Manual, research-driven penetration testing of web applications, REST and GraphQL APIs, and microservices — every finding proven with working exploit code. Delivered by Arturs Stay, CREST-certified and OSCP/OSEP with 15 years of offensive security experience.
Why Web Application Penetration Testing Matters
Web applications are the most targeted attack surface in the modern enterprise. Automated scanners and DAST tools catch the obvious — they miss the business logic flaws, authentication bypasses, and chained vulnerabilities that real attackers exploit. At Cyber Security Pentesting Inc., every engagement is conducted manually by a senior principal consultant, not a junior analyst running a tool. We approach your application the way a skilled adversary would: with curiosity, patience, and deep technical knowledge of how applications break under pressure.
Our web application security assessments go beyond the OWASP Top 10 checklist. We map your entire attack surface, understand your authentication flows, reverse-engineer your API contracts, and probe every trust boundary until we find what matters. Every critical and high-severity finding includes a working proof-of-concept demonstrating real business impact — not theoretical risk.
What We Test
Our web application penetration testing covers every major vulnerability class — from well-known OWASP categories to nuanced, application-specific attack patterns that automated tools routinely miss.
OWASP Top 10 Vulnerabilities
We test every category in the current OWASP Top 10 with manual techniques that go well beyond automated scanning:
- A01 Broken Access Control — IDOR, privilege escalation, path traversal, missing function-level authorisation
- A02 Cryptographic Failures — Weak encryption, plaintext transmission of sensitive data, insecure key storage
- A03 Injection — SQL injection, NoSQL injection, LDAP injection, command injection, XPath injection
- A04 Insecure Design — Missing threat model controls, design-level trust boundary failures
- A05 Security Misconfiguration — Default credentials, verbose errors, unnecessary features, cloud storage exposure
- A06 Vulnerable Components — Outdated libraries, unpatched frameworks, dependency confusion
- A07 Authentication Failures — Credential stuffing, brute force, weak session management, insecure password reset flows
- A08 Software & Data Integrity Failures — Insecure deserialization, CI/CD pipeline integrity, unsigned update mechanisms
- A09 Logging & Monitoring Failures — Identifying gaps that would allow an attacker to operate undetected
- A10 Server-Side Request Forgery — Cloud metadata endpoint access, internal network pivoting via SSRF chains
API Security — REST, GraphQL, gRPC
Modern applications expose enormous attack surface through their APIs. We test against the OWASP API Security Top 10 and beyond, covering REST, GraphQL, and gRPC endpoints:
- Broken Object Level Authorization (BOLA/IDOR) — accessing other users' resources by manipulating IDs
- Broken Function Level Authorization — accessing admin endpoints as a low-privilege user
- Mass Assignment — exploiting auto-binding to elevate privileges or modify protected fields
- GraphQL-specific attacks: introspection abuse, batching attacks, circular query DoS, field-level authorisation bypasses
- gRPC reflection enumeration and proto-based injection patterns
- API versioning abuse — older, less-hardened API versions exposing sensitive functionality
- Excessive data exposure — endpoints returning unnecessary sensitive fields to lower-privilege users
Microservices Architecture Testing
Distributed microservices architectures create complex inter-service trust relationships that introduce unique security risks. We analyse how services authenticate to each other, whether internal APIs are as hardened as external-facing endpoints, and how data flows across service boundaries.
Our testing covers service mesh security, sidecar proxy misconfigurations, event-driven architecture attack patterns (message queue injection, consumer manipulation), and the risk of lateral movement through a compromised service. We also examine how secrets are shared across services and whether container orchestration platforms (Kubernetes, ECS) are hardened against container escape and privilege escalation.
Authentication & Authorisation — OAuth 2.0, OIDC, SAML, JWT
Broken authentication is consistently one of the highest-impact vulnerability classes. We test the full identity stack with deep expertise in modern authentication protocols:
- OAuth 2.0 — CSRF on authorisation endpoint, open redirect abuse, authorisation code interception, implicit flow token leakage, token replay, scope escalation
- OIDC — ID token manipulation, nonce bypass, sub claim spoofing, misconfigured JWKS endpoints
- SAML — XML signature wrapping attacks, XXE in SAML responses, assertion replay, SP-initiated SSO bypass
- JWT — Algorithm confusion (RS256 to HS256), none algorithm abuse, weak secret brute force, kid header injection, jwk injection attacks
- Multi-factor authentication bypass — SIM swapping exposure, OTP brute force, backup code weaknesses, MFA fatigue attacks
- Session management — session fixation, insecure session storage, improper session invalidation on logout
Server-Side Request Forgery (SSRF)
SSRF has become one of the most impactful vulnerability classes in cloud-hosted applications. A single SSRF vulnerability can expose AWS, Azure, or GCP instance metadata endpoints — enabling an attacker to steal IAM credentials, access internal services, and pivot into cloud infrastructure with minimal effort.
We test for basic and blind SSRF across every parameter that triggers server-side HTTP requests: URL parameters, webhook endpoints, PDF generators, image processors, XML parsers, and import/export features. We also test for DNS rebinding and time-of-check/time-of-use race condition bypasses in SSRF filters. In cloud environments, we validate whether IMDSv2 enforcement and SSRF mitigations are actually effective.
Business Logic Flaws
Business logic flaws are the vulnerabilities that no scanner will ever find — they require a human tester who invests time understanding how your application is supposed to work before probing what happens when the intended flow is subverted. These are often the highest-impact findings in an engagement.
Examples from real engagements: negative quantity purchases, coupon stacking to achieve zero-cost checkouts, skipping payment steps entirely, transferring funds between accounts without proper ownership verification, privilege escalation through account linking flows, bypassing account verification during registration, and abusing "trust score" or reputation systems. We approach your application from the perspective of a motivated attacker who has read your feature documentation.
Deserialization Attacks
Insecure deserialization vulnerabilities can lead directly to remote code execution — often with no authentication required. We identify all deserialization entry points in your application and test them with targeted gadget chains appropriate to the platform and framework in use.
Our testing covers Java deserialization (Commons Collections, Spring, Hibernate gadget chains using ysoserial), .NET deserialization (BinaryFormatter, ViewState, JSON.NET TypeNameHandling abuse), PHP object injection via magic methods (__wakeup, __destruct), Python pickle deserialization, and YAML/XML deserialization attacks. We also test for second-order deserialization where payloads are stored and later triggered by an administrative or background process.
Race Conditions
Race conditions — particularly the "limit overrun" subclass — are chronically underreported by automated tools because they require concurrent request timing that scanners do not perform. We use HTTP/2 single-packet attacks (as documented in PortSwigger's research) to reliably reduce network jitter and achieve the precise timing windows required to trigger these vulnerabilities at scale.
Common exploitable scenarios we test: redeeming a gift card or discount code multiple times in a single window, exceeding API rate limits that rely on read-then-write patterns, double-spending wallet balances, racing password reset token generation, and multi-step workflow abuse where concurrent submissions cause inconsistent state. We also test for TOCTOU (time-of-check/time-of-use) vulnerabilities in file operations and authorisation checks.
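To make the limit-overrun pattern concrete from the defender's side, here is an added illustration (not code from the original page or from Cyber Security Pentesting Inc.) of a read-then-write gift-card redemption beside a lock-protected version; the GiftCardStore class, the card code and the request count are constructed for the example, and a barrier stands in for the concurrent burst.

```python
"""Limit-overrun race in a read-then-write redemption, next to an atomic fix (added example)."""
import threading


class GiftCardStore:
    """In-memory stand-in for a database table of single-use gift cards (constructed)."""

    def __init__(self, codes):
        self._redeemed = {code: False for code in codes}
        self._lock = threading.Lock()

    def redeem_read_then_write(self, code, sync=None):
        """Vulnerable: the check (read) and the mark (write) are separate steps,
        so concurrent requests can all pass the check before any write lands."""
        if self._redeemed.get(code):
            return False
        if sync is not None:
            sync.wait()  # holds every request past the check, like a single-packet burst
        self._redeemed[code] = True
        return True

    def redeem_atomic(self, code, sync=None):
        """Hardened: check and write happen under one lock, the equivalent of
        an atomic UPDATE ... WHERE redeemed = false (sync is unused here)."""
        with self._lock:
            if self._redeemed.get(code):
                return False
            self._redeemed[code] = True
            return True


def concurrent_redemptions(method_name, attempts=5, code="GIFT-1234"):
    """Fires `attempts` simultaneous redemptions of one code; returns how many succeeded."""
    store = GiftCardStore([code])
    barrier = threading.Barrier(attempts)
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = getattr(store, method_name)(code, sync=barrier)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)  # read-then-write path: 5 (overrun); atomic path: 1
```

Running `concurrent_redemptions("redeem_read_then_write")` shows the single-use code accepted five times, while the atomic variant accepts it once; the same fix applies to rate limits and wallet balances implemented as read-modify-write.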
File Upload Vulnerabilities
File upload functionality is one of the most commonly misconfigured features in web applications and one of the most direct paths to remote code execution. We test every upload endpoint for weaknesses in content-type validation, extension filtering, MIME type checking, and file content inspection.
Our testing covers: web shell upload via extension bypass techniques (double extensions, null bytes, polyglot files), bypassing client-side and server-side content-type checks, path traversal via filename manipulation to write files to unintended locations, stored XSS via SVG and HTML file uploads, XXE via office document uploads, and SSRF triggered through file processing pipelines (PDF generators, image libraries, document converters). We also verify that uploaded files are stored outside the webroot and served from isolated domains where appropriate.
Our Methodology
Every web application engagement follows a structured, attacker-aligned methodology designed to maximise coverage while delivering actionable findings. No two applications are identical — we adapt our approach to your technology stack, authentication model, and risk profile.
Reconnaissance
Passive and active information gathering: technology fingerprinting, JavaScript source analysis, subdomain enumeration, API endpoint discovery via JS files and Wayback Machine, cloud asset identification, and open-source intelligence on your application's architecture and third-party integrations.
Attack Surface Mapping
Systematic crawling and manual browsing to map every endpoint, parameter, and data flow. We document all authentication entry points, session mechanisms, privilege tiers, and trust boundaries. API schemas are extracted and analysed. Business logic is understood before testing begins.
Vulnerability Testing
Methodical manual testing of every attack surface — prioritised by risk and impact. We work through each vulnerability class with purpose-built payloads, Burp Suite Pro extensions, and custom scripts. Every test is designed to answer: "Can this be exploited, and what is the real-world impact?"
Exploitation & Chaining
Where vulnerabilities exist, we exploit them to demonstrate maximum achievable impact. We chain low-severity findings into critical attack paths where possible — a stored XSS plus a CSRF bypass plus an admin endpoint equals account takeover, and that story matters for prioritisation. Every critical and high finding includes a working proof-of-concept.
Reporting & Remediation
A detailed technical report is delivered within five business days of assessment completion. Every finding includes: severity rating (CVSS v3.1 score), clear technical description, reproduction steps, business impact narrative, and specific remediation guidance. A separate executive summary provides board-level risk context. We include a complimentary remediation review call to walk your development team through findings.
Standards & References
Our web application security testing methodology is grounded in recognised industry frameworks. All findings are mapped to relevant standards to support your compliance and risk management programmes.
OWASP Top 10
The industry-standard awareness document for the most critical web application security risks. Our assessments test every category in the current edition with manual techniques that go well beyond automated scanning.
owasp.org/www-project-top-10/
OWASP Web Security Testing Guide (WSTG)
The comprehensive technical testing guide produced by OWASP. Our methodology maps directly to the WSTG test cases, providing full traceability from findings to testing procedures for your audit trail.
owasp.org/www-project-web-security-testing-guide/
OWASP API Security Top 10
The definitive risk reference for API-specific vulnerabilities including BOLA, broken authentication, excessive data exposure, and lack of resource and rate limiting. All API testing is conducted against this framework.
owasp.org/API-Security/
CWE / SANS Top 25 Most Dangerous Software Weaknesses
Published by MITRE, the CWE/SANS Top 25 catalogues the software weaknesses that most frequently lead to exploitable vulnerabilities. All findings in our reports include the relevant CWE identifier for developer remediation context.
cwe.mitre.org/top25/
NIST SP 800-95 — Guide to Secure Web Services
NIST Special Publication 800-95 provides guidance on securing web services, including XML-based services, SOAP, and REST. We reference this document for organisations operating under NIST CSF or FedRAMP-adjacent compliance requirements.
csrc.nist.gov/publications/detail/sp/800-95/final
Extend Your Coverage
Web application security does not exist in isolation. Pair this service with complementary assessments to achieve comprehensive enterprise security coverage.
Get a Free Web Application Security Consultation
Discuss your application architecture, define the right scope, and understand what a professional web application penetration test will uncover in your environment. No commitment required — just a direct conversation with a senior security consultant.