Web Application Penetration Testing

We assess your websites for real-world security flaws like injections, broken access control, and logic bugs, ensuring attackers can't exploit what your users rely on.

What is Web Application Penetration Testing?

Web application penetration testing is a security assessment that simulates real-world attacks against your web application to identify vulnerabilities in authentication, authorization, input validation, session management, and business logic, going beyond automated scanning to find flaws specific to how your product works.

Testing Checklist

Every engagement covers these critical security areas.

SQL & NoSQL injection (all input vectors)
Reflected, Stored & DOM-based XSS
Cross-Site Request Forgery (CSRF)
Server-Side Request Forgery (SSRF)
Broken authentication & session management
Insecure Direct Object References (IDOR)
Horizontal & vertical privilege escalation
File upload and path traversal
Security misconfiguration
Sensitive data exposure in responses
Business logic bypass testing
Rate limiting and brute force protection

Testing Methodology

A structured, repeatable process that ensures thorough coverage and actionable results.

STEP 01

Reconnaissance & Mapping

Map application architecture, identify endpoints, authentication flows, and technology stack through automated and manual discovery.

STEP 02

Authentication & Session Testing

Test login mechanisms, session management, password policies, MFA implementation, and account lockout controls.

STEP 03

Injection & Input Validation

Test all input vectors for SQL, NoSQL, OS command, LDAP, and XPath injection vulnerabilities with manual and tool-assisted techniques.

STEP 04

Access Control Testing

Verify horizontal and vertical access controls, IDOR vulnerabilities, privilege escalation paths, and role-based access enforcement.

STEP 05

Business Logic Testing

Identify workflow bypass, race conditions, price manipulation, and other logic flaws that automated scanners miss.

STEP 06

Reporting & Remediation

Deliver detailed report with risk-rated findings, reproduction steps, and developer-friendly remediation guidance.

Want to scope your web application pentest engagement? Both founders take the discovery call.

Framework Alignment

Our methodology is aligned with industry-recognized security frameworks for thorough coverage and compliance readiness.

OWASP Top 10
OWASP WSTG
OWASP ASVS
PTES

Compliance Coverage

ISO 27001
A.14: System acquisition, development and maintenance
SOC 2
CC6.1: Logical and physical access controls

Deliverables

What you walk away with at the end of every engagement.

01 Executive summary for stakeholders
02 Technical findings with severity ratings
03 Step-by-step reproduction instructions
04 Remediation guidance per vulnerability
05 Compliance mapping: ISO 27001, SOC 2 (Growth plan)
06 Free retest within 30 days

Frequently Asked Questions

How long does a web application pentest take?

A single-scope web application pentest takes 7 calendar days with our Startup plan (₹74,999). The Growth plan provides 10 calendar days for deeper testing with SOC 2 evidence included.

What is in scope for a web application pentest at Cybersecify?

A web application pentest scope at Cybersecify covers six layers in 7 to 10 calendar days: authentication (login, MFA, password reset, session lifetime, account lockout, social login flows); authorization (horizontal IDOR, vertical privilege escalation, tenant isolation in multi-tenant SaaS, role-based access enforcement); input validation (SQL injection, NoSQL injection, command injection, server-side template injection, XXE, file upload, path traversal); client-side (reflected XSS, stored XSS, DOM XSS, CSRF, postMessage abuse, client-side prototype pollution); business logic (workflow bypass, race conditions, price manipulation, coupon stacking, replay); and infrastructure (security headers, TLS configuration, error-message disclosure, rate limiting, CORS). Out of scope: the physical layer, social engineering, denial-of-service against production, and third-party SaaS we have no testing authorization for.

Do you follow OWASP WSTG v5.0 for web application pentesting?

Yes. Cybersecify web application pentests follow the OWASP Web Security Testing Guide v5.0 as the methodology baseline, supplemented by PTES (Penetration Testing Execution Standard) for the engagement lifecycle and OWASP ASVS Level 2 as the verification standard. We cover the full OWASP Top 10 2021 (A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Logging and Monitoring Failures, A10 Server-Side Request Forgery) plus business-logic categories that automated scanners miss. Reports cite WSTG test IDs (WSTG-AUTH-01, WSTG-SESS-03, etc.) per finding so engineering teams can cross-reference remediation guidance directly with the OWASP source.

Do you do authenticated or unauthenticated web app pentests?

Both, depending on scope. The default Cybersecify engagement is greybox: you provide one test account per role (admin, regular user, read-only, etc.; typically 2 to 4 accounts) and we exercise the authenticated attack surface. We also run an unauthenticated pass against the login surface, password reset, public API endpoints, signup flow, and any pages reachable without authentication. Pure blackbox (no credentials) is available but produces lower-value findings on modern SaaS because the bulk of the attack surface sits behind login; we recommend it only when a buyer requires it for compliance reasons. Pure whitebox (full source code review plus pentest) is available at custom scope; most buyers do not need it.

How do you test multi-tenant SaaS tenant isolation in a web app pentest?

Multi-tenant isolation is the highest-severity finding category on B2B SaaS web apps. Specific tests at Cybersecify: we create two tenant accounts (tenant A and tenant B, both on paid plans) and systematically attempt cross-tenant access on every API endpoint, every database query parameter, every file download URL, every webhook callback URL, every search result, and every export endpoint. We test object IDs (can tenant A read a tenant B object by guessing its ID), tenant ID fields in JWTs or session cookies (can the tenant ID be forged), shared object stores (S3 prefix isolation), and shared search indexes (Elasticsearch tenant scoping). We also test admin-impersonation features (if your app has a customer-support-impersonates-customer flow, can it be abused to reach tenants it should not). Tenant-isolation findings on SaaS pentests are typically Critical severity.
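The cross-tenant check described above, written as a developer-side regression test (an added example, not Cybersecify's code): a constructed document table shared by two tenants, a read handler that trusts a tenant field carried in the request beside one scoped to the server-side session, and a check that asks for every victim-tenant ID from the other tenant's session. All names and data are constructed.

```python
"""Tenant-isolation regression check (added example; constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Server-side session record: tenant_id is fixed at login, never read from the client."""
    user: str
    tenant_id: str


# Constructed sample table with sequential IDs (the "guess the ID" case).
DOCUMENTS = {
    101: {"tenant_id": "tenant-a", "title": "A invoice"},
    102: {"tenant_id": "tenant-b", "title": "B payroll"},
    103: {"tenant_id": "tenant-b", "title": "B contracts"},
}


def get_document_vulnerable(session, doc_id, tenant_field):
    """IDOR: looks the object up by ID and trusts the tenant ID carried in the
    request (a forgeable JWT claim or body field) instead of the session."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["tenant_id"] != tenant_field:
        return None
    return doc["title"]


def get_document_hardened(session, doc_id, tenant_field):
    """Scopes every lookup to the authenticated tenant; the request field is ignored."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["tenant_id"] != session.tenant_id:
        return None
    return doc["title"]


def cross_tenant_leaks(handler, attacker, victim_tenant):
    """From the attacker's session, request every victim-tenant object while
    presenting the victim's tenant ID in the request. Returns the IDs that
    came back, i.e. the isolation failures; an empty list is the pass result."""
    leaks = []
    for doc_id, doc in DOCUMENTS.items():
        if doc["tenant_id"] == victim_tenant:
            if handler(attacker, doc_id, victim_tenant) is not None:
                leaks.append(doc_id)
    return leaks


if __name__ == "__main__":
    alice = Session("alice", "tenant-a")
    print("vulnerable:", cross_tenant_leaks(get_document_vulnerable, alice, "tenant-b"))  # [102, 103]
    print("hardened:  ", cross_tenant_leaks(get_document_hardened, alice, "tenant-b"))    # []
```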

Do you find business-logic vulnerabilities that scanners miss?

Yes. Business-logic flaws are the primary value of a Cybersecify pentest over an automated scan. Scanners find SQL injection and XSS; humans find business logic. Examples we surface regularly: race conditions in checkout (a coupon applied twice within 5 ms), price manipulation in the JSON payload (cart total changed client-side), workflow bypass (skipping MFA setup by going directly to the post-MFA URL), referral abuse (signing up with your own referral code), credit-balance manipulation in the support-ticket workflow, OAuth state-parameter bypass in the account-linking flow, and time-based races in invitation acceptance. These require understanding what your product does, not just running a tool against it. The engagement scoping conversation captures the business-logic surface so testing can focus on it.
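The checkout race above, as an added example (not the page's own code): a check-then-act coupon redemption beside a version in which the check and the write happen under one lock, with a barrier forcing the two requests into the harmful interleaving so the result is deterministic. Class and function names are constructed; in a real service the lock is a database transaction or a uniqueness constraint on (cart_id, coupon_code).

```python
"""Coupon double-redemption race (added example; names constructed)."""
import threading


class Cart:
    def __init__(self, total):
        self.total = total
        self.coupon_redeemed = False
        self.lock = threading.Lock()  # stands in for a DB row lock / transaction


def redeem_racy(cart, discount, barrier):
    """Check-then-act: the check and the write are separate steps, so two
    requests that both pass the check both apply the discount."""
    if cart.coupon_redeemed:
        return False
    barrier.wait()            # both requests are past the check before either writes
    cart.total -= discount
    cart.coupon_redeemed = True
    return True


def redeem_atomic(cart, discount, barrier):
    """Check and write under one lock: the second request sees the flag already set.
    In production: SELECT ... FOR UPDATE, or a unique (cart_id, coupon_code) row."""
    barrier.wait()            # both requests arrive together, then serialize
    with cart.lock:
        if cart.coupon_redeemed:
            return False
        cart.coupon_redeemed = True
        cart.total -= discount
        return True


def run_two_requests(handler, total=1000, discount=200):
    """Fire two concurrent redemptions; return (final total, successful redemptions)."""
    cart = Cart(total)
    barrier = threading.Barrier(2)
    results = []
    threads = [threading.Thread(target=lambda: results.append(handler(cart, discount, barrier)))
               for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cart.total, sum(results)


if __name__ == "__main__":
    print(run_two_requests(redeem_racy))    # redemptions == 2: discount applied twice
    print(run_two_requests(redeem_atomic))  # (800, 1): second request rejected
```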

What does the retest scope cover after a web app pentest?

Every Cybersecify pentest includes 1 free retest within 30 days of report delivery. Retest scope: we re-test every finding marked Critical, High, or Medium in the report, plus any Low-severity finding the buyer explicitly asks us to re-verify. We do not re-test findings the buyer chose not to remediate (those carry over to the final report as accepted-risk items). The retest takes 1 to 3 business days depending on finding count and delivers a delta report (Fixed / Still Vulnerable / Partial Fix / Accepted Risk) per finding. If a fix introduced a regression (a new vulnerability while patching the old one), the new finding is added to the delta report at no extra charge. Retests beyond the 30-day window are INR 25,000 per round.

Is your web app pentest report audit-acceptable for SOC 2 and ISO 27001?

Yes. Web app pentest reports follow PTES + OWASP WSTG v5.0 + OWASP ASVS Level 2. Reports include technical and executive summaries with reproduction steps, business impact in plain language, CVSS v3.1 scoring, and remediation guidance specific to your tech stack. The Growth Pentest plan adds explicit SOC 2 Trust Services Criteria (CC6.6 Protection Against External Threats, CC6.7 Restricted Transmission, CC6.8 Controls Against Unauthorized Software, CC7.1 Vulnerability Detection, CC7.2 Anomaly Monitoring) + ISO 27001 Annex A control mapping per finding (A.8.8 Management of technical vulnerabilities, A.8.25 Secure development lifecycle, A.8.26 Application security requirements, A.8.28 Secure coding). Reports have been accepted by SOC 2 Type 1, SOC 2 Type 2, and ISO 27001 auditors. The Growth plan includes a separate Letter of Attestation signed by the Lead Pen Tester (OSCP) for buyer onboarding evidence.

How much does a web application pentest cost in India?

A web application pentest is one scope. Cybersecify pricing: Startup Pentest INR 74,999 (single web app scope, 7 calendar days, OWASP WSTG v5.0 coverage, audit-acceptable report, 6 founder consulting hours usable within 6 months from kickoff, 1 free retest within 30 days). Growth Pentest INR 1,79,999 (2 scopes, typically web app + API or web app + cloud; 10 calendar days; SOC 2 + ISO 27001 audit-prep evidence with control mapping per finding; 12 founder consulting hours usable within 12 months from kickoff; Letter of Attestation signed by the Lead Pen Tester; 1 free retest). International pricing parity: Startup ~USD 900 / ~EUR 830, Growth ~USD 2,150 / ~EUR 1,990 at snapshot FX. All prices exclude taxes.

Do you cover DPDP Act compliance overlap in web app pentests?

Yes for technical-controls findings, partial for documentation. DPDP Act 2023 Section 8 mandates "reasonable security safeguards" for personal data; web app pentest findings that touch personal-data handling (an authentication weakness exposing user data, IDOR exposing another tenant's PII, insecure file uploads of identity documents, leakage of email addresses or phone numbers in API responses, insufficient encryption in transit) are flagged with a DPDP overlap tag in Growth Pentest reports. We do not perform a standalone DPDP audit as part of pentest scope; that lives in our separate Audit + Compliance service. However, the pentest report can be used as evidence that "reasonable security safeguards" were technically tested, which is one input to a DPDP compliance position. We also flag DPDP Section 9 (children's data) handling if your app processes data of users under 18.

Why outsource web app pentesting instead of doing it in-house?

Three reasons buyers consistently cite for outsourcing to Cybersecify. (1) Compliance independence: SOC 2 and ISO 27001 auditors prefer external pentest evidence because in-house testers lack adversarial independence (your own developers know your blind spots and tend not to surface them). (2) Tooling and methodology: external firms have invested in pentest-specific tooling (Burp Suite Pro, custom Frida/MobSF rigs, OWASP WSTG checklist coverage, OSCP-trained methodology) that an in-house engineer building their first pentest would take 6 to 12 months to assemble. (3) Buyer and investor trust: a third-party pentest report with a Lead Pen Tester signature carries credibility with enterprise buyers and Series A+ investors that an in-house report does not. The 4 buyer triggers we see: a compliance audit deadline, an investor diligence requirement, an enterprise customer onboarding security questionnaire, and post-incident fear (we got breached, or saw a competitor get breached).

Do you provide a Letter of Attestation after a web app pentest?

Yes for the Growth Pentest plan. The Letter of Attestation is a 1-page signed letter from the Lead Pen Tester (Rathnakara GN, OSCP) attesting to the engagement scope, the methodology (PTES + OWASP WSTG v5.0 + ASVS Level 2), the testing window dates, the final severity-graded finding summary, and the remediation status as of report delivery. It references ISO 27001:2022 Annex A.8.8 + A.8.29 and Clause 9.1 + 10.2 for buyer audit evidence. The Startup Pentest plan does not include the Letter; it is a Growth-plan deliverable. Buyers use the Letter as supplementary evidence in security questionnaires, vendor risk assessments, and audit-prep packages where the full pentest report cannot be shared due to sensitivity.

Ready to secure your web application?

Pentest packages from INR 74,999 (~$900 / ~€830). Includes consulting hours + 1 free retest within 30 calendar days. Both founders on every engagement: Rathnakara (OSCP) leads testing, Ashok handles delivery + compliance.