White-box testing is a method of testing software that tests internal structures or workings of an application as opposed to its functionality i.e. black-box testing.
Questions tagged [whitebox]
11 questions
22
votes
3 answers
White-box vs. Black-box
What are the relative advantages and disadvantages of each form of testing?
I.e. What is the difference between static code analysis and runtime/dynamic penetration testing?
What are the pros and cons of each? Are there situations where one is…
AviD
- 72,138
- 22
- 136
- 218
16
votes
3 answers
Getting a manual security code review done - What to watch out for?
We have a PHP application that we want to get code reviewed from an external security consultant, but I'm not clear on "how to" go about that process.
We did specify what kind of tests he should be doing, and the first part of his submitted report…
matt74tm
16
votes
2 answers
Secure big, old ecommerce website from XSS?
I'm working for an ecommerce website written in C#.net (no CMS used, quite a lot of code) where security hasn't been a priority for a long time. My mission right now is to find and fix any XSS breaches. There is a lot of non-filtered data written…
kyori
- 215
- 2
- 7
5
votes
4 answers
Effectiveness of Interactive Application Security Testing
There are a number of IAST tools available on the market such as Acunetix Web Vulnerability Scanner and HP WebInspect Real-Time.
How effective are these at finding vulnerabilities? Is there any evidence that these can find more or less than a black…
SilverlightFox
- 33,408
- 6
- 67
- 178
3
votes
1 answer
Test suite for a white-box fuzzer
I have created a white-box fuzzer by extending the Crest.
Now, I'm looking for a test suite (a set of c programs with known vulnerabilities) to test the functionality of my tool.
where i can find such benchmarks?
mrd abd
- 141
- 2
2
votes
2 answers
Pentesting - best bang for your buck? (credentialed versus non-credentialed)
My day to day activities consist primarily of penetration testing (white/grey/black). Throughout my engagements, I try to educate my clients on the differences of testing types. E.g., credentialed test from an internal perspective (low level user)…
munkeyoto
- 8,682
- 16
- 31
1
vote
1 answer
How to protect integrity of resource files in a white-box attack context?
In a white-box attack context (e.g. PC, tablet, smartphone), there is no trusted entity, which can be used to guarantee some reasonable security. TPM is not considered a solution because it is not available on all platforms and is also disabled by…
Benny
- 135
- 6
1
vote
1 answer
How secure is the CDM design?
A followup to How secure will EME be?
What I don't understand is how the CDM prevents key leakage. Is it not enough to "simply"[*] inspect the browser's memory and derive keys?
In other words - given two options, which would be more secure, or are…
davidkomer
- 521
- 4
- 9
0
votes
1 answer
How to bypass the following PHP function
I need to write PHP code in an application in which I have access to the code, because it is a white box.
However, I noticed that they use the following function:
function stripbadchars($str_chain){
$bad_chars =…
pignitulto
- 31
- 5
0
votes
2 answers
Source Code analysis tools available?
In the near future I have to check the source code of a web application on security vulnerabilities. The web application mainly consists of PHP files and contains more than 300 files.
Do you know programs that can help me with the security analysis…
Bowmann
- 57
- 3
-1
votes
1 answer
White-box webpage testers
I wrote a webPage and i want to localy scan all files in search of somes common vulnerabilities.
I searched on the internet a lot and i can't find white-box tools as I thought.
Instead of this, there are many black-box tools.
Maybe do you know some,…
Patryk Janik
- 103
- 1