312-50V10 · Question #892
The "Gray-box testing" methodology enforces what kind of restriction?
The correct answer is B. The internal operation of a system in only partly accessible to the tester.. Gray-box testing restricts the tester to only partial knowledge of a system's internal operations, placing it between black-box (zero knowledge) and white-box (full knowledge) methodologies.
Question
The "Gray-box testing" methodology enforces what kind of restriction?
Options
- AOnly the external operation of a system is accessible to the tester.
- BThe internal operation of a system in only partly accessible to the tester.
- COnly the internal operation of a system is known to the tester.
- DThe internal operation of a system is completely known to the tester.
How the community answered
(38 responses)- A3% (1)
- B92% (35)
- C5% (2)
Why each option
Gray-box testing restricts the tester to only partial knowledge of a system's internal operations, placing it between black-box (zero knowledge) and white-box (full knowledge) methodologies.
Only accessing the external operation of a system with no internal knowledge is the definition of black-box testing, not gray-box testing.
Gray-box testing grants the tester limited, partial access to or knowledge of a system's internal workings - such as some architectural diagrams or partial source code - without full visibility. This partial restriction defines the methodology and simulates realistic attack scenarios where a threat actor has some insider knowledge, making it more targeted than black-box testing while still retaining an element of uncertainty about the full internal design.
Having knowledge of only the internal operation while being unaware of external system behavior does not correspond to any recognized penetration testing methodology.
Complete and full knowledge of a system's internal operation describes white-box testing (also called crystal-box or clear-box testing), not gray-box testing.
Concept tested: Gray-box penetration testing methodology and tester knowledge restriction
Source: https://owasp.org/www-project-web-security-testing-guide/
Topics
Community Discussion
No community discussion yet for this question.