The goal of a black box intrusion test, also called a pen test, is to gain access to a system (the box) without any prior information about it, just as an attacker discovering the system for the first time would.
The pen tester has no knowledge of the environment and, from the outside, tries to find out how to get into the target system as an external attacker would.
Black box tests are most often used on showcase sites (with no member area), because an attacker would need no additional information to go further and carry out an attack.
Black box tests therefore assess what information an attacker would be able to obtain and, from that, highlight the risks the organization would face in the event of an attack.
The method known as "grey box" consists of trying to penetrate the system with a limited amount of information about the organization and its information system. This makes it possible to check the vulnerabilities of a system by mimicking a site user, or an employee of the company who has internal access to some information. This would be the starting point for an attacker who had managed to gain access to a user account within the organization.
In general, during a grey box test, the pen tester is given usernames and passwords that allow him to go beyond the authentication step. This approach is used for a commercial site, or for a non-commercial site with a member area or customer area.
The pen tester does not start completely in the dark. With a limited amount of information, he can more easily simulate attacks and go beyond what he could have done in black box mode.