Weekly CISSP Exam Questions
Question: During a penetration test, a tester was able to retrieve credit card numbers. What type of test was this?
A. Vulnerability scan
B. White box test
C. Black box test
D. Compliance audit
Correct Answer: C.
Explanation:
Vulnerability scan: A vulnerability scan usually checks for known vulnerabilities in the system by using automated tools. While it might flag the potential risk associated with the storage or transmission of credit card numbers, it typically doesn't involve actively exploiting vulnerabilities to retrieve such data.
White box test: In a white box test, the tester has access to internal structures of the application, such as the source code. While it is theoretically possible to retrieve sensitive data like credit card numbers during a white box test, the primary focus of such tests is often to evaluate the internal logic and structure of the code, rather than exploiting vulnerabilities to extract data.
Black box test: In a black box test, the tester has no prior knowledge of the internal structures of the application. The tester acts like an external attacker and tries to exploit vulnerabilities in the system. Retrieving credit card numbers is more in line with what you'd expect in a black box test, where the tester is simulating an actual attack to find out what kind of data can be extracted from the system.
Compliance audit: A compliance audit checks if a system complies with specific guidelines or standards, like PCI DSS for credit card data. While an audit may discover that credit card numbers are not stored securely, the audit itself would typically not involve actively exploiting vulnerabilities to retrieve the data.

Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.

CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!

CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.