Whitebox Testing

Overview

Whitebox testing leverages full access to your application’s source code to perform comprehensive security testing with better coverage, more reliable results, and the ability to provide automated fixes. This approach combines static analysis with dynamic testing to identify vulnerabilities that blackbox testing might miss.

How Whitebox Testing Works

When you provide source code access (via VCS integration or zip upload), Pensar performs advanced security testing:

1. Source Code Analysis

AI agents analyze your codebase to understand:

  • Application architecture and data flows
  • All routes, endpoints, and entry points
  • Authentication and authorization logic
  • Database schemas and queries
  • Third-party dependencies and integrations

2. Attack Surface Generation

Using source code insights, Pensar generates a comprehensive attack surface map with detailed understanding of each endpoint’s internal behavior.

3. Environment Testing

Tests are executed against your live environment using one of two approaches:

  • Sandbox Testing: Start your dev environment in an isolated sandbox (if configured)
  • Live Environment Testing: Test against your deployed staging or production environment

4. Dynamic Testing

The AI agent executes pentest objectives with full knowledge of the application internals, testing for vulnerabilities with high precision.

Testing Approaches

If your application is configured for sandbox deployment, Pensar can:

  1. Create an isolated sandbox environment using container technology
  2. Clone your repository into the sandbox
  3. Automatically detect and start your development environment:
    • Looks for docker-compose.yml or docker-compose.yaml
    • If not present, analyzes your application to determine service requirements
    • Creates Docker Compose configuration if needed (databases, caches, message queues)
  4. Start all services and wait for health checks to pass
  5. Execute comprehensive testing with full environment access
  6. Tear down the environment when testing completes

Sandbox testing is ideal for applications with complex dependencies, providing safe, isolated testing with automatic environment setup.
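
The start, health-wait, test and teardown steps above can be reproduced locally with Docker Compose. The following is an added example, not Pensar's implementation; the function names, the project name and the injectable `run` parameter are assumptions made for illustration.

```python
import subprocess
from pathlib import Path

# File names the page says are looked for; checking .yml first is an assumption.
COMPOSE_NAMES = ("docker-compose.yml", "docker-compose.yaml")


def find_compose_file(repo: Path):
    """Return the first compose file found in the repo root, or None."""
    for name in COMPOSE_NAMES:
        candidate = repo / name
        if candidate.is_file():
            return candidate
    return None


def compose_cmd(compose_file: Path, project: str, *args: str) -> list:
    """Build a `docker compose` argv pinned to one file and project name."""
    return ["docker", "compose", "-f", str(compose_file), "-p", project, *args]


def run_in_sandbox(repo: Path, project: str, test_cmd: list, run=subprocess.run) -> int:
    """Start services, wait for health checks, run the tests, always tear down."""
    compose_file = find_compose_file(repo)
    if compose_file is None:
        raise FileNotFoundError(f"no compose file in {repo}")
    try:
        # --wait blocks until every service is running or reports healthy
        run(compose_cmd(compose_file, project, "up", "-d", "--wait"), check=True)
        return run(test_cmd, cwd=repo).returncode
    finally:
        # Runs even if startup or the tests fail; -v also removes named
        # volumes so no test data outlives the sandbox
        run(compose_cmd(compose_file, project, "down", "-v", "--remove-orphans"),
            check=False)
```

Passing a dedicated project name keeps the sandbox's containers, networks and volumes separate from any other Compose stack on the same host.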

Sandbox Configuration

The AI agent automatically handles environment setup:

  • Docker Compose Detection: Finds and uses existing docker-compose files
  • Service Discovery: Identifies databases, caches, and other dependencies from your code
  • Automatic Configuration: Creates docker-compose.yml if needed based on your app’s requirements
  • Health Monitoring: Waits for all services to be healthy before testing
  • Iterative Troubleshooting: Fixes configuration issues automatically

You can disable sandbox environments in project settings if you prefer to test only against live deployments.

Benefits of Whitebox Testing

Complete Coverage

Test all code paths, including those not accessible through normal user flows. Source code analysis reveals hidden endpoints and logic.

Accurate Results

Dramatically reduce false positives by understanding the actual implementation. Verify vulnerabilities with confidence.

Business Logic Testing

Identify complex business logic vulnerabilities that require understanding of application internals and workflows.

Auto-Remediation

Enable automatic vulnerability fixes with AI-generated patches verified against your codebase.

Faster Testing

Skip time-consuming reconnaissance. Direct analysis of source code accelerates vulnerability discovery.

Context-Aware

Understand the purpose and context of each endpoint, leading to more relevant and actionable findings.

Vulnerability Detection

Whitebox testing provides enhanced detection capabilities:

Advanced Vulnerability Types

Identify vulnerabilities that require source code analysis:

  • Hardcoded credentials and secrets
  • Insecure cryptographic implementations
  • Race conditions in concurrent code
  • Memory safety issues
  • Unsafe deserialization
  • Path traversal vulnerabilities in file operations

Detect complex business logic vulnerabilities:

  • Improper authorization checks
  • State management issues
  • Price manipulation vulnerabilities
  • Workflow bypass vulnerabilities
  • Time-of-check to time-of-use (TOCTOU) issues

Trace data flows through your application:

  • SQL injection across multiple layers
  • XSS vulnerabilities through template rendering
  • Command injection in system calls
  • Sensitive data exposure in logs
  • Insecure data storage

Analyze third-party dependencies:

  • Known vulnerable package versions
  • Insecure dependency configurations
  • Supply chain security risks
  • Outdated framework versions

Code-to-Vulnerability Mapping

One of the most powerful features of whitebox testing is precise vulnerability localization:

Every vulnerability is mapped to specific files, functions, and line numbers in your source code, making remediation straightforward.

Vulnerability Report Details

Each finding includes:

  • Affected Files: Exact file paths where the vulnerability exists
  • Line Numbers: Specific lines of code containing the vulnerability
  • Code Context: Surrounding code for understanding the issue
  • Data Flow: How user input reaches the vulnerable code
  • Proof-of-Concept: Working exploit demonstrating the vulnerability
  • Fix Recommendation: Specific code changes to remediate the issue
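
To show what file, function and line localization looks like for two of the code-level classes listed earlier (hardcoded credentials and command injection in system calls), here is an added example that is not Pensar's code. It walks a Python AST and emits findings with location and code context; the rule names, `SECRET_NAMES` and the sample file are constructed for illustration.

```python
import ast

# Name fragments treated as secret-looking (an assumption of this example).
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")

# Constructed sample input: one literal credential and one shell call.
SAMPLE = '''\
import subprocess

DB_PASSWORD = "constructed-example-value"

def export(user_path):
    subprocess.run("tar czf out.tgz " + user_path, shell=True)
'''

def enclosing_functions(tree):
    """Map every AST node to the name of the function that contains it."""
    owner = {}
    def walk(node, current):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            current = node.name
        owner[node] = current
        for child in ast.iter_child_nodes(node):
            walk(child, current)
    walk(tree, "<module>")
    return owner

def scan(path, source):
    """Return findings (file, function, line, rule, context), sorted by line."""
    tree = ast.parse(source, filename=path)
    owner, lines, findings = enclosing_functions(tree), source.splitlines(), []

    def report(node, rule):
        findings.append({"file": path, "function": owner[node], "line": node.lineno,
                         "rule": rule, "context": lines[node.lineno - 1].strip()})

    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            # Hardcoded credential: secret-looking name bound to a non-empty string
            names = [t.id.lower() for t in node.targets if isinstance(t, ast.Name)]
            if isinstance(node.value.value, str) and node.value.value and \
                    any(s in n for n in names for s in SECRET_NAMES):
                report(node, "hardcoded-credential")
        elif isinstance(node, ast.Call):
            # Command-injection candidate: any call made with shell=True
            if any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                   and k.value.value is True for k in node.keywords):
                report(node, "shell-true-call")
    return sorted(findings, key=lambda f: f["line"])
```

Calling `scan("app/export.py", SAMPLE)` returns one finding at module level on line 3 and one inside `export` on line 6, which is the granularity a blackbox scan of the running service cannot report.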

Auto-Remediation Integration

Whitebox testing enables Pensar’s auto-remediation capabilities:

1. Vulnerability Discovery

Whitebox testing identifies a vulnerability with precise code location.

2. Automatic Fix Generation

AI generates a fix based on the vulnerability type, code context, and best practices.

3. Fix Verification

The generated POC is re-run to verify the fix resolves the vulnerability.

4. Pull Request Creation

If configured, Pensar automatically opens a PR with the fix in your repository.

Continuous Whitebox Testing

Integrate whitebox testing into your development workflow:

Event-Based Testing

Automatically test changes in pull requests:

  • Tests run on every PR
  • Focus on changed files and affected code paths
  • Results posted as PR comments
  • Block merging if critical vulnerabilities are found

Test on every commit to specific branches:

  • Continuous security validation
  • Rapid feedback on new code
  • Prevent vulnerabilities from reaching production

Run comprehensive tests on a schedule:

  • Daily, weekly, or monthly testing
  • Full application coverage
  • Detect regressions and new attack surfaces

Best Practices

Ensure Pensar has access to all application code:

  • Include all microservices and dependencies
  • Provide configuration files and environment setup
  • Include database schemas and migrations
  • Share API contracts and documentation

Test against staging before production:

  • Reduce risk of service disruption
  • Test with production-like data and configurations
  • Validate fixes in staging before production deployment

Provide authentication credentials for comprehensive testing:

  • Enable testing of authenticated endpoints
  • Test authorization and access control
  • Discover privilege escalation vulnerabilities

Take advantage of automatic fixes:

  • Configure PR creation for approved fixes
  • Set severity thresholds for auto-remediation
  • Review and merge fixes promptly

Stay informed about testing activities:

  • Review real-time testing progress in the console
  • Address findings as they’re discovered
  • Track remediation progress

Whitebox vs. Blackbox Comparison

| Aspect | Whitebox Testing | Blackbox Testing |
|---|---|---|
| Source Code | Required | Not required |
| Coverage | Complete - all code paths | Limited - accessible endpoints only |
| Accuracy | Very high - few false positives | Moderate - more false positives |
| Testing Speed | Fast - direct analysis | Slower - requires discovery |
| Vulnerability Types | All types including code-level | External vulnerabilities only |
| Auto-Remediation | Available | Not available |
| Business Logic | Excellent detection | Limited detection |
| Setup Complexity | Moderate - requires code access | Low - only needs domains |

For the most comprehensive security coverage, whitebox testing is strongly recommended when source code access is available.
