
Thread: Black box testing program

  1. #11
    Junior Member Amlord1's Avatar
    Join Date
    Nov 2008
    Posts
    78

    Default

    Quote Originally Posted by Barry View Post
    So you're purposely ignoring the rules you agreed to when you signed up for these forums?
    I don't remember that being in the rules, but again, I may be mistaken. I apologize, no one has a perfect memory.

    Quote Originally Posted by Shavx View Post
    SORRY... I see that my posting privileges have been removed...

    Quote Originally Posted by Deathray View Post
    I don't understand why people overreact so much when someone spams a forum? I mean all he wants is to get an answer to his question ASAP!!! because he is the number 1 priority to the rest of the people here. What does it hurt? Besides the fact that if everyone did so forums would become a useless massive piece of crap ...... hmm egoistic? :b
    Sorry for being harsh if you are in fact new to forums. But for the future remember to follow the rules if you wish to be respected and answered. That and common sense will get you a long way.
    Well, seeing as my posting privileges have already been removed, saying sorry at this point is rather counterproductive. I realize that I made a dumb mistake.

    I didn't mean to be egotistical.

    Thanks...

    And to the Mods. I Re-read the rules... and Acknowledge that I messed up... Can I please have my posting privileges back?
    Originally Posted by pureh@te
    You may think it's stupid but when you are posting online sometimes spelling, grammar and thought put into the content of your posts is the only thing people have to measure you by and to determine the level of seriousness they should give you. So with that in mind I'd say "Yes" it's pretty important.

  2. #12
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by Amlord1 View Post
    Hello. If you have been in the BT3 forum recently you may have seen my posts, or you may have read my introduction. For those of you who didn't, I'm a software tester.

    Recently, my supervisor has been looking into Black Box testing. It looks like it's a good tool for the final steps of QA (quality assurance).
    At this point I'm questioning whether you guys really know anything about black box testing at all. Black Box Testing = No prior knowledge of the Target at all.
    Well, that's where we are right now. She was looking into Quick Test Pro, and I found another program called Smartescript, by Smartesoft. Both are very expensive, and I was thinking that it should be a simple program required to test a web app... So why are they charging thousands of dollars?
    I haven't had a lot of time to look at those products but the HP one specifically looks more like a unit testing tool than a web app testing tool. If you seriously want to test web apps I suggest something like AppScan or Hailstorm.

    I'm not a programmer, so I don't know much of anything about programming itself. However, I'm interested in learning, and this seems a reasonable place to start; correct me if I'm wrong.

    How hard do you think it would be to write a program that runs random and semi random bits of information (over intranet) through a web application (hosted on a local server), and sends feedback, or system failure information back?
    There are some open source alternatives to AppScan or Hailstorm, they're not as pretty and don't have as full a test suite but they might meet your requirements. Check out ratproxy (from Google) and w3af.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
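
For the question quoted in the post above (a program that pushes random and semi-random input through a locally hosted web application and reports failures), here is a minimal sketch, added as an example and not written by anyone in this thread. `sample_app`, its `qty` field and its planted bugs are constructed for illustration; the harness drives the app in-process through the standard WSGI interface only, so it runs offline.

```python
import io
import random
import string
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

def sample_app(environ, start_response):
    # Constructed app under test: reads form field "qty"; bugs are planted.
    size = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
    qty = int(form.get("qty", ["1"])[0])        # non-numeric qty raises ValueError
    body = f"unit price {100 // qty}".encode()  # qty == 0 raises ZeroDivisionError
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]

def send(app, value):
    # Black box: the harness only sees the request/response interface.
    data = urlencode({"qty": value}).encode()
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(data)),
               "CONTENT_TYPE": "application/x-www-form-urlencoded",
               "wsgi.input": io.BytesIO(data)}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    try:
        b"".join(app(environ, start_response))
        return seen.get("status", "no response")
    except Exception as exc:  # a real server would answer 500 here
        return f"crash: {type(exc).__name__}"

def fuzz(app, rounds=50, seed=1):
    rng = random.Random(seed)  # fixed seed so every failure can be replayed
    # Semi-random part: hand-picked variations of a valid value such as "3".
    boundary = ["0", "-1", "", "9" * 400, "3.5", " 7 "]
    failures = []
    for i in range(rounds):
        if i < len(boundary):
            value = boundary[i]
        else:  # random part: short strings of printable characters
            length = rng.randint(1, 12)
            value = "".join(rng.choice(string.printable) for _ in range(length))
        result = send(app, value)
        if not result.startswith("200"):
            failures.append((value, result))
    return failures

if __name__ == "__main__":
    for value, result in fuzz(sample_app):
        print(repr(value), "->", result)
```

Each failure is reported with the exact input that caused it, which is the "feedback" a tester needs to file a reproducible bug.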

  3. #13
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Quote Originally Posted by thorin View Post
    At this point I'm questioning whether you guys really know anything about black box testing at all.

    ................
    .........
    .......
    ....
    ..
    .
    .
    The "box" in black box and white box testing refers to the system under test; the color refers to the visibility that the tester has into the inner workings of the system. With black box testing, the tester has no visibility into those inner workings. The tester sees only the interfaces exposed by the system. By contrast, white box testing offers the tester full visibility into how the system works.

    Think of a soda vending machine. A black box test would involve inserting the money into the machine and verifying that a soda drops out and that correct change is given. A white box test might involve opening the back panel on the machine and manually triggering the switch that drops the soda.



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  4. #14
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    Between the two: BackTrack is 4 FwdTrack4
    Posts
    854

    Post

    Quote Originally Posted by thorin View Post
    At this point I'm questioning whether you guys really know anything about black box testing at all. Black Box Testing = No prior knowledge of the Target at all.
    Black box testing: where you simulate an attack like a real hacker from outside the network and have no knowledge of anything about what the infrastructure is on the DMZ or inside network. There may be 60%-80% VA and the rest PT, depends on the NDA. External pen-testing + VA. There are others too, like white-box and internal testing. Black box is the dangerous one as it causes more loss to the internal resources in contrast to the white box one. Many times DoS attacks in black box cause a server to shut down completely, as these are all discussed in the NDA already. White box testing prefers you already have internal info about the networks and their subnets, OS running and their services, internal network structure like routers, IPS, firewalls, switches, HIPS etc. in advance. Internal testing uses social engineering, where social engineering and dumpster diving are used in the internal environment to find the weakest link of security: the users. Until and unless users are aware of security threats, all the testing and countermeasures are useless.

  5. #15
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Quote Originally Posted by secure_it View Post
    Black box testing: where you simulate an attack like a real hacker from outside the network and have no knowledge of anything about what the infrastructure is on the DMZ or inside network. There may be 60%-80% VA and the rest PT, depends on the NDA. External pen-testing + VA. There are others too, like white-box and internal testing. Black box is the dangerous one as it causes more loss to the internal resources in contrast to the white box one. Many times DoS attacks in black box cause a server to shut down completely, as these are all discussed in the NDA already. White box testing prefers you already have internal info about the networks and their subnets, OS running and their services, internal network structure like routers, IPS, firewalls, switches, HIPS etc. in advance. Internal testing uses social engineering, where social engineering and dumpster diving are used in the internal environment to find the weakest link of security: the users. Until and unless users are aware of security threats, all the testing and countermeasures are useless.
    .......

    There's a bit there that seems to be right but the majority seems to be misunderstood. He's looking at black boxing from a QA standpoint, not necessarily a security standpoint. From the security side of things, black-boxing is no more dangerous than alternatives; performing a black box security test simply means no relevant information is provided regarding the architecture of the system(s) among other pieces (names, access numbers, et al).

    Social engineering, dumpster diving and the like can be, and usually are, performed in all tests unless the contract states otherwise.



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  6. #16
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    Between the two: BackTrack is 4 FwdTrack4
    Posts
    854

    Default

    Dangerous in that case because there is no estimation of the damage that can occur with such pen-testing. I said that because if we compare the 2, white and black, the safest is white box. I have clearly mentioned it.

  7. #17
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Default

    I understand what you mean, basically he is saying when you're intruding at full force, changing/deleting files etc. can damage the system more than a white hatter who has no reason to delete files, exploit overflows (in a harmful way) etc.
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  8. #18
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    Between the two: BackTrack is 4 FwdTrack4
    Posts
    854

    Post

    Quote Originally Posted by killadaninja View Post
    I understand what you mean, basically he is saying when you're intruding at full force, changing/deleting files etc. can damage the system more than a white hatter who has no reason to delete files, exploit overflows (in a harmful way) etc.
    We are not talking about the classes of hacker; instead we are discussing types of VA/PT. That is not intrusion. I would like to recommend you to see some PT/VA OSSTMM manuals.

  9. #19
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Quote Originally Posted by secure_it View Post
    Dangerous in that case because there is no estimation of the damage that can occur with such pen-testing. I said that because if we compare the 2, white and black, the safest is white box. I have clearly mentioned it.
    But you are implying that a black-box approach differs in execution from a white-box approach. When testing a system I approach it the same way whether I have previous knowledge of the architecture or not. Why unnecessarily DoS in a black-box test when the same methods that work with white-boxing work in black-boxing?



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  10. #20
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    Between the two: BackTrack is 4 FwdTrack4
    Posts
    854

    Default

    OK, from the knowledge and throughout testing point of view it's good that you work ideally the same in both black and white box testing without prior knowledge. I would say it's best in VA but not in PT. I am not saying to do a DoS attack in black box. The thing is, in black box we find each and every possibility to get into the network and system. In this there are chances that, without our intention, we have performed a DoS attack by having excessive connections with a server or router or firewall, or overloaded bandwidth consumption; that is why black box testing is nearly simulating an attack the same as black hat hackers. If you take both white box and black box testing as the same, then what difference would remain between the 2 methodologies? I have seen many pentesters have downed the network while testing in black box methodology because in that case they are not tied to any particular limitation of trying a limited/less destructive approach to gaining entry or penetrating the network. That is why the white box approach came in handy, so you won't try every possible excessive pen-testing method. I hope you got my point, as it's referring to the estimation of loss using both methodologies.
