Skip to main content
own2pwn

White-box Web Pentest

The code tells the truth. We read it line by line.

A white-box web penetration test, run by an OSWE-certified pentester with access to your source code, your architecture and ideally your infrastructure. Manual source-code review, SAST tooling triaged by hand, code-guided DAST, architecture review, configuration audit of servers, databases and cloud, cryptographic analysis. We surface the business-logic flaws, race conditions and broken crypto that black-box testing never sees. Strict NDA, code analysed in an isolated environment and deleted after the engagement. Executive and technical report with PoC, CVSS and prioritised remediation, retests included. This is the human depth that complements EASM (external surface) and SecAI (continuous AI SAST).

How an engagement runs

An engagement builds up in stages, from scoping to the re-test: reconnaissance, exploitation backed by proof of each flaw, real-world impact assessment, then a remediation-focused report. We come back to verify your fixes once they are in place.

Web whitebox pentest diagram: full access to the application internals (code, architecture) under scrutiny, leading to a detailed report.
With the code and architecture in front of us, we cover more surface and the report goes further.

Des tarifs lisibles, sans surprise.

Recommandé
5-day engagement
€3,000
  • Day rate €600 net, VAT not applicable (art. 293 B CGI)
  • Code review + architecture + configs + crypto
  • Executive and technical report, PoC, CVSS, prioritised remediation
  • 1 retest included to validate the fixes
  • Non-destructive, staging or pre-production by default
Request a quote
10-day engagement
€6,000
  • Day rate €600 net, VAT not applicable (art. 293 B CGI)
  • Wider scope: several modules, full architecture, infrastructure
  • Executive and technical report, PoC, CVSS, prioritised remediation
  • 2 retests included to validate the fixes
  • Debrief session and knowledge transfer
Request a quote
Custom
On request
  • On request, day rate €600 net
  • For a monorepo, multi-repos or a large scope
  • Number of days and retests adapted to the scope
  • Fix implementation as an option, separate package
  • Post-remediation attestation for compliance
Contact us

Fonctionnalités

Tout ce qu'il faut pour sécuriser, sans le superflu.

Manual source-code review

An OSWE pentester reads your code, not a scanner. We look for the logic flaws, exploitation chains and design mistakes that tools can't follow. The code is analysed read-only, in an isolated environment.

SAST tooling, false positives triaged by hand

We run static analysis tools to cover the volume, then triage every result manually. You get confirmed vulnerabilities with their real impact, not a raw list of 200 alerts where half is noise.

Code-guided DAST

Dynamic testing is driven by what reading the code revealed. We go straight to the sensitive endpoints and paths instead of probing blind, which makes exploitation faster and deeper than in black-box.

Architecture review

We look at how components talk to each other, where the trust boundaries sit, how authentication and authorisation are designed. Many serious flaws come from the architecture, not from a single line of code.

Configuration audit

Web servers, databases, cloud services. We check hardening, permissions, exposed secrets, headers, needless exposure. A default config left in place is often enough to open the door.

Cryptographic analysis

Review of how crypto is used in the code: algorithms, key management, randomness generation, password storage, signatures and tokens. Crypto mistakes are invisible from the outside and cost dearly in a breach.

Finding flaws invisible to black-box

Abused business logic, race conditions, inconsistent access controls, hard-coded secrets, vulnerable third-party dependencies. With the code in front of us, we find what an external test misses by design.

Comment ça marche

From scoping to the re-test.

  1. 01

    Scoping and audit agreement

    We define the scope, the repositories involved, the access needed and the engagement windows. NDA signed. Everything is bounded in writing before a single line is read. Scoping with no commitment.

  2. 02

    Reading the code and mapping

    Manual review of the source code, architecture and configurations, backed by SAST tools whose results we triage by hand. We reconstruct how the application really works and where the risk concentrates.

  3. 03

    Code-guided exploitation

    Dynamic tests targeted at the identified paths, manual exploitation within the written authorisation. Non-destructive, on staging or pre-production by default. We push through to real impact to qualify severity.

  4. 04

    Report, debrief and retest

    Executive and technical report delivered within 5 to 10 business days, with PoC, CVSS score and prioritised remediation. Debrief session, then retests included to verify the fixes hold.

Bénéfices

L'impact concret pour vos équipes.

01

You see the costliest flaws, not just the most visible ones

The vulnerabilities that hurt in production are rarely in a scanner's top 10. They are business-logic flaws, broken access controls, badly implemented crypto. Access to the code surfaces them before an attacker does.

02

Your code stays confidential and under control

NDA signed before the engagement, read-only access to the repository, analysis in an isolated environment, code deleted after the report is delivered. A CTO's number-one objection is handled in writing, not by a verbal promise.

03

Your developers level up

Debrief sessions and knowledge transfer are available: your teams understand where the flaws come from and how to avoid them. Implementing the fixes is offered as an option, as a separate package, if you want to go all the way.

Questions fréquentes

Ce que vous voulez probablement savoir.

Parlons de votre besoin.

Démo, devis ou question technique : réponse sous 48 h ouvrées.