nerdexam
EC-Council

312-50V10 · Question #892

The "Gray-box testing" methodology enforces what kind of restriction?

The correct answer is B. The internal operation of a system in only partly accessible to the tester.. Gray-box testing restricts the tester to only partial knowledge of a system's internal operations, placing it between black-box (zero knowledge) and white-box (full knowledge) methodologies.

Information Security and Ethical Hacking Fundamentals

Question

The "Gray-box testing" methodology enforces what kind of restriction?

Options

  • AOnly the external operation of a system is accessible to the tester.
  • BThe internal operation of a system in only partly accessible to the tester.
  • COnly the internal operation of a system is known to the tester.
  • DThe internal operation of a system is completely known to the tester.

How the community answered

(38 responses)
  • A
    3% (1)
  • B
    92% (35)
  • C
    5% (2)

Why each option

Gray-box testing restricts the tester to only partial knowledge of a system's internal operations, placing it between black-box (zero knowledge) and white-box (full knowledge) methodologies.

AOnly the external operation of a system is accessible to the tester.

Only accessing the external operation of a system with no internal knowledge is the definition of black-box testing, not gray-box testing.

BThe internal operation of a system in only partly accessible to the tester.Correct

Gray-box testing grants the tester limited, partial access to or knowledge of a system's internal workings - such as some architectural diagrams or partial source code - without full visibility. This partial restriction defines the methodology and simulates realistic attack scenarios where a threat actor has some insider knowledge, making it more targeted than black-box testing while still retaining an element of uncertainty about the full internal design.

COnly the internal operation of a system is known to the tester.

Having knowledge of only the internal operation while being unaware of external system behavior does not correspond to any recognized penetration testing methodology.

DThe internal operation of a system is completely known to the tester.

Complete and full knowledge of a system's internal operation describes white-box testing (also called crystal-box or clear-box testing), not gray-box testing.

Concept tested: Gray-box penetration testing methodology and tester knowledge restriction

Source: https://owasp.org/www-project-web-security-testing-guide/

Topics

#gray-box testing#penetration testing methodologies#security testing#black-box vs white-box

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice