What Is a White Box Pentest? Explained
Hi readers, this article discusses what a white box pentest is and how it works in real life. Discover the tools used, key findings like SQLi and XSS, and lessons from testing internal systems.
This time I got the chance to do a white box pentest for a mid-size fintech org. Unlike a black box, for this one they gave me all the creds, source code, and internal API docs. Sounds easy? Well, not really. Here’s what went down…
What Is a White Box Pentest?
White box pentesting is where the client shares everything – codebases, infra diagrams, credentials, etc. The idea is to simulate what an insider attacker or rogue developer could do. You dig deep and find stuff that wouldn’t show up in a normal external scan.
Starting the White Box Pentest: Setup & Access
The first few hours went to just setting up the env. Docker containers all over the place. I swear, half my time went to just figuring out how their dev infra works. They used a custom auth flow based on OAuth2 with some weird tweak I’d never seen before.
Source Code Auditing
Since I had access to the backend code, I ran Semgrep and manual review on the repo. Found a couple of issues:
- Hardcoded AWS secret in a helper.py (yes, again in 2025)
- SQL queries built using f-strings in 3 different modules, hello SQLi…
- A debug endpoint (`/debug/logger`) that logged JWTs in plaintext. No auth needed. Yikes.
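To make the two code findings concrete, here is an added example (my illustration, not code from the client's repo or from Semgrep): the f-string query pattern next to its parameterised replacement, and a logging filter that scrubs anything JWT-shaped before it reaches a log line. The in-memory table, the probe value and the token string are all constructed for the demo; the function and logger names are mine.

```python
import logging
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # The pattern flagged in the review: the value is spliced into the statement
    # text, so a quote in the input ends the literal and the rest is parsed as SQL.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # The fix: a bound parameter. The driver hands the value to the engine
    # separately, so it is compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Three base64url segments joined by dots: the shape of a compact JWS/JWT.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def redact_tokens(text: str) -> str:
    """Replace anything JWT-shaped so a debug log never carries a usable token."""
    return JWT_RE.sub("[REDACTED-JWT]", text)


class TokenRedactingFilter(logging.Filter):
    """Attach to a logger or handler; rewrites each record before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so %-style args are merged, then scrub the final text.
        record.msg = redact_tokens(record.getMessage())
        record.args = ()
        return True


def build_debug_logger() -> logging.Logger:
    """Logger for a /debug-style endpoint with the redaction filter installed (hypothetical name)."""
    logger = logging.getLogger("constructed.debug")
    logger.addFilter(TokenRedactingFilter())
    return logger


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"  # one malformed value is enough to show the difference
    print("unsafe:", find_user_unsafe(db, probe))  # every row comes back
    print("safe:  ", find_user_safe(db, probe))    # no such username: []
    build_debug_logger().warning(
        "auth header: Bearer %s",
        "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJib2IifQ.c2lnbmF0dXJl",  # constructed token
    )
```

The redaction filter is a safety net, not the fix: the endpoint itself should never log the Authorization header, and should sit behind auth. A regex on token shape catches the accidental cases a reviewer would otherwise find in the log archive months later.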
White Box Pentesting from the Inside
With creds, I was able to impersonate multiple user levels. The app didn’t have proper RBAC checks, so a basic user could hit admin-only APIs if they just knew the URL. I literally changed `role=user` to `role=admin` in the JWT and boom—full access.
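The role-edit finding comes down to two server-side mistakes: the token signature was not being checked, and the role was read from a claim the client controls. Here is an added example (mine, stdlib only, not the client's auth code) of what the checks should look like: HS256 verification with the algorithm pinned, and an admin decision taken from a server-side role store rather than from the token. The signing key, the role table and the `with_edited_role` helper that models the claim edit are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-signing-key"  # assumption: HS256 shared secret, demo only

# Constructed server-side role store; the real app would read this from its DB.
ROLES = {"alice": "admin", "bob": "user"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Issue a compact HS256 token for the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the claims only if the signature is valid; None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never honour alg from the token
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None


def authorize_admin(token: str) -> bool:
    """Admin-only endpoint guard: valid signature AND admin per the server's own record."""
    claims = verify_jwt(token)
    if claims is None:
        return False
    # The decision comes from the server-side store, not from a 'role' claim.
    return ROLES.get(claims.get("sub")) == "admin"


def with_edited_role(token: str, new_role: str) -> str:
    """Model the finding: re-encode the payload with a new role, keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = new_role
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


if __name__ == "__main__":
    user_token = sign_jwt({"sub": "bob", "role": "user"})
    print("bob as issued   ->", authorize_admin(user_token))                    # False
    print("bob role edited ->", authorize_admin(with_edited_role(user_token, "admin")))  # False: signature fails
    print("alice           ->", authorize_admin(sign_jwt({"sub": "alice", "role": "admin"})))  # True
```

Two things to notice when you test this way: the edited token is rejected at signature check, and even a correctly signed token that says `role=admin` for bob is still refused, because the server's record is what decides. That second check is what closes the vertical escalation path even if a signing key is ever mishandled.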
Also tested their internal admin dashboard — XSS via a support chat feature. I sent `<img src=x onerror=alert(1)>` and it popped up in the agent panel. Classic.
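For the chat XSS, the fix on the agent panel side is output encoding for the context each value lands in. This is an added example (mine, not the dashboard's template code) showing the unsafe render next to the escaped one, using the same image tag from the write-up as the sample body; the message dict, the `data-user` attribute and the CSP value are constructed for the demo.

```python
import html
from typing import Dict, Tuple

# Constructed chat message as the agent panel would receive it from the widget.
SAMPLE_MESSAGE: Dict[str, str] = {"user": "customer-42", "body": "<img src=x onerror=alert(1)>"}


def render_message_unsafe(msg: Dict[str, str]) -> str:
    # The pattern behind the finding: user-supplied text dropped straight into markup.
    return f'<li data-user="{msg["user"]}">{msg["body"]}</li>'


def render_message_safe(msg: Dict[str, str]) -> str:
    # Escape for the context: quote=True encodes " and ' as well as < > &, so the
    # same call is safe in a double-quoted attribute and in the element body.
    user = html.escape(msg["user"], quote=True)
    body = html.escape(msg["body"], quote=True)
    return f'<li data-user="{user}">{body}</li>'


def csp_header() -> Tuple[str, str]:
    # Defence in depth for the panel: without 'unsafe-inline', inline event
    # handlers such as onerror do not execute even if an encoding bug slips through.
    return ("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'")


if __name__ == "__main__":
    print("unsafe:", render_message_unsafe(SAMPLE_MESSAGE))
    print("safe:  ", render_message_safe(SAMPLE_MESSAGE))
    print("header:", ": ".join(csp_header()))
```

Escaping belongs at the point of output, in the template layer, not on the way into the database: the same chat text may later be rendered in an email or a JSON API, each with its own encoding rules.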
Takeaways
- White box is not easy just because you have access. It’s even more work sometimes.
- Devs often don’t realise how exposed stuff is until someone maps it out.
- Always test both horizontally and vertically for access issues.
- Logging sensitive stuff = big no-no.
I learned that knowing the system inside can make you more dangerous than an outside hacker. Also that note-taking while testing is super important — I forgot one vuln location and had to dig back an hour to find it.
So, ya, that was my white box story. A little messy but real fun.
See u in the next write-up.