Web application penetration testing
Your web app is your biggest attack surface. We test it the way a motivated attacker would: logged in, reading your JavaScript, and probing every assumption your developers made.
What we test
OWASP Top 10 coverage is the floor. The findings that matter usually live in your application's own logic.
- Authentication and session management. Login flows, MFA, password reset, session fixation, token handling and account lockout behaviour.
- Access control. Horizontal and vertical privilege escalation, insecure direct object references (IDOR), and function-level authorisation gaps.
- Injection. SQL, NoSQL, OS command, template and LDAP injection across every input, header and parameter.
- Cross-site scripting and client-side flaws. Stored, reflected and DOM XSS, CSRF, clickjacking, CORS misconfiguration and postMessage abuse.
- Business logic. Workflow bypasses, race conditions, price and quantity manipulation, and abuse of features working exactly as designed.
- Platform and configuration. Security headers, TLS configuration, verbose errors, exposed admin panels and forgotten endpoints.
How we test it
We test authenticated, with at least one account per role you give us, because that's where the real risk is. Unauthenticated-only testing tells you very little about a modern application.
Automated scanning is used for breadth: mapping the attack surface and catching known-pattern issues quickly. Everything reported is then manually verified and extended by a tester who reads your responses, your JavaScript and your API traffic, and asks what the developers didn't think of.
Testing is typically performed against a staging environment that mirrors production, though we regularly test production under agreed rules of engagement. Either way you get daily check-ins and an immediate call if we find anything critical.
The full process, severity ratings and reporting format are described in our methodology.
What you get
- Executive summary. Risk posture and priorities in plain English, readable by non-technical stakeholders.
- Technical findings. Every issue with a CVSS rating, evidence, exact reproduction steps and a concrete remediation.
- Immediate alerts. Anything critical is raised with you the day we find it, not held back for the report.
- Free retest. Once you've fixed the findings, we verify the fixes and issue an updated report and attestation letter.
Get a fixed quote
Send us a rough description of the target and we'll come back with a sensible scope and a fixed price, usually within two business days.
Related: API penetration testing for the services behind your app, and our plain-English guide to pentesting.