What information must be provided in advance for a pentest?

Specific application information is needed to ensure smooth execution of the security tests. To properly prepare and start a test, the following information is required per test type:

Black-box pentest

In a black-box test, nothing (or only a small part) of the environment and its operation is known to the tester.

  • URLs of the application's acceptance and production environment.

Grey-box pentest

The tester has some prior knowledge of the environment and is given login credentials, but no full administrative or management rights.

  • URLs of the application's acceptance and production environment.
  • Test accounts for the application (at least 2 accounts for each system or user role).
  • User documentation and background information on the web application, including any links and customized modules.

White-box pentest

Also called a glass-box or crystal-box test. The tester has prior knowledge of the environment, login credentials, and administrative or management rights in advance.

  • URLs of the application's acceptance and production environment.
  • Test and admin accounts for the application (at least 2 accounts for each system or user role).
  • Access to the acceptance environment over SSH (or, failing that, FTP), with at minimum read and write permissions on all files of the web application (not mandatory, but it leads to the most accurate results and findings).
  • Complete documentation.
  • Access to the source code of the application.
  • API (if in scope): a Postman collection with valid requests (an overview of the endpoints); see https://www.getpostman.com/.