester has partial knowledge of the application being tested.
Because gray-box testing maintains a good balance between the efficiency of black-box testing and the depth of white-box testing, it is often the testing method of choice.
Example of gray box testing
To better understand gray-box testing, consider a web application that displays a list of posts. When a user clicks a post, they are redirected to a page with further information about the post. For example, the URL structure of a page displaying post details could be www.example.com/post/title-of-the-post/12345, where 12345 refers to the post's unique ID in the database.
With a gray-box testing approach, you may take the following steps:
Click on the post to see if it actually opens a new page.
Verify that the ID parameter in the page's URL matches the ID of the post actually fetched from the database.
Verify that unprivileged users cannot manipulate the ID in the URL to access posts, or fields of a post, that they are not authorized to see (the classic insecure direct object reference check).
Verify that the integrity of the data served has not been compromised, for example by comparing the served content with the stored record.
Using only a black-box testing approach, on the other hand, would involve:
Click on the link to verify that it opens a new page that shows more information about the post.
In this case, however, because the tester does not have access to the application’s internals, it is impossible to tell if the right post was served beyond what the user can inspect through the user interface.
The main difference between white-box and black-box testing is the depth of the tests. Using white-box testing techniques in which the tester has access to the source code allows you to verify things on a deeper level: you can inspect the actual code and data to validate logic correctness, data integrity, and much more.
Gray-box testing allows you to combine an attacker’s perspective with knowledge of the application to discover vulnerabilities.
Every technology and framework has its strengths and weaknesses. With gray-box testing, you can use this knowledge to pen-test an application and to craft sophisticated attacks targeting these weaknesses. For example, if you know the application is written in Java and uses Log4j 2 for logging, you can test specifically for the Log4Shell (CVE-2021-44228) class of vulnerabilities instead of probing blindly.
Gray box vs. white box vs. black box: testing methods
Next, let’s discuss the key differences between the three testing techniques: white-, black-, and gray-box testing.
Testing level
The white-box testing technique allows a security tester to test an application with the highest level of knowledge about the application, whereas the black-box testing technique tests an application from an external attacker’s point of view where no information is provided. Gray-box testing, on the other hand, tests an application with partial knowledge of the application.
Tester role
White-box testing is typically performed by developers and testers who write or understand the code; black-box testing can be performed by testers who do not know the application’s internal structure or code; and gray-box testing can be performed by both developers and security testers.
Skills required
Black-box testing does not necessarily require knowledge of the programming language used and is the least time-consuming, while white-box testing can require in-depth knowledge of the programming language and technology stack and takes the most time. Gray-box testing requires partial knowledge of the language and technology used. White-box testing is therefore the most demanding of the three in terms of skills.
Cost
When it comes to costs, black-box testing is the cheapest testing method, but it usually reveals fewer vulnerabilities because the tester cannot target specific code paths. White-box testing is the most expensive and usually uncovers the most. Gray-box testing falls in the middle in both cost and the number of vulnerabilities discovered.
Types of gray box testing
Next, let’s take a look at the various types of gray-box testing.
Matrix testing
Matrix testing examines the variables an application defines and uses, assessing the business and technical risk attached to each. It also helps identify redundant and unused variables.
Regression testing
Regression testing is a type of software development testing that is performed after changes are made to the product in order to ensure that the software is still working as planned. Software upgrades are conducted regularly; regression testing ensures these updates and changes do not create issues with other parts of the application.
Pattern testing
This test involves examining previous versions of the software to identify the patterns that led to defects or flaws. Those patterns are then used to look for, and prevent, similar problems in the new version of the application.
Orthogonal array testing
This is a statistical test-design technique, not a performance test: it selects a small, balanced subset of input combinations (typically one that covers every pair of parameter values at least once) so that complex applications with many parameters can be exercised with far fewer test cases than a full combinatorial sweep.
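The following is an added example, not code from the original page, of the combinatorial reduction that orthogonal array testing aims at. It uses a greedy all-pairs (pairwise) selection rather than a precomputed orthogonal array, which is the practical approximation most tools use; the three request dimensions and their values are constructed for illustration.

```python
"""Greedy pairwise (all-pairs) test-case selection.

A full sweep of the three constructed parameters below needs 3*3*3 = 27
requests. Pairwise coverage, the goal of orthogonal array testing, only
requires that every (parameter=value, parameter=value) pair appears in at
least one test case, which a much smaller suite can satisfy.
"""
from itertools import combinations, product

# Constructed request dimensions a gray-box tester might vary against an API.
PARAMS = {
    "role": ["anonymous", "member", "admin"],
    "method": ["GET", "POST", "DELETE"],
    "content_type": ["application/json", "application/x-www-form-urlencoded", "text/xml"],
}


def all_pairs(params: dict) -> set:
    """Every (param_i=value, param_j=value) pair that must appear in some test."""
    names = list(params)
    pairs = set()
    for i, j in combinations(range(len(names)), 2):
        for vi in params[names[i]]:
            for vj in params[names[j]]:
                pairs.add(((names[i], vi), (names[j], vj)))
    return pairs


def pairs_in(names: list, combo: tuple) -> set:
    """The pairs covered by one concrete test case (a tuple of values in param order)."""
    return {((names[i], combo[i]), (names[j], combo[j]))
            for i, j in combinations(range(len(names)), 2)}


def pairwise_suite(params: dict) -> list:
    """Greedy: repeatedly pick the full-factorial row that covers the most
    still-uncovered pairs. Enumerates the whole product, so it is meant for
    small parameter sets; it does not guarantee the minimum, only a small suite."""
    names = list(params)
    uncovered = all_pairs(params)
    candidates = list(product(*(params[n] for n in names)))
    suite = []
    while uncovered:
        best = max(candidates, key=lambda c: len(pairs_in(names, c) & uncovered))
        suite.append(dict(zip(names, best)))
        uncovered -= pairs_in(names, best)
    return suite


def covers_all_pairs(params: dict, suite: list) -> bool:
    """Independent check that a suite really hits every pair."""
    names = list(params)
    covered = set()
    for case in suite:
        covered |= pairs_in(names, tuple(case[n] for n in names))
    return covered >= all_pairs(params)


if __name__ == "__main__":
    suite = pairwise_suite(PARAMS)
    print(f"{len(suite)} cases instead of {len(list(product(*PARAMS.values())))}")
    for case in suite:
        print(case)
```

For three parameters with three values each there are 27 distinct pairs and each case covers exactly three of them, so no pairwise suite can have fewer than nine cases; the greedy selection lands at or close to that bound, and `covers_all_pairs` confirms nothing was dropped.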
What to test in gray box testing
There are a number of vital aspects to test in gray-box testing:
Internal security flaws: Test for internal security holes within an application. For example, you may test certain restricted actions that only a logged-in user with an employee or member privilege can perform.
Input flow: Test and understand how specific inputs flow through the application.
Output validation: Detect and test that the expected output is returned.
Code path: Test for broken or poorly structured code paths.
Conditional loop: Test for the behavior of a conditional loop.
Access validation: Verify that only users with the right access can perform an action. For instance, you can test an endpoint that allows only admin users to delete items from an inventory.
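The block below is an added example, not code from the original page, that turns the post-detail scenario described earlier (ID in the URL, database lookup, unauthorized access, integrity) and the access-validation item just above (an admin-only delete endpoint) into executable gray-box checks. The in-memory post table, inventory, users and sessions are constructed stand-ins for a real database and session layer; `get_post_vulnerable` is deliberately insecure so that the check can be seen to fail against it and pass against `get_post_fixed`.

```python
"""Gray-box checks for a post-detail endpoint and an admin-only delete.

What makes these checks gray-box is that the tester knows the data model:
they can compare the ID served with the row fetched, hash the served body
against the stored record, and pick a private post owned by someone else
to probe for insecure direct object references.
"""
import hashlib
from dataclasses import dataclass


# --- constructed backing store (stands in for the database) -------------
@dataclass
class Post:
    post_id: int
    owner: str
    title: str
    body: str
    private: bool


@dataclass
class Session:
    user: str
    role: str  # "member" or "admin"


POSTS = {
    12345: Post(12345, "alice", "title-of-the-post", "public body", False),
    12346: Post(12346, "bob", "draft", "bob's unpublished draft", True),
}
INVENTORY = {1: "widget", 2: "gadget"}


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# --- application endpoints under test -----------------------------------
class Forbidden(Exception):
    pass


def get_post_vulnerable(session: Session, url_post_id: int) -> dict:
    """Insecure direct object reference: any logged-in user gets any post."""
    post = POSTS[url_post_id]
    return {"id": post.post_id, "title": post.title, "body": post.body}


def get_post_fixed(session: Session, url_post_id: int) -> dict:
    """Hardened version: private posts are visible only to their owner or an admin."""
    post = POSTS[url_post_id]
    if post.private and session.user != post.owner and session.role != "admin":
        raise Forbidden(f"user {session.user} may not read post {url_post_id}")
    return {"id": post.post_id, "title": post.title, "body": post.body}


def delete_item(session: Session, item_id: int) -> bool:
    """Admin-only delete; returns True when the item was removed."""
    if session.role != "admin":
        raise Forbidden("only admins may delete inventory items")
    return INVENTORY.pop(item_id, None) is not None


# --- gray-box checks ------------------------------------------------------
def served_id_matches_db(handler, session: Session, url_post_id: int) -> bool:
    """The ID in the URL is the row that was actually served."""
    return handler(session, url_post_id)["id"] == POSTS[url_post_id].post_id


def served_body_is_intact(handler, session: Session, url_post_id: int) -> bool:
    """Integrity: the served body hashes to the same value as the stored record."""
    return sha256(handler(session, url_post_id)["body"]) == sha256(POSTS[url_post_id].body)


def unprivileged_user_blocked(handler, attacker: Session, victim_post_id: int) -> bool:
    """A member who does not own a private post must be refused."""
    try:
        handler(attacker, victim_post_id)
    except Forbidden:
        return True
    return False


def non_admin_cannot_delete(session: Session, item_id: int) -> bool:
    """Access validation: a non-admin must be refused and the item must survive."""
    try:
        delete_item(session, item_id)
    except Forbidden:
        return item_id in INVENTORY
    return False


if __name__ == "__main__":
    alice = Session("alice", "member")
    print("served id matches db:", served_id_matches_db(get_post_fixed, alice, 12345))
    print("vulnerable handler blocks IDOR:", unprivileged_user_blocked(get_post_vulnerable, alice, 12346))
    print("fixed handler blocks IDOR:", unprivileged_user_blocked(get_post_fixed, alice, 12346))
    print("member cannot delete:", non_admin_cannot_delete(alice, 1))
```

Note what the black-box tester cannot do here: without knowing that post 12346 exists, is private, and belongs to bob, there is no way to pick the one ID that distinguishes the vulnerable handler from the fixed one, and without the stored body there is nothing to hash the response against.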
Gray box testing techniques
As automated testing tools and processes have matured, they have simplified the execution of tests against applications. Tool categories such as SAST, DAST, and IAST find many classes of defects automatically, with little manual effort.
In addition to the right tools, gray-box testing requires partial knowledge of the application: some combination of source code, architecture documentation, API specifications, or valid credentials. Without any of these, you are limited to black-box testing.
Following are the steps involved in gray-box testing:
Input selection: Identify and choose inputs for both white-box and black-box testing methods.
Output identification: Identify the anticipated output from the selected inputs.
Path identification: Determine the major paths or all key paths for the testing stage. Take note of additional functions (subfunctions) in the path, as they are part of the primary testing functions for deep-level testing.
Subfunction input: Identify inputs for the chosen subfunctions.
Subfunction output: Again, identify the expected output from the selected subfunctions.
Test case execution: Run the test cases for the subfunctions and verify the results against the expected output.
Repeat: Repeat steps 4 through 6 for the remaining subfunctions and functions.
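As an added example (not code from the original page) of the input-selection, output-identification and path-identification steps above, the block below traces which internal functions each chosen input reaches in a small login flow. The login handler, its subfunctions, the salted credential table and the labelled inputs are all constructed for illustration; the reusable part is `trace_path`, which records the call path through a set of tracked functions so the tester can map inputs to the subfunctions they exercise.

```python
"""Path identification: which subfunctions does each selected input reach?

Gray-box testers know the function names (partial knowledge of the code)
but want evidence of the path an input actually takes. sys.settrace
records every Python-level call; we keep only the tracked names.
"""
import hashlib
import hmac
import secrets
import sys

# Constructed user store: username -> (salt, sha256(salt + password)).
_SALT = b"constructed-static-salt"


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}


# --- the function under test and its subfunctions -----------------------
def normalize(username: str) -> str:
    return username.strip().lower()


def lookup_user(username: str):
    return USERS.get(username)


def verify_password(record, password: str) -> bool:
    salt, stored = record
    return hmac.compare_digest(_hash(salt, password), stored)


def issue_token(username: str) -> str:
    return f"{username}:{secrets.token_hex(8)}"


def reject() -> None:
    return None


def handle_login(username: str, password: str):
    record = lookup_user(normalize(username))
    if record is None:
        return reject()
    if not verify_password(record, password):
        return reject()
    return issue_token(normalize(username))


# --- path identification ------------------------------------------------
TRACKED = {"handle_login", "normalize", "lookup_user", "verify_password", "issue_token", "reject"}


def trace_path(func, *args) -> list:
    """Run func(*args) and return the ordered list of tracked functions entered."""
    path = []

    def tracer(frame, event, arg):
        if event == "call" and frame.f_code.co_name in TRACKED:
            path.append(frame.f_code.co_name)
        return None  # no line-level tracing needed

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        func(*args)
    finally:
        sys.settrace(previous)
    return path


def identify_paths(inputs: dict) -> dict:
    """Map each labelled input (input selection) to the code path it exercises."""
    return {label: trace_path(handle_login, *args) for label, args in inputs.items()}


# Input selection: one input per branch we expect the handler to have.
INPUTS = {
    "valid": ("Alice ", "correct horse"),
    "wrong password": ("alice", "wrong"),
    "unknown user": ("mallory", "anything"),
}

if __name__ == "__main__":
    for label, path in identify_paths(INPUTS).items():
        print(f"{label:15} -> {' > '.join(path)}")
```

The recorded paths are the expected outputs for the next step: a later change that makes the unknown-user path call `verify_password` (a timing side channel fix) or the valid path skip it (a regression) shows up as a changed path, even when the final return value looks the same. The trace also exposes that `normalize` runs twice on the valid path, the kind of redundant subfunction call the path-identification step is meant to surface.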
Pros and cons of gray box testing
Gray-box testing is important for application penetration testing, as it draws on the strength of both black and white-box testing. Below are its main benefits and drawbacks.
Pros:
Offers advantages of both white-box testing and black-box testing, improving the quality of your application.
Testers do not need to be highly proficient in programming, though some familiarity with the code or architecture is required.
Improves collaboration between testers and developers.
Good coverage for the time invested.
Cons:
Testers may not have access to full code paths.
Designing test cases can be challenging.
Full white-box testing cannot be implemented since only a limited part of the internal structure is known to the tester.
Conclusion
Gray-box testing combines white-box techniques such as SAST with black-box methods such as DAST. Black-box testing probes the running application from the outside, as an external attacker would, while the white-box approach inspects the source code for vulnerabilities that could be exploited. Combining the two gives the tester an attacker's perspective backed by enough internal knowledge to reach the code paths that matter.