Web app penetration testing.

Manual web application penetration testing led by OSCP-certified engineers. Aligned to OWASP Top 10 and OWASP ASVS, every finding is confirmed with a working proof-of-concept — never a scanner dump. Free remediation retest within 30 days.


Why web app pen testing matters.

Public web applications remain the #1 entry point for external attackers. The vast majority of breaches investigated in 2025 involved a web-tier weakness — broken authentication, injection, business logic flaws, or insecure direct object references chained with a misconfigured cloud component.

A web application penetration test simulates a determined attacker against your specific stack. We don’t just run a scanner and email you a PDF. We map your application, abuse trust boundaries, chain low-severity findings into critical exploits, and write up actionable remediation guidance your engineers can ship.

What we test.

Every engagement covers the full OWASP Top 10 for Web Applications, mapped to your application’s actual functionality:

Injection & data handling

  • SQL, NoSQL, LDAP, and command injection (in-band, blind, time-based)
  • Server-Side Request Forgery (SSRF) — cloud metadata abuse, port scanning, DNS rebinding
  • XML External Entity (XXE) injection and deserialization attacks
  • Cross-Site Scripting (XSS) — reflected, stored, DOM-based, and mXSS

Authentication & authorization

  • Authentication bypass, password reset abuse, MFA bypass and downgrade
  • Session management flaws — fixation, hijacking, predictable IDs
  • Insecure Direct Object References (IDOR) and broken access control
  • JWT attacks — algorithm confusion, weak secret, kid injection, token replay
  • OAuth 2.0 and OpenID Connect misconfiguration

Business logic

  • Race conditions in financial workflows, coupon stacking, payment tampering
  • Multi-step process abuse and state machine violations
  • Mass assignment and parameter tampering
  • Rate-limit and anti-automation bypass

Modern frameworks & SPAs

  • React, Vue, Angular — client-side prototype pollution, postMessage abuse
  • GraphQL — introspection, batching, depth/complexity DoS, broken object-level authorization (BOLA)
  • WebSocket and Server-Sent Events
  • Service worker and offline cache poisoning

Our methodology.

We follow a structured five-phase methodology adapted from OWASP WSTG, PTES, and NIST SP 800-115:

  1. Scoping & reconnaissance. We map your application surface — subdomains, endpoints, parameters, roles, and third-party integrations. A signed Letter of Authorization is issued before any active testing.
  2. Threat modelling. We build a per-application threat model based on your business logic, user roles, and data flows. This drives which classes of vulnerability get prioritized.
  3. Manual testing. Senior engineers test every endpoint by hand using Burp Suite Pro with custom extensions, supplemented by targeted automation. We don’t skip endpoints because they look boring.
  4. Exploitation & impact. Each finding is exploited end-to-end with a documented proof-of-concept — HTTP requests, video walkthroughs for critical issues, and a clear blast-radius description.
  5. Reporting & retest. You receive an executive summary, a technical report with PoCs, and a 30-day window to fix findings and request a free retest.

Tools & techniques.

Our core testing stack is built around manual analysis with tooling to scale, not the other way around:

  • Burp Suite Pro
  • Caido
  • OWASP ZAP
  • ffuf
  • nuclei
  • sqlmap
  • jwt_tool
  • graphw00f
  • InQL
  • Postman
  • mitmproxy
  • Custom Python tooling

For grey-box engagements we use Semgrep, CodeQL, and language-specific SAST to inform manual testing — never as a substitute.

Compliance & standards.

Our reports map findings to the compliance frameworks you actually report against:

  • OWASP Top 10 (2021) and OWASP ASVS Level 2 / Level 3
  • PCI-DSS v4.0 requirement 11.4.3 (application penetration testing)
  • ISO/IEC 27001:2022 Annex A 8.8 (technical vulnerabilities)
  • SOC 2 Type II Common Criteria CC7.1
  • HIPAA § 164.308(a)(8) evaluation
  • GDPR Article 32 (security of processing)
  • UK Cyber Essentials Plus

What you receive.

  • Board-ready executive summary — risk posture, key findings, business impact in plain English
  • Full technical report — every finding with PoC, request/response evidence, CVSS v3.1 score, remediation guidance
  • Finding matrix — CSV/JSON export ready for your ticketing system (Jira, Linear, GitHub Issues)
  • Video PoCs for all critical and high-severity findings
  • Remediation call — 60-minute walkthrough with your engineering team
  • Free retest within 30 days — verification of fixes and a clean certificate of completion
  • Letter of attestation suitable for sharing with customers, auditors, and procurement teams

Frequently asked questions.

How long does a web application penetration test take?

A typical web app VAPT takes 3–5 working days of testing plus 2–3 days for reporting. Complexity (number of user roles, endpoints, business logic depth) determines the exact effort. Larger platforms or multi-tenant SaaS apps may run 7–10 days.

What is the difference between a vulnerability scan and web app pen testing?

A vulnerability scan runs automated tools and produces a noisy list of potential issues, many of which are false positives. A web application penetration test is led by a human, exploits findings end-to-end, and demonstrates real business impact with a working proof-of-concept.

Do you test single-page applications and APIs together?

Yes. Modern SPAs are tested end-to-end including the JavaScript front end, the API tier (REST, GraphQL, WebSocket), and any third-party identity providers (Auth0, Okta, AWS Cognito). We map the entire attack surface before testing begins.

Is a free remediation retest included?

Yes. A free retest is included with every web app engagement for 30 days after the report is delivered. We verify your fixes and issue a clean certificate of completion confirming the original findings are resolved.

Can you test in production?

We prefer staging when available, but production testing is supported with rate-limiting agreements, restricted payloads, and a designated point of contact. We never run destructive payloads (delete, mass update) without explicit authorization.


Book your web app audit.

30-minute free scoping call. Tailored proposal within 24 hours. Letter of authorization and NDA available on request.