Blackbox Vs Whitebox Testing
Web security tests typically come in two formats: Blackbox and Whitebox.
A blackbox is where the test is performed without any insightful knowledge about the target. In other words, the tester only knows that the target exists plus maybe how to reach it but no other information. These types of tests are typically lead by the process of discovery. Security issues are identified as the tester is exploring and learning more about the target.
Blackbox tests are often performed manually but automated tools are often used during the discovery process. Some types of tools such as scanners and fuzzers can also be used in order to learn more about how the system reacts on unexpected input.
A whitebox is where the test is performed with prior information about the target. In fact, the more information there is the better. Test information can come in many formats such as technical papers, network diagrams and even access to source code.
That being said, whitebox web application security tests are typically associated with static source code analysis. In other words, the test is performed as source code level. Depending on the code size and complexity, an automated tool can be used to pick up any low-handing-fruit.