// Service

Web application penetration testing

Your web app is your biggest attack surface. We test it the way a motivated attacker would: logged in, reading your JavaScript, and probing every assumption your developers made.

Illustration of a web application login screen protected by a shield
// Coverage

What we test

OWASP Top 10 coverage is the floor. The findings that matter usually live in your application's own logic.

  • Authentication and session management. Login flows, MFA, password reset, session fixation, token handling and account lockout behaviour.
  • Access control. Horizontal and vertical privilege escalation, insecure direct object references (IDOR), and function-level authorisation gaps.
  • Injection. SQL, NoSQL, OS command, template and LDAP injection across every input, header and parameter.
  • Cross-site scripting and client-side flaws. Stored, reflected and DOM XSS, CSRF, clickjacking, CORS misconfiguration and postMessage abuse.
  • Business logic. Workflow bypasses, race conditions, price and quantity manipulation, and abuse of features working exactly as designed.
  • Platform and configuration. Security headers, TLS configuration, verbose errors, exposed admin panels and forgotten endpoints.
// Approach

How we test it

We test authenticated, with at least one account per role you give us, because that's where the real risk is. Unauthenticated-only testing tells you very little about a modern application.

Automated scanning is used for breadth: mapping the attack surface and catching known-pattern issues quickly. Everything reported is then manually verified and extended by a tester who reads your responses, your JavaScript and your API traffic, and asks what the developers didn't think of.

Testing is typically performed against a staging environment that mirrors production, though we regularly test production under agreed rules of engagement. Either way you get daily check-ins and an immediate call if we find anything critical.

The full process, severity ratings and reporting format are described in our methodology.

// Deliverables

What you get

  • Executive summary. Risk posture and priorities in plain English, readable by non-technical stakeholders.
  • Technical findings. Every issue with a CVSS rating, evidence, exact reproduction steps and a concrete remediation.
  • Immediate alerts. Anything critical is raised with you the day we find it, not held back for the report.
  • Free retest. Once you've fixed the findings, we verify the fixes and issue an updated report and attestation letter.

Get a fixed quote

Send us a rough description of the target and we'll come back with a sensible scope and a fixed price, usually within two business days.

Related: API penetration testing for the services behind your app, and our plain-English guide to pentesting.