Gray Box Penetration Testing Services

Our Gray Box Penetration Testing Services are Used for Insider Threat Testing and Application Testing
Blue Goat tested our web application, including the API and mobile apps. They were professional and flexible. We found a lot of value in their Remediation Validation Test.
Tony Williams

Steps to Schedule Your Gray Box Penetration Test:

1. Schedule a 30-minute Discovery Session

2. We determine IF and HOW we can help

3. We provide a Tailored Proposal

4. Together, we review the Proposal


As ethical (white hat) hackers, we emulate an attacker by utilizing similar techniques to perform reconnaissance, identify vulnerabilities, and break into your systems. Unlike an attacker, however, we stop our test before exposing sensitive data or doing harm to your environment. With a Gray Box Penetration Test, we have “user” level knowledge about and access to a system. A Gray Box Penetration Test is typically used when you want to test an insider threat or test an application that supports multiple users. The insider threat is tested to see what damage a user (non-administrator) could do to your environment. Application testing is used to test authenticated user access to ensure a user on an application cannot access another user’s data or escalate privileges.

A Gray Box Penetration Test is commonly used in the following two scenarios:

  • Insider Threat
  • Application Testing, such as a Web Application

We are often provided user-level access to an Enterprise Windows Domain for the Insider Threat scenario. We use this authenticated, user-level access to validate and test user rights, permissions, and access. A user should only be provided what is required for them to perform their job. Many organizations do not fully understand or have documented all the access a “user” may have. For example, we have found organizations where a standard user-level account could access the network shares of everyone in the company, including the CEO. This was due to improper permissions on network shares. This is not an uncommon scenario.

For the Application Testing scenario, we typically test an application, such as a web application or custom-built application, as an authenticated user. We log on to the application as that user and then perform testing to see if we can perform any of the following:

  • Horizontal Privilege Escalation – where an authenticated user can access another user’s data. An example of horizontal privilege escalation is a bank application where an authenticated user’s account number shows up in a URL. If I can change the account number in the URL to another account number and access that user’s banking information, I have just performed a horizontal privilege escalation.
  • Vertical Privilege Escalation – where an authenticated user can escalate privileges to an administrator-level account. An example is a web application with a value representing the username in a hidden field that is returned after successful authentication. What would happen if we changed the value from ‘username’ to ‘root’ or ‘administrator’ and passed this back to the web application server?
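Both checks described above, as an added illustration that is not Blue Goat's code: the vulnerable handler beside its fixed form for each case, using constructed sample accounts, users and session usernames.

```python
# Constructed sample data: account number -> (owner username, balance)
ACCOUNTS = {
    "1001": ("alice", 2500),
    "1002": ("bob", 900),
}
# Constructed sample data: username -> role held on the server side
USERS = {
    "alice": "user",
    "bob": "user",
    "root": "admin",
}


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


# --- Horizontal escalation: account number supplied in the URL ---------------

def get_account_vulnerable(session_user, account_number):
    """Trusts the URL parameter, so any authenticated user can read any account."""
    return ACCOUNTS[account_number]


def get_account_fixed(session_user, account_number):
    """Enforces object-level authorization: the account must belong to the session user."""
    owner, balance = ACCOUNTS[account_number]
    if owner != session_user:
        raise Forbidden(f"{session_user} does not own account {account_number}")
    return owner, balance


# --- Vertical escalation: role taken from a client-controlled hidden field ---

def role_vulnerable(session_user, hidden_field_username):
    """Derives privilege from the username the client echoed back in a hidden field."""
    return USERS[hidden_field_username]


def role_fixed(session_user, hidden_field_username):
    """Ignores the hidden field; the role comes from the server-side session user only."""
    return USERS[session_user]


def is_forbidden(handler, *args):
    """Return True when the handler rejects the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```

The same ownership and role lookups apply whether the identifier arrives in a URL path, a query string or a hidden form field; the fix is always to resolve identity and privilege from server-side session state.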


Our Gray Box Application Penetration Test covers the OWASP Top 10 and all web vulnerabilities and exploits, including the following, at a minimum:

  • SQL injection (Blind, Inference, Classic, Compounded)
  • OS command injection (Informed, Blind)
  • Server-side code injection
  • Server-side template injection
  • Reflected XSS
  • Stored XSS
  • Reflected DOM issues
  • Stored DOM issues
  • File path traversal / manipulation
  • External / out-of-band interaction
  • HTTP header injection
  • XML / SOAP injection
  • LDAP injection
  • CSRF
  • Open redirection
  • Header manipulation
  • Server-level issues

Our Gray Box Application Penetration Test also covers the CWE / SANS Top 25 programming errors, including the following, as applicable:

  • Improper Restriction of Operations within the Bounds of a Memory Buffer
  • Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Improper Input Validation
  • Information Exposure
  • Out-of-bounds Read
  • Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • Use After Free
  • Integer Overflow or Wraparound
  • Cross-site Request Forgery (CSRF)
  • Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • Out-of-bounds Write
  • Improper Authentication
  • NULL Pointer Dereference
  • Incorrect Permission Assignment for Critical Resource
  • Unrestricted Upload of File with Dangerous Type
  • Improper Restriction of XML External Entity Reference
  • Improper Control of Generation of Code (‘Code Injection’)
  • Use of Hard-coded Credentials
  • Uncontrolled Resource Consumption
  • Missing Release of Resource after Effective Lifetime
  • Untrusted Search Path
  • Deserialization of Untrusted Data
  • Improper Privilege Management
  • Improper Certificate Validation


We follow a seven-phase methodology designed to maximize our efficiency, minimize risk, and provide complete and accurate results. The seven phases of the methodology are:

  1. Planning and Preparation
  2. Reconnaissance / Discovery
  3. Vulnerability Enumeration / Analysis
  4. Initial Exploitation
  5. Expanding Foothold / Deeper Penetration
  6. Cleanup
  7. Report Generation


We think it is better to have an ethical hacker find the holes into your enterprise than an adversary or insider. Our Penetration Testing provides details on exploitable vulnerabilities in a prioritized, tangible manner. Our report allows you to better understand what your environment looks like from an attacker’s perspective. This helps you prioritize efforts to mitigate risk and reduce breach likelihood or damage.

Not only do our Penetration Testing Services show you what your attack surface looks like to an adversary, but they can also be used as a safe way to test your organization’s Incident Response (IR) and digital forensics capabilities. Our Penetration Testing services can be used to tune and test your security controls, such as your IDS, firewall, endpoint security, router ACLs, etc.

Our Gray Box Penetration Testing services also help you meet compliance audit requirements such as HIPAA, SOC 2, PCI DSS, and FISMA.


The Gray Box Penetration Test Report includes IP addresses tested, vulnerabilities discovered, steps taken during the assessment, exploitable areas discovered, and prioritized recommendations. For any systems we are able to exploit, an “Attack Narrative” section is used to discuss step-by-step the process we used to gain access, escalate privileges, etc.

The report sample below is used as a quick reference for focusing remediation and mitigation efforts. The findings are ranked by risk rating and include recommendations, reference links for mitigation steps, and tester notes.


If we do not find at least one vulnerability with a risk rating of Low or greater, we will refund 100% of your money, minus any incurred expenses.

Our purpose is simple — to make your organization secure

The number of cybersecurity incidents continues to climb. The variety of attacks continues to grow. It is no longer a question of if you will have a cyber event.