Web Application Penetration Test

Diese Seite ist auch auf Deutsch verfügbar.
A Web Application Penetration Test is a manual security assessment of a web application and its APIs, focused on the OWASP Top 10: broken access control, injection, authentication flaws, and business logic vulnerabilities.
Vulnerabilities in web applications can be very problematic. In the worst case, the entire web server is taken over or confidential customer data is stolen. Therefore, it is especially important to thoroughly test these applications.
Scope
Web applications are tested against the most critical vulnerability classes, with a focus on the OWASP Top 10. This includes:
- Access control testing: broken access control, privilege escalation, IDOR (accessing other users’ data by changing an ID in a request)
- Authentication and session flaws: weak password reset flows, session fixation, JWT misconfiguration
- Injection attacks: SQL injection, command injection, SSTI
- Server-side request forgery (SSRF) and insecure deserialization
- Business logic vulnerabilities: flaws in the application’s workflow that automated scanners cannot detect, such as skipping a payment or approval step
- Misconfigurations: security headers, TLS settings, error disclosure
- Review of third-party components: outdated libraries, known CVEs
- Implementation of Defense-in-Depth measures
Android mobile app testing is also available on request.
The specific test procedure and tested components will be discussed in a Scoping meeting.
Why
- Automated scanners catch the obvious issues; access control and business logic flaws (the ones that actually lead to data breaches) require a human tester
- A single IDOR or broken access control bug can expose your entire customer database
- Web applications change constantly. A test is a snapshot of security at a point in time, and regular testing catches regressions introduced by new features
Why VidraSec 🦦
I have worked in penetration testing and red teaming since 2017, and web applications are one of the most common entry points I test. Manual testing means I actually understand the application’s logic instead of relying on scanner signatures, and that’s where the vulnerabilities that matter are usually found.
Typical Duration
3 to 5 days of testing (depends on the size and complexity of the application). Reporting takes roughly 30 to 50% of the test time on top.
Typical Price
from 7,000 €
The final price depends on the scope of the project and the maturity level of your IT security. It is calculated individually based on the required effort.
Deliverables
Every engagement includes:
- Written findings report with all vulnerabilities, prioritized by severity, with remediation steps
- Management summary tailored to your audience (technical or executive)
- Live debriefing to walk through findings and answer questions
- Retesting after remediation available on request
See example reports for what a VidraSec report looks like.
Compliance
Relevant for GDPR (protection of customer data processed by the application) and ISO 27001.
Frequently asked questions
Is the test manual or automated?
It is primarily manual. Automated scanning supports the work, but the depth, and especially access control and business logic vulnerabilities, comes from manual testing by an experienced tester. Reports do not include automated scanner noise.Do you test APIs and mobile apps as well?
Yes. REST and GraphQL APIs are in scope, and Android mobile app testing is available on request. The exact components are agreed in the scoping meeting.Does the test require credentials or source code?
Most engagements are greybox, using valid user accounts to reach the parts of the application where the interesting vulnerabilities live. Source code is not required, though it can be included for a deeper review.How much does a web application penetration test cost?
From 7,000 euros. The final price depends on the size and complexity of the application and is calculated individually based on the required effort.Related Services
Related Blog Posts
- How Much Does a Penetration Test Cost?
- Pentest Provider Checklist for DACH SMBs
- What a NIS2-Ready Pentest Looks Like for a 50 to 500 Person Company
- Boutique Single-Operator Pentest vs. Large Firm vs. PTaaS: How to Choose
martin@vidrasec.com | +43 670 3081275 | +43 670 3081275 | Book appointment |