COOKIE POLICY

PENTEST-ONLINE.COM uses technical, analytical, session and advertising cookies in order to provide a better service. However, we need your explicit consent to use them. You can also change the cookie settings or obtain more information here .

WHITE BOX

External and internal attack

Product information

Pentesting Service: Comprehensive Evaluation with Full Access (White Box)

What is a White Box Test?

This service combines internal and external attack simulations with full system access, providing an exhaustive evaluation of your website or API's security. The goal is to identify vulnerabilities from every angle, replicating realistic attack scenarios from actors with full or partial access.

Why Choose Our White Box Pentesting Service?

1. Report valid for official audits

Our report meets the requirements for:

  • Internal and external audits.
  • Security certifications and compliance with standards like ISO 27001, GDPR, ENS, or PCI DSS.

The report includes:

  • Detailed evidence and clear descriptions.
  • Prioritization of vulnerabilities based on criticality.
  • Actionable recommendations to enhance security.

2. Advanced simulation of internal and external attacks

We simulate realistic attacks from all perspectives:

  • External actors: With no prior access to the system.
  • Internal actors: With full access, including credentials, source code, and architecture.

Our methodology:

  • Automated testing to identify common vulnerabilities.
  • Manual evaluation to uncover weaknesses across all system layers.

3. Adaptable analysis for any environment

Regardless of your technology stack, our analysis is compatible with:

  • Languages: PHP, Java, Python, C#, Node.js, Ruby.
  • Frameworks: Django, Laravel, Spring, Express.js.
  • CMS platforms: WordPress, Joomla, Drupal, Magento.
  • APIs: REST, GraphQL, SOAP.
  • Infrastructure: Cloud, hybrid, or on-premises setups.

4. Comprehensive coverage

We detect critical vulnerabilities, including:

  • Authentication and authorization: Issues with access and permission management.
  • Privilege escalation: Identification of paths to gain administrative control.
  • SQL Injection and XSS: Database and script exploits.
  • Configuration errors: Misconfigured CORS policies, HTTP headers, and more.
  • Source code evaluation: Detection of insecure practices or critical errors.

5. Delivery within 72 hours

In just three days, you’ll receive a complete report, ready to share with your technical or management teams.

Key Benefits for Your Organization

  • Total system coverage: Identify internal and external vulnerabilities for comprehensive protection.
  • Defense against extreme scenarios: Evaluate your system’s ability to withstand even the most sophisticated attacks.
  • Quality improvement: Receive recommendations to strengthen your code and configurations.
  • Regulatory compliance: Align with the most recognized security standards.
  • Comprehensive report: Includes visual evidence, technical descriptions, criticality levels, and actionable steps.

What’s Included in Your Report?

  • Clear and technical descriptions of detected vulnerabilities.
  • Visual evidence and explanations of their impact.
  • Prioritization by level of criticality.
  • Detailed, actionable recommendations for mitigation.

Ensure total protection for your organization from all angles.
Order our White Box Pentesting service and receive an official report designed to enhance your system’s security and meet industry standards.

Guaranteed delivery within 72 hours.

+281 Vulnerabilities

+281 Vulnerabilities
NAME
GRAVITY
CLASSIFICATIONS
OS command injection
High
CWE-77 CWE-78 CWE-116
SQL injection
High
CWE-89 CWE-94 CWE-116
SQL injection (second order)
High
CWE-89 CWE-94 CWE-116
ASP.NET tracing enabled
High
CWE-10 CWE-11
File path traversal
High
CWE-22 CWE-23 CWE-35 CWE-36
XML external entity injection
High
CWE-611
LDAP injection
High
CWE-90 CWE-116
XPath injection
High
CWE-94 CWE-116 CWE-159 CWE-643
XML injection
Medium
CWE-91 CWE-116 CWE-159 CWE-611 CWE-776
ASP.NET debugging enabled
Medium
CWE-11
Broken Access Control
Information
CWE-284
HTTP PUT method is enabled
High
CWE-650
Out-of-band resource load (HTTP)
High
CWE-610 CWE-918
File path manipulation
High
CWE-22 CWE-23 CWE-35 CWE-36
PHP code injection
High
CWE-94 CWE-116 CWE-159
Server-side JavaScript code injection
High
CWE-94 CWE-95 CWE-116
Perl code injection
High
CWE-94 CWE-95 CWE-116
Ruby code injection
High
CWE-94 CWE-95 CWE-116
Python code injection
High
CWE-94 CWE-95 CWE-116
Expression Language injection
High
CWE-116 CWE-159 CWE-917
Unidentified code injection
High
CWE-94 CWE-95 CWE-116
Server-side template injection
High
CWE-94 CWE-95 CWE-116
SSI injection
High
CWE-96 CWE-116 CWE-159
Cross-site scripting (stored)
High
CWE-79 CWE-80 CWE-116 CWE-159
HTTP request smuggling
High
CWE-444
Client-side desync
High
CWE-444
Web cache poisoning
High
CWE-436
HTTP response header injection
High
CWE-113
Cross-site scripting (reflected)
High
CWE-79 CWE-80 CWE-116 CWE-159
Client-side template injection
High
CWE-116 CWE-159
Cross-site scripting (DOM-based)
High
CWE-79 CWE-80 CWE-116 CWE-159
Cross-site scripting (reflected DOM-based)
High
CWE-79 CWE-80 CWE-116 CWE-159
Cross-site scripting (stored DOM-based)
High
CWE-79 CWE-80 CWE-116 CWE-159
Client-side prototype pollution
Information
CWE-1321
JavaScript injection (DOM-based)
High
CWE-94 CWE-95 CWE-116
JavaScript injection (reflected DOM-based)
High
CWE-94 CWE-95 CWE-116
JavaScript injection (stored DOM-based)
High
CWE-94 CWE-95 CWE-116
Path-relative style sheet import
Information
CWE-16
Client-side SQL injection (DOM-based)
High
CWE-89 CWE-116 CWE-159
Client-side SQL injection (reflected DOM-based)
High
CWE-89 CWE-116 CWE-159
Client-side SQL injection (stored DOM-based)
High
CWE-89 CWE-116 CWE-159
WebSocket URL poisoning (DOM-based)
High
CWE-345 CWE-346 CWE-441
WebSocket URL poisoning (reflected DOM-based)
High
CWE-345 CWE-346 CWE-441
WebSocket URL poisoning (stored DOM-based)
High
CWE-345 CWE-346 CWE-441
Local file path manipulation (DOM-based)
High
CWE-22 CWE-73
Local file path manipulation (reflected DOM-based)
High
CWE-22 CWE-73
Local file path manipulation (stored DOM-based)
High
CWE-22 CWE-73
Client-side XPath injection (DOM-based)
Low
CWE-79 CWE-116 CWE-159
Client-side XPath injection (reflected DOM-based)
Low
CWE-79 CWE-116 CWE-159
Client-side XPath injection (stored DOM-based)
Low
CWE-79 CWE-116 CWE-159
Client-side JSON injection (DOM-based)
Low
CWE-79 CWE-116 CWE-159
Client-side JSON injection (reflected DOM-based)
Low
CWE-79 CWE-116 CWE-159
Client-side JSON injection (stored DOM-based)
Low
CWE-79 CWE-116 CWE-159
Flash cross-domain policy
High
CWE-942
Silverlight cross-domain policy
High
CWE-942
Content security policy: allowlisted script resources
Information
CWE-79 CWE-80 CWE-116 CWE-159
Content security policy: allows untrusted script execution
Information
CWE-79 CWE-80 CWE-116 CWE-159
Content security policy: allows untrusted style execution
Information
CWE-116 CWE-159
Content security policy: malformed syntax
Information
Content security policy: allows clickjacking
Information
CWE-693 CWE-1021
Content security policy: allows form hijacking
Information
CWE-116
Content security policy: not enforced
Information
GraphQL endpoint found
Information
GraphQL endpoint discovered
Information
GraphQL introspection enabled
Low
CWE-200
GraphQL suggestions enabled
Low
CWE-200
GraphQL content type not validated
Low
CWE-352
Cross-origin resource sharing
Information
CWE-942
Cross-origin resource sharing: arbitrary origin trusted
High
CWE-942
Cross-origin resource sharing: unencrypted origin trusted
Low
CWE-942
Cross-origin resource sharing: all subdomains trusted
Low
CWE-942
Web cache deception
Medium
Cross-site request forgery
Medium
CWE-352
SMTP header injection
Medium
CWE-93 CWE-159
JWT signature not verified
High
CWE-345 CWE-347
JWT none algorithm supported
High
CWE-345
JWT self-signed JWK header supported
High
JWT weak HMAC secret
High
JWT arbitrary jku header supported
High
JWT arbitrary x5u header supported
High
Cleartext submission of password
High
CWE-319
External service interaction (DNS)
Information
CWE-918 CWE-406
External service interaction (HTTP)
High
CWE-918 CWE-406
External service interaction (SMTP)
Information
CWE-16 CWE-406
Referer-dependent response
Information
CWE-16 CWE-213
Spoofable client IP address
Information
CWE-16
User agent-dependent response
Information
CWE-16
Password returned in later response
Medium
CWE-204
Password submitted using GET method
Low
CWE-598
Password returned in URL query string
Low
CWE-598
SQL statement in request parameter
Medium
CWE-598
Cross-domain POST
Information
CWE-16
ASP.NET ViewState without MAC enabled
High
CWE-642
XML entity expansion
Medium
CWE-776
Long redirection response
Information
CWE-698
Serialized object in HTTP message
High
CWE-502
Duplicate cookies set
Information
CWE-16
Input returned in response (stored)
Information
CWE-20 CWE-116
Input returned in response (reflected)
Information
CWE-20 CWE-116
Suspicious input transformation (reflected)
Information
CWE-20
Suspicious input transformation (stored)
Information
CWE-20
Request URL override
Information
CWE-436
Vulnerable JavaScript dependency
Low
CWE-1104
Open redirection (reflected)
Low
CWE-601
Open redirection (stored)
Medium
CWE-601
Open redirection (DOM-based)
Low
CWE-601
Open redirection (reflected DOM-based)
Low
CWE-601
Open redirection (stored DOM-based)
Medium
CWE-601
TLS cookie without secure flag set
Medium
CWE-614
Cookie scoped to parent domain
Low
CWE-16
Cross-domain Referer leakage
Information
CWE-200
Cross-domain script include
Information
CWE-829
Cookie without HttpOnly flag set
Low
CWE-16
Session token in URL
Medium
CWE-200 CWE-384 CWE-598
Password field with autocomplete enabled
Low
CWE-200
Password value set in cookie
Medium
CWE-287
File upload functionality
Information
CWE-434
Frameable response (potential Clickjacking)
Information
CWE-693 CWE-1021
Browser cross-site scripting filter disabled
Information
CWE-16
HTTP TRACE method is enabled
Information
CWE-16
Cookie manipulation (DOM-based)
Low
CWE-565 CWE-829
Cookie manipulation (reflected DOM-based)
Low
CWE-565 CWE-829
Cookie manipulation (stored DOM-based)
Low
CWE-565 CWE-829
Ajax request header manipulation (DOM-based)
Low
CWE-116
Ajax request header manipulation (reflected DOM-based)
Low
CWE-116
Ajax request header manipulation (stored DOM-based)
Low
CWE-116
Denial of service (DOM-based)
Information
CWE-400
Denial of service (reflected DOM-based)
Information
CWE-400
Denial of service (stored DOM-based)
Low
CWE-400
HTML5 web message manipulation (DOM-based)
Information
CWE-20
HTML5 web message manipulation (reflected DOM-based)
Information
CWE-20
HTML5 web message manipulation (stored DOM-based)
Information
CWE-20
HTML5 storage manipulation (DOM-based)
Information
CWE-20
HTML5 storage manipulation (reflected DOM-based)
Information
CWE-20
HTML5 storage manipulation (stored DOM-based)
Information
CWE-20
Link manipulation (DOM-based)
Low
CWE-20
Link manipulation (reflected DOM-based)
Low
CWE-20
Link manipulation (stored DOM-based)
Low
CWE-20
Link manipulation (reflected)
Information
CWE-73 CWE-20
Link manipulation (stored)
Information
CWE-73 CWE-20
Document domain manipulation (DOM-based)
Medium
CWE-20
Document domain manipulation (reflected DOM-based)
Medium
CWE-20
Document domain manipulation (stored DOM-based)
Medium
CWE-20
DOM data manipulation (DOM-based)
Information
CWE-20
DOM data manipulation (reflected DOM-based)
Information
CWE-20
DOM data manipulation (stored DOM-based)
Information
CWE-20
CSS injection (reflected)
Medium
CWE-73 CWE-20
CSS injection (stored)
Medium
CWE-73 CWE-20
Client-side HTTP parameter pollution (reflected)
Low
CWE-233 CWE-20
Client-side HTTP parameter pollution (stored)
Low
CWE-233 CWE-20
Form action hijacking (reflected)
Medium
CWE-73 CWE-20
Form action hijacking (stored)
Medium
CWE-73 CWE-20
Database connection string disclosed
Medium
CWE-15 CWE-497
Source code disclosure
Low
CWE-18 CWE-200 CWE-388 CWE-540 CWE-541 CWE-615
Backup file
Information
CWE-530
Directory listing
Information
CWE-538 CWE-548
Email addresses disclosed
Information
CWE-200
Private IP addresses disclosed
Information
CWE-200
Social security numbers disclosed
Information
CWE-200
Credit card numbers disclosed
Information
CWE-200 CWE-388
Private key disclosed
Information
CWE-200 CWE-388
Robots.txt file
Information
CWE-200
Json Web Key Set disclosed
Information
CWE-200
JWT private key disclosed
High
CWE-200
Cacheable HTTPS response
Information
CWE-524 CWE-525
Base64-encoded data in parameter
Information
CWE-310 CWE-311
Multiple content types specified
Information
CWE-436
HTML does not specify charset
Information
CWE-16 CWE-436
HTML uses unrecognized charset
Information
CWE-16 CWE-436
Content type incorrectly stated
Low
CWE-16 CWE-436
Content type is not specified
Information
CWE-16
TLS certificate
Medium
CWE-295 CWE-326 CWE-327
Unencrypted communications
Low
CWE-326
Strict transport security not enforced
Low
CWE-523
Mixed content
Information
CWE-16 CWE-319
Hidden HTTP 2
Information
CWE-912
Extension generated issue
Information
BCheck generated issue
Information

Report

Sample report

Process

The process
BUY NOW

WHITE BOX
PENETRATION
TESTING

All inclusive
599€
Enviado correctamente.

Gracias por confiar en Q2BStudio