A penetration tester’s objective is to uncover vulnerabilities in a client system and determine how to exploit them. With web application pentesting, this doesn’t always mean cracking a system from the outside. Sometimes, the best way to discover how to break in is to start from the inside.
What is white box testing for web applications?
In a traditional web application penetration test, the tester might spend a couple of weeks working to access the client’s systems with no previous knowledge: the black box approach. While black box testing has its place, it usually only manages to scratch the surface. This is particularly true with the limits often imposed by time and scope.
White box web application pentesting offers a different approach. For a comprehensive web app pentest, assessing the source code provides opportunities to go deeper. Many of the more dangerous bugs and vulnerabilities discovered in the field aren’t simple syntax errors or other traditional vulnerabilities. They’re the result of creatively chaining vulnerabilities together into an attack.
A white box testing approach has a greater chance of uncovering these smaller vulnerabilities within the limits of an engagement.
The benefits of white box penetration testing
In addition to traditional vulnerabilities, using a white box testing approach enables the penetration tester to find logical bugs – vulnerabilities in the logic flow of the application. Attacking from the outside won’t reveal most of these opportunities. Nor will automated tools.
Another benefit is working with the client to secure an app while it’s still in development, rather than after it has already been released. To truly achieve security by design, a web app security assessment must be conducted during development.
As the code is iterated upon in the development process, changes in one location can create vulnerabilities in other locations. A pentester – or a security-minded web developer – trained in a white box approach can identify those vulnerabilities.
Conducting a white box security assessment means that you are able to show your work: how the bug or vulnerability was discovered and how the logic issues can be fixed. The client’s development team will gain a greater understanding not only of the current problem, but also what they should look out for in future projects. Demonstrating both the path and the mindset required to discover it adds value to the engagement.
As stated, black box testing has its place. The source code may not be available for review, or the client may be reluctant to share it. Penetration testers should know how to do an intelligent black box assessment, but at OffSec, we’ve simply found the white box approach delivers greater value in a security assessment.
Learning white box methods
Can you read source code? That’s a start to learning white box web app security methods. Our WEB-300 course focuses on white box web app security skills and techniques. The course focuses on analyzing source code, finding bugs, and exploiting them.
Web professionals, including software engineers and full stack web developers, will likely find some of the prerequisites familiar. To take WEB-300, you should be familiar with coding languages (such as Java, .NET, JavaScript, and Python) and able to write simple Python, Perl, PHP, or Bash scripts.
Other prerequisites lean more toward information technology roles. You’ll need to be familiar with several aspects of Linux administration, like file permissions, navigation, editing, and running scripts. Experience with web proxies, such as Burp Suite, will help. Finally, a general understanding of web app attack vectors, theory, and practice will provide context.
In WEB-300, you’ll learn how to do thorough source code reviews, then use lateral thinking to determine creative ways of exploiting vulnerabilities, including the logical vulnerabilities we described above.
More reading
Not ready to take a course yet? Read more:
- Understanding the Fundamentals of Web Application Security
- Analyzing a Creative Attack Chain Used to Compromise a Web Application
- Learn about other information security training paths and how AWAE fits
Or, find out what other students have to say about AWAE in these reviews:
Free Download: Web Application Security guide