Understanding Penetration Testing Types and Categories

This article covers different types of penetration testing and the categories they fall into. The penetration testing types include network testing, web app testing, mobile app testing, and more.

What is Penetration Testing?

Penetration testing is ethical hacking performed on a computer system, network, or web application to find security vulnerabilities. These vulnerabilities could be exploited by malicious hackers.

Penetration testing is performed by ethical (white hat) hackers with the explicit permission of the organization. It helps to overcome potential threats to the organization’s network and ensure data privacy. Moreover, it helps protect systems from malicious (black hat) hackers.

Different Categories of Penetration Testing

Penetration tests can be categorized based on their functionality and coverage of the software, system, or network under test. The categories of penetration testing are:

  • Black Box
  • White Box
  • Gray Box

These depend on the organization’s test plans and security test cases.

Black Box

In this penetration test, only IP address ranges are provided to the tester. Other parameters, such as the target operating system, server version, or specific target details, are not provided.

For example, in a web app penetration test, the source code of the web app is not provided to the tester.

White Box

This test goes beyond the black box test. In white box testing, all the information about the actual target is available for testing.

For example, in a network test, all the information, such as the operating system, version, and running applications, is provided to the tester. In web app penetration testing, the source code is provided. This is very useful as organizations are mainly concerned about leakage of information.

Gray Box

As this is a combination of both black box and white box testing, some information is available to the tester, whereas some is hidden.

For example, in a network test, the organization provides the names of the applications running behind an IP address. At the same time, it does not disclose the version of the running services. In web app penetration testing, some extra information (e.g., back-end server, databases, test accounts) is provided.

Different Types of Penetration Testing

[Figure: Different types of penetration testing]

There are many types of penetration tests. The following are the most common types, as shown in the figure above. Let us understand these different types of penetration testing performed to evaluate the security robustness of an organization’s network or system.

Network Penetration Test

In this test, the tester examines the network environment for potential security threats or vulnerabilities. This can be categorized into two types: external and internal.

  • In an external test, the tester tests public IP addresses.
  • In an internal test, the tester becomes part of the internal network and tests it. In this testing, the organization provides physical access as well as VPN access to the tester.

Web Application Penetration Test

Nowadays, web applications host and collect critical customer data, such as credit or debit card numbers, usernames/passwords, and so on. Hence, it is essential to perform web app penetration testing.

Mobile Application Penetration Test

This test has also become essential today, because organizations are developing mobile apps for Android and iOS phones and giving their customers access through them. This test ensures that mobile apps are secure enough to protect the personal information of the clients who use them.

Social Engineering Penetration Test

This test verifies the adherence of employees to the security policies/practices defined by the management of their organization. An example of such a test is phishing. In this test, the tester purposely sends out an email asking employees to open an unexpected attachment, to provide sensitive information, or to visit an unapproved website. This test is used to verify the vulnerability of employees.

Physical Penetration Test

In this test, the organization asks testers to physically test its security controls, such as locks and RFID/NFC or other scanning mechanisms.