What information must be provided in advance for a pentest?

Specific application information is needed to ensure smooth execution of the security tests. To properly prepare and start a test, the following information is required per test type:

Black-box pentest

In the black-box test, nothing (or only a small part) of the environment and operation is known to the tester.

  • URLs of the application's acceptance and production environment.

Grey-box pentest

The tester has some prior knowledge of the environment, login credentials are provided, but no full administrative or management powers.

  • URLs of the application's acceptance and production environment.
  • Test user(s) for the application: preferably an application-wide superuser. This way the researchers are most flexible in creating users. Otherwise, at least two users per user role.
    If multiple organizations can log in, each having their own user management and data, a superuser (who can administer all organizations) is still preferred. If it is not possible to provide a superuser, administrator accounts for at least two organizations are required. This way, it is possible to test if organization A cannot access data of organization B.
  • User documentation / background information regarding the web application and any links and customized modules.

White-box pentest

Also called a Glass-box test or Crystal-box test. The tester in question has prior knowledge, login credentials and administrative or management rights in advance.

  • URLs of the application's acceptance and production environment.
  • Test user(s) for the application: preferably an application-wide superuser. This way the researchers are most flexible in creating users. Otherwise, at least two users per user role.
    If multiple organizations can log in, each having their own user management and data, a superuser (who can administer all organizations) is still preferred. If it is not possible to provide a superuser, administrator accounts for at least two organizations are required. This way, it is possible to test if organization A cannot access data of organization B.
  • Access to the acceptance environment with SSH (or else with FTP), with minimal reading- and writing permissions on all files of the web application (is not obligated, but will lead to the most accurate results and findings).
  • Complete documentation.
  • Access to the source code of the application.
  • API (if it is in scope): a Postman collection with valid requests (overview of endpoints), see https://www.getpostman.com/.