Learning Resources
 

Hacking using white box testing is usually used for penetration testing

White-box fuzzing or smart fuzzing is a systematic methodology that is used to find buffer overruns (remote code execution); unhandled exceptions, read access violations (AVs), and thread hangs (permanent denial-of-service); leaks and memory spikes (temporary denial-of-service); and so forth.

You can perform fuzzing on any code that parses input that is received across a trust boundary. This includes files, network sockets, pipes, remote procedure call (RPC) interfaces, driver IOCTLs, ActiveX objects, and message queues (including Microsoft Windows messages).

This article presents a case study of fuzzing during development of Microsoft Internet Security and Acceleration (ISA) Server 2006, and discusses efforts, bug density, and ROI. During this release, the internal testing team found over 30 bugs that were either Important or Critical—according to Microsoft Security Response Center (MSRC) ranking—in over 500 KLOC parsing code.

White box testing can allow a Penetration Tester to thoroughly assess the security logic implemented within the application itself. For instance – consider the following web application.

Both Fred and Susan are standard users. When Fred logs in, he should be able to see his data and not Susan’s data. Likewise, when Susan logs in, she should be able to see her data and not Fred’s data.