Manual, research-driven penetration testing of web applications, REST and GraphQL APIs, and microservices, every finding proven with working exploit code. Delivered by Arturs Stay, CREST-certified and OSCP/OSEP with 20+ years of enterprise technology and cybersecurity experience.
Web application penetration testing is the manual, hands-on assessment of web apps, REST and GraphQL APIs, and microservices for exploitable vulnerabilities. At Cyber Security Pentesting Inc. (CSPI), every web app engagement is delivered by a CREST-certified, OSCP/OSEP principal consultant, no automated scanner output dressed up as a report. Coverage spans the full OWASP Top 10 plus business logic flaws, OAuth/OIDC/SAML/JWT attacks, SSRF chains into cloud metadata, deserialization, race conditions, and file upload abuse. Typical engagement: 2-4 weeks for a single application, 3-6 weeks for multi-tenant or multi-application scope. Reports are dual-audience (executive + technical) and mapped to OWASP, NIST, PCI-DSS, SOC 2, and PIPEDA control frameworks. Free remediation re-test included.
Why Web Application Penetration Testing Matters
Web applications are the most targeted attack surface in the modern enterprise. Automated scanners and DAST tools catch the obvious; they miss the business logic flaws, authentication bypasses, and chained vulnerabilities that real attackers exploit. At Cyber Security Pentesting Inc., every engagement is conducted manually by a senior principal consultant, not a junior analyst running a tool. We approach your application the way a skilled adversary would: with curiosity, patience, and deep technical knowledge of how applications break under pressure.
Our web application security assessments go beyond the OWASP Top 10 checklist. We map your entire attack surface, understand your authentication flows, reverse-engineer your API contracts, and probe every trust boundary until we find what matters. Every critical and high-severity finding includes a working proof-of-concept demonstrating real business impact, not theoretical risk.
What We Test
Our web application penetration testing covers every major vulnerability class, from well-known OWASP categories to nuanced, application-specific attack patterns that automated tools routinely miss.
OWASP Top 10 Vulnerabilities
We test every category in the current OWASP Top 10 with manual techniques that go well beyond automated scanning:
- A01 Broken Access Control: IDOR, privilege escalation, path traversal, missing function-level authorisation
- A02 Cryptographic Failures: weak or misused encryption, plaintext transmission of sensitive data, insecure key storage
- A03 Injection: SQL injection, NoSQL injection, LDAP injection, OS command injection, XPath injection, and cross-site scripting (folded into this category in the 2021 edition)
- A04 Insecure Design: missing threat-model controls, design-level trust boundary failures
- A05 Security Misconfiguration: default credentials, verbose errors, unnecessary features, cloud storage exposure
- A06 Vulnerable and Outdated Components: outdated libraries, unpatched frameworks, dependency confusion
- A07 Identification and Authentication Failures: credential stuffing, brute force, weak session management, insecure password reset flows
- A08 Software and Data Integrity Failures: insecure deserialization, CI/CD pipeline integrity, unsigned update mechanisms
- A09 Security Logging and Monitoring Failures: identifying gaps that would allow an attacker to operate undetected
- A10 Server-Side Request Forgery: cloud metadata endpoint access, internal network pivoting via SSRF chains
API Security: REST, GraphQL, gRPC
Modern applications expose enormous attack surface through their APIs. We test against the OWASP API Security Top 10 and beyond, covering REST, GraphQL, and gRPC endpoints:
- Broken Object Level Authorization (BOLA/IDOR): accessing other users' resources by manipulating identifiers
- Broken Function Level Authorization: accessing admin endpoints as a low-privilege user
- Mass Assignment: exploiting auto-binding of request fields to elevate privileges or modify protected attributes
- GraphQL-specific attacks: introspection abuse, alias and batching attacks, deeply nested query denial of service, field-level authorisation bypasses
- gRPC reflection enumeration and injection through protobuf-defined fields
- API versioning abuse: older, less-hardened API versions still exposing sensitive functionality
- Excessive data exposure: endpoints returning unnecessary sensitive fields to lower-privilege users
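The two findings that recur most often in API engagements, BOLA and mass assignment, usually live in the same handler. The following is an added illustration, not CSPI code or code from any client: a framework-free PATCH /users/{id} handler with both defects, beside the hardened version that checks ownership and binds only an explicit allowlist of fields. The user records, field names and session model are constructed for the demo.

```python
"""Added example (not CSPI code): BOLA and mass assignment in one profile-update
handler, beside the hardened version.  Framework-free so it runs stand-alone; the
users table, the session model and the field names are constructed for the demo."""
from typing import Any, Dict, Tuple

# Constructed data store.  'is_admin' must never be client-writable.
USERS: Dict[int, Dict[str, Any]] = {
    1: {"id": 1, "email": "alice@example.test", "display_name": "Alice", "is_admin": False},
    2: {"id": 2, "email": "mallory@example.test", "display_name": "Mallory", "is_admin": False},
}

WRITABLE_FIELDS = {"email", "display_name"}   # explicit allowlist for PATCH /users/{id}


def patch_user_vulnerable(session_user_id: int, target_id: int,
                          body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """VULNERABLE: no ownership check (BOLA: any caller may edit any id) and every JSON
    key is bound straight onto the record (mass assignment: 'is_admin' included)."""
    user = USERS.get(target_id)
    if user is None:
        return 404, {"error": "not found"}
    user.update(body)                 # the attacker chooses which columns change
    return 200, user


def patch_user_hardened(session_user_id: int, target_id: int,
                        body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """HARDENED: object-level authorisation from the server-side session, then an
    allowlist of writable fields; unknown fields are an error, not silently dropped."""
    caller = USERS.get(session_user_id)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    user = USERS.get(target_id)
    if user is None:
        return 404, {"error": "not found"}
    # The role is read from the server-side record, never from the request body.
    if target_id != session_user_id and not caller["is_admin"]:
        return 403, {"error": "forbidden"}
    unwritable = set(body) - WRITABLE_FIELDS
    if unwritable:
        return 400, {"error": "unwritable fields", "fields": sorted(unwritable)}
    user.update({k: body[k] for k in WRITABLE_FIELDS if k in body})
    return 200, user


def demo() -> Dict[str, Any]:
    """Mallory (id 2) sends a privilege-escalating body at Alice's record (id 1)."""
    attack = {"email": "mallory@example.test", "is_admin": True}
    v_status, _ = patch_user_vulnerable(session_user_id=2, target_id=1, body=dict(attack))
    escalated = USERS[1]["is_admin"]
    USERS[1].update({"email": "alice@example.test", "is_admin": False})   # reset
    h_status, _ = patch_user_hardened(2, 1, dict(attack))                  # cross-tenant
    self_status, _ = patch_user_hardened(2, 2, {"is_admin": True})         # own record
    return {
        "vulnerable_status": v_status,
        "vulnerable_escalated": escalated,
        "hardened_cross_tenant_status": h_status,
        "hardened_self_mass_assign_status": self_status,
        "alice_still_user": USERS[1]["is_admin"] is False,
    }
```

The point to test for in a live engagement is the combination: a second-tier account replaying a first-tier user's request with only the identifier and one extra field changed. Whether the server returns 403 or 404 for foreign identifiers is a design choice; returning 200 is the finding.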
Microservices Architecture Testing
Distributed microservices architectures create complex inter-service trust relationships that introduce unique security risks. We analyse how services authenticate to each other, whether internal APIs are as hardened as external-facing endpoints, and how data flows across service boundaries.
Our testing covers service mesh security, sidecar proxy misconfigurations, event-driven architecture attack patterns (message queue injection, consumer manipulation), and the risk of lateral movement through a compromised service. We also examine how secrets are shared across services and whether container orchestration platforms (Kubernetes, ECS) are hardened against container escape and privilege escalation.
Authentication & Authorisation: OAuth 2.0, OIDC, SAML, JWT
Broken authentication is consistently one of the highest-impact vulnerability classes. We test the full identity stack with deep expertise in modern authentication protocols:
- OAuth 2.0: CSRF on the authorisation endpoint, open redirect abuse, authorisation code interception, implicit flow token leakage, token replay, scope escalation
- OIDC: ID token manipulation, nonce bypass, sub claim spoofing, misconfigured JWKS endpoints
- SAML: XML signature wrapping attacks, XXE in SAML responses, assertion replay, SP-initiated SSO bypass
- JWT: algorithm confusion (RS256 to HS256), none algorithm abuse, weak secret brute force, kid header injection, jwk injection attacks
- Multi-factor authentication: bypass, SIM swapping exposure, OTP brute force, backup code weaknesses, MFA fatigue attacks
- Session management: session fixation, insecure session storage, improper session invalidation on logout
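The JWT bullets above share one root cause: the verifier lets the token's own header decide how it is verified. The following is an added example (not CSPI code) that shows that defect and its fix with the standard library only. The "none" path is shown in full; the RS256-to-HS256 confusion is the same bug one branch over, where the RSA public key ends up used as the HMAC secret, and the fix, pinning the algorithm server-side, is identical. The HS256 key and the claims are constructed for the demo.

```python
"""Added example (not CSPI code): a JWT verifier that dispatches on the token's 'alg'
header, beside one that pins the algorithm.  Standard library only; SERVER_SECRET and
the claims are constructed for the demo."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_SECRET = b"constructed-demo-hs256-key"   # assumption: the server's HMAC key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS.  alg='none' yields the unsigned token an attacker submits."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def _split(token: str):
    parts = token.split(".")
    return parts if len(parts) == 3 else None


def verify_header_driven(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE: trusts header['alg'].  'none' skips verification outright; the
    RS256->HS256 confusion is the same flaw with the public key as the HMAC secret."""
    parts = _split(token)
    if not parts:
        return None
    h64, b64, s64 = parts
    alg = json.loads(_unb64url(h64)).get("alg")
    if alg == "none":
        return json.loads(_unb64url(b64))
    if alg == "HS256":
        expected = hmac.new(key, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(s64)):
            return json.loads(_unb64url(b64))
    return None


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """HARDENED: the algorithm is a server-side constant.  The header must match it and
    the signature must verify before a single claim is read."""
    parts = _split(token)
    if not parts:
        return None
    h64, b64, s64 = parts
    try:
        header = json.loads(_unb64url(h64))
        sig = _unb64url(s64)
    except ValueError:            # bad base64 or bad JSON (UnicodeDecodeError included)
        return None
    if header.get("alg") != expected_alg or not sig:
        return None
    expected = hmac.new(key, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_unb64url(b64))


def demo() -> dict:
    legit = mint({"sub": "alice", "role": "user"}, SERVER_SECRET)
    # Attacker edits the claims, sets alg to 'none' and drops the signature.
    forged = mint({"sub": "alice", "role": "admin"}, b"", alg="none")
    wrong_key = mint({"sub": "alice", "role": "admin"}, b"guess")
    return {
        "vulnerable_accepts_none": verify_header_driven(forged, SERVER_SECRET) == {"sub": "alice", "role": "admin"},
        "pinned_rejects_none": verify_pinned(forged, SERVER_SECRET) is None,
        "pinned_rejects_wrong_key": verify_pinned(wrong_key, SERVER_SECRET) is None,
        "pinned_accepts_legit": verify_pinned(legit, SERVER_SECRET) == {"sub": "alice", "role": "user"},
    }
```

The same discipline applies to `kid` and `jwk` headers: they may select among keys the server already trusts, but must never cause the server to fetch, read or accept a key the request supplied.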
Server-Side Request Forgery (SSRF)
SSRF has become one of the most impactful vulnerability classes in cloud-hosted applications. A single SSRF vulnerability can expose AWS, Azure, or GCP instance metadata endpoints, enabling an attacker to steal IAM credentials, access internal services, and pivot into cloud infrastructure with minimal effort.
We test for basic and blind SSRF across every parameter that triggers server-side HTTP requests: URL parameters, webhook endpoints, PDF generators, image processors, XML parsers, and import/export features. We also test whether SSRF filters validate a hostname and then let the HTTP client resolve it again, the time-of-check/time-of-use gap that DNS rebinding exploits, along with alternate address encodings and IPv4-mapped IPv6 literals that slip past naive denylists. In cloud environments, we validate whether IMDSv2 enforcement and SSRF mitigations are actually effective.
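What "actually effective" means for an SSRF filter is shown in the following added example (not CSPI code): an egress check that resolves the hostname once, screens every answer, and pins the connection to the screened address, beside the check-then-refetch pattern that DNS rebinding defeats. The resolver is injectable so the rebinding sequence can be simulated offline; the hostnames and the public IP answer are constructed for the demo.

```python
"""Added example (not CSPI code): SSRF egress screening with a pinned connection,
beside the check-then-refetch pattern that DNS rebinding defeats.  The resolver is
injectable so the rebinding sequence is simulated offline; hostnames and the public
IP answer are constructed."""
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Never-egress destinations on top of the private/loopback/link-local classes that the
# ipaddress module already flags.
DENY_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",   # AWS, Azure and GCP instance metadata
    "fd00:ec2::254/128",    # AWS IMDS over IPv6
    "100.64.0.0/10",        # shared address space, common inside container networks
)]


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped           # ::ffff:169.254.169.254 -> 169.254.169.254
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved
            or any(addr in net for net in DENY_NETS))


def system_resolver(host: str) -> List[str]:
    """Real DNS (not used by the offline demo).  getaddrinfo also normalises
    alternate encodings such as a decimal IPv4, so the screen sees dotted quads."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def _screen(url: str, resolver: Resolver) -> Optional[List[str]]:
    """Scheme allowlist, no userinfo, resolve once, screen every A/AAAA answer."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.username or parts.hostname is None:
        return None
    host = parts.hostname
    try:
        ips = [str(ipaddress.ip_address(host))]   # IP literal: never consult DNS
    except ValueError:
        ips = resolver(host)
    if not ips or any(is_blocked(ip) for ip in ips):
        return None
    return ips


def naive_target(url: str, resolver: Resolver) -> Optional[str]:
    """VULNERABLE: screens the hostname, then hands the URL to an HTTP client that
    resolves it again.  A short-TTL rebinding name answers a public address at check
    time and the metadata address at connect time."""
    if _screen(url, resolver) is None:
        return None
    return resolver(urlsplit(url).hostname)[0]     # second lookup = the TOCTOU window


def pinned_target(url: str, resolver: Resolver) -> Optional[str]:
    """HARDENED: connect to the exact address that passed screening and carry the
    original hostname only in the Host header / SNI.  There is no second lookup."""
    ips = _screen(url, resolver)
    return None if ips is None else ips[0]


class RebindingResolver:
    """Constructed DNS behaving like an attacker's rebinding domain: the first answer
    is a public address, every later answer is the IMDS address."""
    def __init__(self, first: str = "93.184.216.34", then: str = "169.254.169.254") -> None:
        self._answers = [first, then]

    def __call__(self, host: str) -> List[str]:
        ip = self._answers.pop(0) if len(self._answers) > 1 else self._answers[0]
        return [ip]
```

Redirects need the same treatment: each hop's target must pass `_screen` before it is followed, because a 302 from an allowed host to the metadata address is the other common way past a filter that only inspects the first URL.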
Business Logic Flaws
Business logic flaws are the vulnerabilities that no scanner will ever find. They require a human tester who invests time understanding how your application is supposed to work before probing what happens when the intended flow is subverted. These are often the highest-impact findings in an engagement.
Examples from real engagements: negative quantity purchases, coupon stacking to achieve zero-cost checkouts, skipping payment steps entirely, transferring funds between accounts without proper ownership verification, privilege escalation through account linking flows, bypassing account verification during registration, and abusing "trust score" or reputation systems. We approach your application from the perspective of a motivated attacker who has read your feature documentation.
Deserialization Attacks
Insecure deserialization vulnerabilities can lead directly to remote code execution, often with no authentication required. We identify all deserialization entry points in your application and test them with targeted gadget chains appropriate to the platform and framework in use.
Our testing covers Java deserialization (Commons Collections, Spring, Hibernate gadget chains using ysoserial), .NET deserialization (BinaryFormatter, ViewState, JSON.NET TypeNameHandling abuse), PHP object injection via magic methods (__wakeup, __destruct), Python pickle deserialization, and YAML/XML deserialization attacks. We also test for second-order deserialization where payloads are stored and later triggered by an administrative or background process.
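The Python case is the most compact way to see why deserialization entry points are treated as code-execution sinks. The following is an added example (not CSPI code or any client's): a pickle payload that runs an arbitrary importable callable the moment it is loaded, a static triage pass that lists the globals a blob would import without executing it, and a restricted unpickler that refuses anything off an allowlist. The payload calls `os.path.join` in place of `os.system` so the demo is harmless; the allowlist is constructed for the demo.

```python
"""Added example (not CSPI code): a self-executing pickle payload, static triage of
the globals it would import, and an allowlisting unpickler.  os.path.join stands in
for os.system so the demo is harmless; ALLOWED_GLOBALS is constructed."""
import io
import os
import pickle
import pickletools
from typing import List, Optional, Tuple


class Payload:
    """Constructed attacker class.  pickle stores the *result* of __reduce__, i.e. a
    callable and its arguments; the victim never needs this class, the callable is
    imported by name at load time."""
    def __reduce__(self):
        return (os.path.join, ("pwned", "by", "pickle"))   # stand-in for (os.system, ("id",))


def build_payload(protocol: Optional[int] = None) -> bytes:
    return pickle.dumps(Payload(), protocol=protocol)


def unsafe_load(data: bytes):
    """VULNERABLE: the attacker's callable has already run when this returns."""
    return pickle.loads(data)


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """Static triage of a suspicious blob: the module.name pairs it would import,
    without executing it.  Covers GLOBAL (protocol <= 3) and STACK_GLOBAL
    (protocol >= 4) via a string-stack heuristic, not a full pickle VM."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
    return found


ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
                   ("builtins", "tuple"), ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """HARDENED: every global lookup is checked against an allowlist.  Better still:
    do not accept pickle from untrusted parties at all; use JSON plus schema validation."""
    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_blocks(data: bytes) -> bool:
    """True when the restricted loader refuses the blob."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The same shape recurs across the platforms listed above: Java's `ObjectInputStream` resolving classes from the stream, .NET's `TypeNameHandling.All`, PHP's `unserialize` dispatching to `__wakeup`. In every case the blob chooses what code runs, and the fix is the same: an allowlist at the point of resolution, or a format that cannot name code at all.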
Race Conditions
Race conditions, particularly the "limit overrun" subclass, are chronically underreported by automated tools because they require concurrent request timing that scanners do not perform. We use HTTP/2 single-packet attacks (as documented in PortSwigger's research) to reliably reduce network jitter and achieve the precise timing windows required to trigger these vulnerabilities at scale.
Common exploitable scenarios we test: redeeming a gift card or discount code multiple times in a single window, exceeding API rate limits that rely on read-then-write patterns, double-spending wallet balances, racing password reset token generation, and multi-step workflow abuse where concurrent submissions cause inconsistent state. We also test for TOCTOU (time-of-check/time-of-use) vulnerabilities in file operations and authorisation checks.
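The limit-overrun pattern is easiest to see in code. The following is an added example (not CSPI code): a gift-card redemption written as a read-then-write, beside the atomic version. A `threading.Barrier` forces both workers past the balance check before either writes, which is exactly the role the HTTP/2 single-packet attack plays over the network: landing two requests inside the same window. The store, balances and amounts are constructed for the demo.

```python
"""Added example (not CSPI code): the limit-overrun race on a gift-card redemption.
A Barrier makes the interleaving deterministic, standing in for the single-packet
attack's job of landing concurrent requests in one window.  Store, balances and
amounts are constructed."""
import threading
from typing import Callable, List, Optional, Tuple


class GiftCardStore:
    """Constructed stand-in for one row of a cards table."""
    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.lock = threading.Lock()


def redeem_vulnerable(store: GiftCardStore, amount: int,
                      gate: Optional[threading.Barrier]) -> bool:
    """VULNERABLE read-then-write: SELECT balance; if enough, UPDATE balance - amount.
    Nothing stops two requests from both passing the SELECT on the same balance."""
    if store.balance < amount:
        return False
    if gate is not None:
        gate.wait()                    # both requests are now past the check
    store.balance -= amount
    return True


def redeem_atomic(store: GiftCardStore, amount: int,
                  gate: Optional[threading.Barrier]) -> bool:
    """HARDENED: check and write are one indivisible step.  The SQL equivalent is
    UPDATE cards SET balance = balance - ? WHERE id = ? AND balance >= ?
    with rowcount == 0 treated as 'insufficient funds'."""
    if gate is not None:
        gate.wait()                    # requests arrive together, then serialise here
    with store.lock:
        if store.balance < amount:
            return False
        store.balance -= amount
        return True


def run_concurrent(redeem: Callable[..., bool], balance: int, amount: int,
                   workers: int = 2) -> Tuple[int, int]:
    """Fire `workers` simultaneous redemptions of `amount` at a card holding `balance`.
    Returns (successful_redemptions, final_balance)."""
    store = GiftCardStore(balance)
    gate = threading.Barrier(workers)
    results: List[bool] = [False] * workers

    def worker(i: int) -> None:
        results[i] = redeem(store, amount, gate)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True), store.balance
```

During testing, the observable is the same as in this demo: send N concurrent redemptions of a code that should work once and count the 200s. A rate limiter implemented as "read counter, compare, increment" fails the identical way and is tested identically.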
File Upload Vulnerabilities
File upload functionality is one of the most commonly misconfigured features in web applications and one of the most direct paths to remote code execution. We test every upload endpoint for weaknesses in content-type validation, extension filtering, MIME type checking, and file content inspection.
Our testing covers: web shell upload via extension bypass techniques (double extensions, null bytes, polyglot files), bypassing client-side and server-side content-type checks, path traversal via filename manipulation to write files to unintended locations, stored XSS via SVG and HTML file uploads, XXE via office document uploads, and SSRF triggered through file processing pipelines (PDF generators, image libraries, document converters). We also verify that uploaded files are stored outside the webroot and served from isolated domains where appropriate.
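The extension-bypass techniques listed above each defeat a specific, common filter shape. The following is an added example (not CSPI code): three such filters with the filenames that slip past each, beside a hardened store that trusts neither the client's filename nor its Content-Type, checks every suffix, matches the declared type against the file's magic bytes, and names the stored file itself. The PNG and JPEG headers, the storage directory and the allowlist are constructed for the demo.

```python
"""Added example (not CSPI code): three weak upload filters and their bypasses, beside
a hardened store.  Magic-byte samples, the upload directory and ALLOWED_EXT are
constructed for the demo."""
import pathlib
import re
import secrets
from typing import Optional, Tuple

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# First bytes of each allowed format; type comes from content, not from the name.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Constructed: a PNG signature plus an IHDR chunk header, not a complete image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17


def filter_first_extension(filename: str) -> bool:
    """VULNERABLE: checks the first extension.  'shell.jpg.php' passes."""
    parts = filename.split(".")
    return len(parts) > 1 and "." + parts[1].lower() in ALLOWED_EXT


def filter_endswith(filename: str) -> bool:
    """VULNERABLE: checks only the tail.  'shell.php.jpg' passes (fatal where the
    server maps .php anywhere in the name); 'shell.php\\x00.jpg' passes and is
    written as shell.php on stacks that truncate at NUL."""
    return filename.lower().endswith(tuple(ALLOWED_EXT))


def filter_substring(filename: str) -> bool:
    """VULNERABLE: 'contains an allowed extension'.  'shell.png.phtml' passes."""
    return any(ext in filename.lower() for ext in ALLOWED_EXT)


def sniff(content: bytes) -> Optional[str]:
    for magic, ext in MAGIC.items():
        if content.startswith(magic):
            return ext
    return None


def store_upload(client_filename: str, content: bytes,
                 upload_dir: str = "/srv/uploads") -> Tuple[bool, str]:
    """HARDENED.  Returns (accepted, stored_path_or_reason).
    - reject control characters, NUL and path separators in the client name;
    - every suffix, not just the last, must be on the allowlist;
    - the declared extension must agree with the content's magic bytes;
    - the stored name is random, so the client never chooses it."""
    if re.search(r"[\x00-\x1f/\\]", client_filename):
        return False, "rejected: control character or path separator in filename"
    suffixes = [s.lower() for s in pathlib.PurePosixPath(client_filename).suffixes]
    if not suffixes or any(s not in ALLOWED_EXT for s in suffixes):
        return False, f"rejected: disallowed extension chain {suffixes}"
    declared = ".jpg" if suffixes[-1] == ".jpeg" else suffixes[-1]
    actual = sniff(content)
    if actual is None or actual != declared:
        return False, f"rejected: content is {actual}, name says {declared}"
    stored = f"{secrets.token_hex(16)}{actual}"
    return True, str(pathlib.PurePosixPath(upload_dir) / stored)
```

Magic-byte matching stops the plain web shell and the SVG/HTML stored-XSS cases, but not a polyglot that is both a valid image and a valid script, so the storage controls in the paragraph above still matter: serve uploads from a separate origin, with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, and never from a directory the application server will execute.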
Our Methodology
Every web application engagement follows a structured, attacker-aligned methodology designed to maximise coverage while delivering actionable findings. No two applications are identical, so we adapt our approach to your technology stack, authentication model, and risk profile.
RECON
Reconnaissance
Passive and active information gathering: technology fingerprinting, JavaScript source analysis, subdomain enumeration, API endpoint discovery via JS files and Wayback Machine, cloud asset identification, and open-source intelligence on your application's architecture and third-party integrations.
MAP
Attack Surface Mapping
Systematic crawling and manual browsing to map every endpoint, parameter, and data flow. We document all authentication entry points, session mechanisms, privilege tiers, and trust boundaries. API schemas are extracted and analysed. Business logic is understood before testing begins.
TEST
Vulnerability Testing
Methodical manual testing of every attack surface, prioritised by risk and impact. We work through each vulnerability class with purpose-built payloads, Burp Suite Pro extensions, and custom scripts. Every test is designed to answer: "Can this be exploited, and what is the real-world impact?"
EXPLOIT
Exploitation & Chaining
Where vulnerabilities exist, we exploit them to demonstrate maximum achievable impact. We chain low-severity findings into critical attack paths where possible, a stored XSS plus a CSRF bypass plus an admin endpoint equals account takeover, and that story matters for prioritisation. Every critical and high finding includes a working proof-of-concept.
REPORT
Reporting & Remediation
A detailed technical report is delivered within five business days of assessment completion. Every finding includes: severity rating (CVSS v3.1 score), clear technical description, reproduction steps, business impact narrative, and specific remediation guidance. A separate executive summary provides board-level risk context. We include a complimentary remediation review call to walk your development team through findings.
Standards & References
Our web application security testing methodology is grounded in recognised industry frameworks. All findings are mapped to relevant standards to support your compliance and risk management programmes.
OWASP Top 10
The industry-standard awareness document for the most critical web application security risks. Our assessments test every category in the current edition with manual techniques that go well beyond automated scanning.
owasp.org/www-project-top-10/
OWASP Web Security Testing Guide (WSTG)
The comprehensive technical testing guide produced by OWASP. Our methodology maps directly to the WSTG test cases, providing full traceability from findings to testing procedures for your audit trail.
owasp.org/www-project-web-security-testing-guide/
OWASP API Security Top 10
The definitive risk reference for API-specific vulnerabilities including BOLA, broken authentication, excessive data exposure, and lack of resource and rate limiting. All API testing is conducted against this framework.
owasp.org/API-Security/
CWE / SANS Top 25 Most Dangerous Software Weaknesses
Published by MITRE, the CWE/SANS Top 25 catalogues the software weaknesses that most frequently lead to exploitable vulnerabilities. All findings in our reports include the relevant CWE identifier for developer remediation context.
cwe.mitre.org/top25/
NIST SP 800-95, Guide to Secure Web Services
NIST Special Publication 800-95 provides guidance on securing web services, including XML-based services, SOAP, and REST. We reference this document for organisations operating under NIST CSF or FedRAMP-adjacent compliance requirements.
csrc.nist.gov/publications/detail/sp/800-95/final
Frequently Asked Questions
What does a typical web application penetration test cover?
OWASP Top 10 categories at minimum, but the engagements where we find the most material risk go further: business logic flaws, multi-step authorisation gaps, federated identity edge cases, API contracts the UI does not exercise, and integration boundaries between the application and its dependencies. We use authenticated and unauthenticated identities at multiple privilege tiers and replay operations across tenant boundaries.
How do you handle authenticated testing and credentials?
Customers provision low-privilege test accounts in their staging environment matching the identity tiers agreed during scoping. We use those accounts to enumerate function-level and object-level authorisation gaps. Where the application supports SSO, we test both federated and local identity paths. Credentials are stored in an engagement-specific vault and destroyed at the end of the engagement.
Do you test APIs as part of a web application engagement?
Yes. APIs are included in every web application engagement and can also be scoped as a standalone API security assessment. Coverage includes the documented API surface, intercepted SPA and mobile traffic, GraphQL schema and resolvers where applicable, and undocumented or legacy versions still routed by the gateway.
How long does a web application penetration test take?
Two weeks of testing time is typical for a contained single-application engagement with 30 to 80 endpoints and two identity tiers. Large multi-tenant applications with complex federated identity and many API surfaces usually need three to five weeks. The variable is identity complexity and number of state transitions, not page count.
How is the report structured?
Three layers: an executive summary mapped to business impact, a technical findings report with reproduction steps for every issue, and a private working document with raw request and response captures so engineering teams can reproduce findings without re-engaging the testers. Findings carry CVSS scoring, OWASP mapping, and compliance-framework references (PCI DSS, SOC 2, PIPEDA) where relevant.
Do you provide remediation re-testing?
Yes. Every engagement includes a remediation re-test within 60 days of the original report. We re-test each finding marked as closed by the customer and update the report. For complex remediation programs we work directly with engineering teams during fix design rather than waiting for a formal re-test pass.
Extend Your Coverage
Web application security does not exist in isolation. Pair this service with complementary assessments to achieve comprehensive enterprise security coverage.
Get a Free Web Application Security Consultation
Discuss your application architecture, define the right scope, and understand what a professional web application penetration test will uncover in your environment. No commitment required, just a direct conversation with a senior security consultant.
Book Your Free Consultation →

Related reading
- API Security Testing Beyond OWASP Top 10
- OAuth 2.0 Security Flaws & Token Leakage
- Deserialization Attacks in Modern Frameworks
- SSRF to Cloud Metadata Exploitation
- LLM Prompt Injection in Production Apps
- Hardcoded Secrets: Find, Rotate & Prevent
- What Is Penetration Testing? Complete Guide
- Penetration Testing Cost in Canada
Web Application Pentest vs Vulnerability Scan vs SAST vs DAST
Buyers often ask how a manual web application penetration test differs from automated scanning, static analysis (SAST), and dynamic application scanning (DAST). The honest comparison:
| Capability | Web App Pentest | Vulnerability Scan | SAST | DAST |
|---|---|---|---|---|
| Business logic flaws | Yes (core focus) | No | Limited | No |
| Authentication bypass chains | Yes | No | No | Limited |
| OAuth / SAML / JWT attacks | Yes | No | No | Limited |
| Multi-step exploitation chains | Yes | No | No | No |
| Race conditions (HTTP/2 single-packet) | Yes | No | No | No |
| Working proof-of-concept exploits | Yes | No | No | No |
| Coverage of API contracts (REST/GraphQL/gRPC) | Yes | Limited | No | Limited |
| Detection of OWASP Top 10 (A01-A10) | Yes (all) | Limited (A03, A06) | Limited (A03) | Limited (A01, A03, A07) |
| Typical engagement time | 2-4 weeks | Hours | Continuous | Hours-days |
| Cost (CAD, 2026 typical) | $15K-$50K | $1K-$8K/year | $5K-$30K/year | $3K-$15K/year |
| Audit value (SOC 2, PCI, ISO) | High, primary evidence | Supporting only | Supporting only | Supporting only |
Web Application Security Findings From Representative Engagement Patterns
Recurring findings across web application engagements, the categories automated scanners miss.
of web application engagements identify exploitable business logic flaws that automated DAST scanners cannot detect, including payment workflow bypasses, multi-step authorisation gaps, and federated identity edge cases.
of REST and GraphQL API surfaces tested expose at least one Broken Object Level Authorization (BOLA / IDOR) vulnerability when probed across tenant boundaries.
of OAuth 2.0 and OIDC integrations tested expose at least one exploitable misconfiguration, open redirect on authorisation endpoint, scope escalation, or JWT algorithm confusion.
Statistics reflect representative findings across CSPI penetration testing engagements for Canadian enterprises, aligned with published industry benchmarks (OSFI Cyber Self-Assessment 2023, IPC Ontario annual breach reports, Verizon DBIR 2024, M-Trends 2024). Percentages do not constitute disclosure of specific client engagement data. Numbers represent midpoint of documented industry ranges for each finding category.
Prefer email? Send a scoping request and we will respond with next steps.