pentest · web app

Test the app attackers actually target.

Authentication, authorization, business logic, file handling, integrations. Manual exploitation against your single-page app, server-rendered app, or admin console. Findings come with working proof-of-concept code and a remediation track engineers can ship.

01. in scope

What we test.

Coverage maps to OWASP WSTG and PTES. Every test category in scope unless you say otherwise.

Authentication

Login, password handling, MFA, session lifecycle, OAuth flows, magic links, password reset, SSO assertion handling.

Authorization

Per-route checks, per-record IDOR, broken object-level authorization, role-based vs attribute-based, multi-tenant isolation.

Input handling

SQL injection, XSS (reflected/stored/DOM), command injection, SSRF, XXE, path traversal, file uploads, deserialization.

Business logic

Race conditions, replay, price tampering, voucher abuse, workflow bypass, time-of-check time-of-use, multi-step transactions.

Crypto + sessions

Token signing, JWT verification, session fixation, cookie flags, transport security, key management.

Third-party integrations

Webhook signature verification, OAuth callbacks, third-party SDK trust, embed contexts, postMessage handling.

02. methodology

Methodology.

OWASP WSTG v5 plus our own checklist for modern stacks (SPAs, GraphQL, JWT, OAuth, WebSockets).

  1. Recon + mapping: Discover the surface: routes, parameters, auth boundaries, hidden endpoints, JavaScript-defined paths. Automated discovery is used as a starting point, not the deliverable.
  2. Auth + session testing: Verify every authentication and authorization control. Cross-tenant, cross-role, cross-record. JWT, OAuth, SAML flows.
  3. Manual exploitation: Each candidate vulnerability worked end-to-end. PoC code, request and response captures, business impact assessment.
  4. Report + readout: Findings with severity (CVSS 4.0), exploit chain, fix guidance, retest checklist. Engineer Q&A call to walk the team through priorities.

03. deliverables

What you walk away with.

Web app pentest deliverables.

PDF + markdown report

20 to 50 pages depending on scope. Executive summary, finding catalog, methodology reference, remediation guidance.

Working PoCs per finding

Reproducible exploit code or step-by-step. Your engineers can verify every claim before triage.

OWASP coverage map

Which categories were tested, which surfaced findings, which were clean. Useful for audit evidence.

Retest within 30 days

One round of post-fix retest included. Each finding marked resolved or open with notes.

04. when

When teams hire us for this.

Common triggers for a web app pentest.

Before SOC 2 / ISO 27001 audit

You need a pentest report that names methodology (OWASP WSTG), severity (CVSS 4.0), and the named engineer. We deliver in the format auditors expect.

Before a public launch

The system goes live next month. You want a clean read before customers exercise the surface.

Post-major-refactor

Auth rewrite, multi-tenancy added, payment integration in. Verify the new code path before users find the holes.

Enterprise customer ask

Your largest pipeline deal asked for a recent pentest. Sales blocked until the report lands.

05. faq

Questions before the call.

Common questions for this engagement type. See main pentest FAQ for shared questions.

How long does a web app pentest take?

Typically 2–4 weeks of testing for a single SPA or server-rendered app, plus a week for the report and readout. Multi-app or complex business-logic engagements run 4–6 weeks.

SPA, server-rendered, or static — does it matter?

Slightly. SPAs need DOM-level XSS coverage and client-side route checks. Server-rendered apps shift more focus to session and template handling. We adapt the methodology to your stack.

Do you test against production?

Production for read-only checks; staging or a production-like environment for anything that could damage data. Agreed in writing before kickoff.

Test a web app?

30-minute scoping call covers the surface, timeline, and likely scope. Free, no NDA needed.