You can't secure
what you
can't see.

We surface your unknown attack surface before attackers do it for you.

Everything you wish you had before the next incident.

Discover every exposed asset — domains, IPs, certificates, APIs. Continuously monitor and get alerted before attackers map your perimeter for you.

24/7

continuous monitoring

CVE

integrated NVD feed

API

exports & webhooks

Discover EASM

An agent that reads
your code.

Contextual SAST, a pentest agent that retests scope between engagements, and report drafts reviewed by a human before delivery.

SAST

contextual, multi-file

Agent

retests on every deploy

CI/CD

GitHub, GitLab, Jenkins

Meet the agent

Your application,
as an attacker sees it.

External penetration testing with no source-code access. Real-world attacker techniques, delivered as a prioritised, actionable report.

OWASP

Top 10 + PTES

5–10 d

report after testing

OSWE

certified consultant

Request a quote

OWN2PWN·Rapport d'audit · v1.0

CONFIDENTIELDIFFUSION RESTREINTE

P. 01

— Rapport d'audit

Pentest Web
Blackbox

ClientACME CORP

EngagementENG-2024-0024

Période03 - 14 mai 2024

Scope*.acme.com (5 hosts)

MéthodologieOWASP WSTG · PTES

5

findings

1

critique

12 j

livraison

Auditeurs : A. Verna (lead), M. Dubois
Document signé électroniquement

P. 12

§ 4.2Findings techniques/12

HIGH

BBX-02·CVSS 8.6

Server-Side Template Injection — Jinja2

// Payload

POST /api/templates/render

Content-Type: application/json

{ "name": "{{7*7}}" }

200 OK

{ "rendered": "49" }

// Confirmé : exec via {{ config.__class__... }}

Impact : RCE sur le service de rendering. Sandbox Jinja2 contournable via accès au global __class__.

Synthèse — 5 findings retenus

CRITBBX-01Boolean-based SQLiPOST /api/auth/login

HIGHBBX-02Server-Side Template InjectionPOST /api/templates/render

HIGHBBX-03Stored XSSPOST /api/comments

HIGHBBX-04Server-Side Prototype PollutionPOST /api/cart/merge

MEDBBX-05Client-Side Path TraversalGET /download?file=

own2pwn · audit-blackbox-2024-0024Page 12 sur 47

Deep audit,
not surface scanning.

Access to source code, architecture, and infrastructure. Led by an OSWE-certified expert, to surface what automated tools miss.

OSWE

OffSec certification

SAST

+ manual review

Git

repository-level analysis

Request a quote

OWN2PWN·Rapport d'audit · v1.0 · révisé

CONFIDENTIELDIFFUSION RESTREINTE

P. 01

— Rapport d'audit

Pentest Web
Whitebox

ClientACME CORP

EngagementENG-2024-0029

Période04 - 28 juin 2024

Codebase847 fichiers · 42 k LOC

StackPython · Django · PostgreSQL

MéthodologieSAST + revue manuelle + threat-modeling

OSWE — OffSec

Lead auditor · cert. #OS-19847

7

findings

2

critiques

48 h

rapport

Auditeurs : A. Verna (lead OSWE), J. Mercier
Document signé électroniquement

P. 23

§ 5.1Findings de revue de codeCRITIQUE

CRITIQUE

WBX-01·CVSS 9.8auth/session.py

Désérialisation pickle non signée — RCE pré-authentification

83def restore_session(token: str) -> User:

84 raw = base64.b64decode(token)

85 user = pickle.loads(raw) # ← sink, attaquant-contrôlé

86 return user

Chemin : cookie.session → middleware.SessionMiddleware → pickle.loads. Aucun HMAC. Gadget chain démontrée via __reduce__.

Recommandation

Migrer vers itsdangerous.URLSafeTimedSerializer avec rotation de clé, ou JWT signé HS256/Ed25519. PoC fournie en annexe B.3.

Synthèse — 7 findings revue de code

CRITWBX-01Désérialisation pickle non signéeauth/session.py:85

CRITWBX-02Secret JWT hardcodé en fallbackconfig/jwt.py:14

HIGHWBX-03TOCTOU sur validation uploadapi/files.py:47

HIGHWBX-04Mass assignment via User.update(**body)api/users.py:122

HIGHWBX-05AES-ECB sur données sensiblescrypto/wallet.py:31

MEDWBX-06SSRF via résolveur DNS interneintegrations/webhook.py:58

MEDWBX-07Coupon stacking via race sur le paniercart/checkout.py:213

own2pwn · audit-whitebox-2024-0029 · OSWE-certifiedPage 23 sur 78

Let's talk about your
attack surface.

Demo, quote, or technical question: we reply within 48 business hours.

Get in touch contact@own2pwn.fr

You can't securewhat youcan't see.

Everything you wish you had before the next incident.

An agent that readsyour code.

Your application,as an attacker sees it.

Deep audit,not surface scanning.

Let's talk about yourattack surface.

You can't secure
what you
can't see.

An agent that reads
your code.

Your application,
as an attacker sees it.

Deep audit,
not surface scanning.

Let's talk about your
attack surface.