Why we need admin logins in a gray box penetration test

Last week, I wrote why we request two logins per privilege level. Today let me explain why we also request admin privileges. After all, why should a penetration tester be given admin privileges?!

If we were doing a black box penetration test, then yes admin logins should not be provided. A black box test checks if outsiders can break in.

A gray box test goes beyond that. In a gray box test, we check if insiders can escalate their privileges. Eg. can a customer become the admin?

To test that, we login as the admin and as the customer. We study the admin’s requests to figure out how a customer might fake a similar request. We then try the fake requests to see if they succeed.

That’s why we need the admin logins.

Do we need admin logins on the OS, database and network too? No, we don’t. We just need admin rights on the web application. That’s enough to see if a remote user can escalate privileges to become an admin.

Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.

Add yours.closed for this post.