Web Application Penetration Testing
With your written permission, we actively test your web application to find security weaknesses, including login flows, APIs, and how the application handles data. Unlike an external rating report, this is hands-on authorised testing with evidence of what we find.
Deliverables
What you actually receive
Every engagement ends with concrete artifacts your team can use. Not slides. Browse sample outputs below.
Finding detail
Reproducible steps, severity, and impact. Each finding is documented the way your team needs it.
Finding · PT-007
CVSS 9.1
SQL injection in search parameter
Affected: /api/v2/search · PostgreSQL 14 backend · auth-service pod
Reproduction steps
1. Navigate to /api/v2/search?q=test and confirm baseline JSON response
2. Inject payload: ' OR 1=1-- in the q parameter
3. Observe full user table returned including email, role, and last_login fields
4. Repeat with UNION SELECT to confirm read access to sessions table
5. Verify no WAF or rate limiting blocks repeated exploitation attempts
Impact
Unauthenticated read access to all user records including email addresses, password hashes, and session tokens. Enables account enumeration and credential stuffing follow-up.
Remediation
Parameterise all database queries via prepared statements. Deny-list SQL metacharacters at input layer. Add WAF rule on /api/v2/search. Rotate session secrets after fix.
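To illustrate the first remediation item, here is an added example (not part of the sample report) showing a string-built search query beside its prepared-statement form, run against a constructed in-memory sqlite3 table that stands in for the PostgreSQL user table; the payload from step 2 returns every row from the first and nothing from the second.

```python
import sqlite3


def make_db():
    # Constructed sample rows standing in for the user table in the finding.
    # sqlite3 is used so the example runs offline; the real backend is PostgreSQL.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, role TEXT, last_login TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice@example.com", "admin", "2024-01-01"),
            (2, "bob@example.com", "user", "2024-01-02"),
            (3, "carol@example.com", "user", "2024-01-03"),
        ],
    )
    return conn


def search_vulnerable(conn, q):
    # The q parameter is pasted into the SQL text, so quotes and comment
    # markers in q change the structure of the query itself.
    sql = f"SELECT id, email, role FROM users WHERE email LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def search_parameterised(conn, q):
    # Prepared statement: q is bound as a value and can only ever be data,
    # whatever characters it contains. No metacharacter filtering is needed.
    sql = "SELECT id, email, role FROM users WHERE email LIKE ?"
    return conn.execute(sql, (f"%{q}%",)).fetchall()


def compare(payload="' OR 1=1--"):
    # Returns (rows from the vulnerable query, rows from the parameterised query).
    conn = make_db()
    return len(search_vulnerable(conn, payload)), len(search_parameterised(conn, payload))


if __name__ == "__main__":
    print(compare())  # (3, 0)
```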
Practical
What to expect
Who it's for, how we work together, and where we draw the line.
Best for
- Applications handling sensitive data, payments, or customer accounts
- Pre-release or major release security validation
- Contractual or procurement requirements for technical testing (not certification)
- Follow-up when an external rating report identified issues needing deeper validation
How the engagement runs
2. Written authorisation and scope confirmation before any testing
3. Hands-on testing within the agreed window (staging preferred; production by explicit agreement)
4. Finding validation, report drafting, and internal quality review
5. Report delivery with optional readout for engineering and risk teams involved
Honest boundaries
- Testing is bounded by scope, environment, and time. It is not exhaustive of all possible attack paths
- Staging environments are preferred; production testing requires explicit safeguards
- Findings describe risk observed in scope, not certification against any standard
- Remediation validation is a separate engagement if you need formal retest evidence
Engagement package
What you get. And what you don't.
Fixed outputs and scope, agreed before we start. No surprises afterward.
Web application penetration test report
- Finding register with severity, confidence, and remediation guidance
- Evidence summaries suitable for internal distribution (redacted)
- Executive summary for risk and engineering teams involved
- Retest recommendations where appropriate
Detailed examples are shown in the deliverables section above.
Starting from €2,500 excl. VAT
Pricing guidance