Last week, I wrote why we request two logins per privilege level. Today let me explain why we also request admin privileges. After all, why should a penetration tester be given admin privileges?! If we were doing a black box penetration test, then yes admin logins should not be provided. A black box test checks if outsiders can break in. A gray box test goes beyond that. In a gray box test, we check if insiders can escalate their privileges. Eg. can a customer become the admin? To test that, we login as the admin and as the customer. We study the admin's requests to figure out how a customer might fake a similar request. We then try the fake requests to see if they succeed. That's why we need the admin logins. Do we need admin logins on the OS, database and network too? No, we don't. We just need admin rights on the web application. That's enough to see if a remote user can escalate privileges to become an admin.