# Black Box vs White Box
## Black box (external only)
Tests your application from the outside, like an attacker would. No access to source code.
Tools included (11):
| Tool | Category | What it tests |
|---|---|---|
| Nmap | Network | Open ports, services, versions |
| OWASP ZAP | Web app | XSS, injection, CSRF, misconfigurations |
| Nuclei | Web app | Known CVEs, misconfigurations, exposures |
| Nikto | Web app | Dangerous files, outdated server software |
| FFUF | Web app | Hidden directories, backup files |
| OpenVAS | Vulnerability | Full network vulnerability assessment |
| TestSSL | SSL/TLS | Certificate issues, weak ciphers, protocol vulnerabilities |
| Subfinder | Recon | Subdomain enumeration |
| HTTPX | Recon | HTTP response probing, tech detection |
| Wafw00f | Recon | WAF detection and fingerprinting |
| PentestTools | Multi | Additional vulnerability checks |
When to use: You do not have a GitHub repository, or you only want to test the external attack surface.
## White box (external + code analysis)
Everything in black box, plus static analysis of your source code via GitHub.
Additional tools (3):
| Tool | Category | What it tests |
|---|---|---|
| Semgrep | SAST | Code-level vulnerabilities, insecure patterns |
| Trivy | SCA | Vulnerable dependencies in package files |
| Gitleaks | Secrets | Hardcoded API keys, tokens, passwords in code |
Requirements:
- GitHub repository connected via OAuth or GitHub App
- Repository access granted to TurboPentest
When to use: You have a GitHub repository and want comprehensive coverage including code-level vulnerabilities that cannot be found from outside.
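To make the difference concrete, here is a small added example (not TurboPentest's code, and not the output of Semgrep, Trivy or Gitleaks) that runs simplified versions of the three white-box check categories over a constructed repository snapshot held in memory. The file contents, the key value and the advisory list are all constructed placeholders; none of the findings would be visible to the black-box tools, because they never see the source or the dependency manifest.

```python
"""Simplified white-box checks over repository files (added example).

Mirrors the three categories in the white-box table: Secrets, SAST and SCA.
Everything below is constructed for illustration; it is not the real tools'
logic, and the advisory id is a placeholder, not a CVE.
"""
import re
from dataclasses import dataclass

# Constructed repository snapshot: path -> file contents.
REPO = {
    "app/config.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE0000000AB'\n"   # constructed, not a real key
        "DB_URL = 'postgres://svc:hunter2@db.internal/app'\n"
    ),
    "app/views.py": (
        "import subprocess\n"
        "def run(cmd):\n"
        "    return subprocess.call(cmd, shell=True)\n"
    ),
    "requirements.txt": "requests==2.19.0\nflask==3.0.0\n",
}

# Constructed advisory data: package -> (first fixed version, placeholder id).
ADVISORIES = {"requests": ("2.20.0", "ADV-EXAMPLE-0001")}


@dataclass(frozen=True)
class Finding:
    category: str   # "Secrets", "SAST" or "SCA"
    path: str
    line: int
    detail: str


# Secret patterns: an AWS-style access key id and a credential embedded in a URL.
SECRET_PATTERNS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential in URL", re.compile(r"://[^\s:/@]+:[^\s@]+@")),
]
# Insecure code pattern: shell=True hands the argument to a shell (command injection risk).
SAST_PATTERNS = [
    ("subprocess call with shell=True", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
]


def _version(v: str) -> tuple:
    """Parse a dotted version into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def scan_secrets(repo: dict) -> list:
    """Gitleaks-style check: regexes over every line of every file."""
    out = []
    for path, text in repo.items():
        for no, line in enumerate(text.splitlines(), start=1):
            for name, rx in SECRET_PATTERNS:
                if rx.search(line):
                    out.append(Finding("Secrets", path, no, name))
    return out


def scan_sast(repo: dict) -> list:
    """Semgrep-style check: insecure code patterns in source files only."""
    out = []
    for path, text in repo.items():
        if not path.endswith(".py"):
            continue
        for no, line in enumerate(text.splitlines(), start=1):
            for name, rx in SAST_PATTERNS:
                if rx.search(line):
                    out.append(Finding("SAST", path, no, name))
    return out


def scan_sca(repo: dict) -> list:
    """Trivy-style check: pinned dependencies below the fixed version of an advisory."""
    out = []
    text = repo.get("requirements.txt", "")
    for no, line in enumerate(text.splitlines(), start=1):
        if "==" not in line:
            continue
        pkg, ver = (s.strip() for s in line.split("==", 1))
        if pkg in ADVISORIES:
            fixed, adv_id = ADVISORIES[pkg]
            if _version(ver) < _version(fixed):
                out.append(Finding("SCA", "requirements.txt", no,
                                   f"{pkg} {ver} < {fixed} ({adv_id})"))
    return out


def scan_repo(repo: dict) -> list:
    """Run all three white-box categories and return findings in a stable order."""
    findings = scan_secrets(repo) + scan_sast(repo) + scan_sca(repo)
    return sorted(findings, key=lambda f: (f.category, f.path, f.line))


if __name__ == "__main__":
    for f in scan_repo(REPO):
        print(f"[{f.category}] {f.path}:{f.line}  {f.detail}")
```

Running it lists four findings: two hardcoded credentials in `app/config.py`, one shell-injection-prone call in `app/views.py`, and one outdated pinned dependency. A black-box scan of the deployed application has no way to reach any of these files, which is exactly the gap the white-box mode closes by reading the connected GitHub repository.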
## Setting up GitHub access
See GitHub Connection for setup instructions.