Updated: 2026-01-26


Web Application Penetration Testing

Pentest for Web Apps & APIs – Auth, Business Logic, OWASP & API Security

A Web Application Pentest assesses web applications and APIs for real-world attack vectors — focusing on authentication, authorization, business logic, and common web/API risks (OWASP).

The goal is not “scan output”, but answering one key question:

Which vulnerabilities are actually exploitable — and what’s the fastest way to fix them?

Recommended before go-live or major releases, when external requirements call for it (e.g. customers, audits, security questionnaires), or whenever your application is internet-facing.

Business Logic Focus

Abuse scenarios & logic flaws — where scanners usually fail.

Auth & Roles

Sessions, 2FA, RBAC/ABAC, token flows, access control testing.

Fix-first Priorities

Reproduction + concrete remediation guidance so dev teams can ship fast.


What is a Web Application Pentest?

A web application pentest combines manual testing with targeted verification of automated findings. The goal is to uncover exploitable vulnerabilities and prove them clearly — including attack paths and impact.

Typical attacks (depending on scope):

  • Broken Access Control (IDOR, role/permission issues)
  • Authentication/session issues (tokens, cookies, SSO)
  • Injection (SQL/NoSQL/Command/Template)
  • XSS, CSRF, SSRF
  • API security (BOLA, Mass Assignment, Rate Limits)
  • File upload / deserialization (if relevant)
  • Business logic abuse (e.g. price/discount/workflow manipulation)

Is this relevant for you?

Typical triggers

  • Go-live / launch of a web app or API
  • Major release (auth, payments, role model, admin area)
  • Internet-facing application with sensitive data
  • Enterprise customers require pentest evidence
  • Compliance / security questionnaires / audits
  • Security incident or bug bounty findings

Common risks

  • IDOR / broken access control (most common real-world failure)
  • Token/session issues (fixation, leakage, weak rotation)
  • SSRF → cloud metadata / internal networks
  • Rate limiting / abuse (credential stuffing, enumeration)
  • Business logic (discounts, limits, state changes, privilege paths)


Typical Scope

Auth & Session
  • Login, registration, password reset
  • Sessions/cookies, token flows (JWT/OAuth)
  • 2FA / MFA (if in scope)
  • SSO/identity provider (optional)
Authorization (Access Control)
  • Role logic (RBAC/ABAC)
  • IDOR / object references
  • Admin functions & privilege escalation
  • Multi-tenant isolation
Business Logic
  • Workflow manipulation (state, limits, approvals)
  • Price/discount/checkout abuse
  • Race conditions (e.g. duplicate transactions)
  • Abuse scenarios (scraping, enumeration, fraud)
OWASP & API Security
  • Injection, XSS, SSRF, CSRF
  • Security headers, CORS, Content Security Policy (CSP)
  • API: BOLA, mass assignment, rate limits
  • Upload/deserialization (if relevant)

Web Pentest vs Vulnerability Scan

Scans are useful — but they don’t replace a pentest.

Web Application Pentest                 | Vulnerability Scan
Manual testing & business logic abuse   | Automated detection
Proof: exploitable + impact             | Indicators / potential vulnerabilities
Prioritized by exploitability           | Prioritized by rules/CVSS
Concrete remediation guidance           | Tool output (often without context)

Process

1) Scope – URLs, APIs, roles, goals, out-of-scope
2) Setup – Test accounts, staging/prod rules, time windows
3) Mapping – Attack surface, endpoints, flows
4) Testing – Auth, access control, logic, OWASP, API
5) Report – Findings, priorities, remediation
6) Debrief – Walkthrough, Q&A, action plan

Typical duration: 3–10 business days (depending on number of apps, role model, API scope, and business logic).


Deliverables

Executive Summary

Risk overview for decision-makers, prioritized top risks.

Technical Report

Reproduction steps, screenshots, PoCs (where appropriate), clear evidence.

Attack Paths

How an attacker moves from A to B – including impact.

Remediation Guidance

Concrete recommendations, often with code/config references.

Optional: Retest / Verification

Verification of fixes — useful for enterprise customers or compliance requirements.


Typical Costs

Small – 1 app, few roles, limited APIs: €5,000–10,000
Medium – multiple flows, admin area, broader APIs: €10,000–20,000
Complex – multi-tenant, many roles, critical logic: from €20,000

What affects effort?
  • Number of apps/URLs/endpoints
  • Role model & auth variants (SSO/OAuth/2FA)
  • Business logic complexity (payments, workflows, limits)
  • Staging vs production (monitoring, rules, test windows)
  • Retest / verification

Preparation & Access

Required
  • URL list (web app, admin, API base URLs)
  • Test accounts per role (at least one each)
  • Auth details (SSO/OAuth/2FA) & flows
  • Test windows / rules (staging preferred, prod possible)
Operational Safety
  • No DoS testing by default
  • Alignment on sensitive functions (payments, emails, exports)
  • Logging/monitoring during production tests
  • Emergency stop & escalation contacts

FAQ

Do you also test APIs?

Yes. APIs are typically included if in scope. We test access control (BOLA), rate limits, mass assignment, and token flows.

Is an OWASP scan enough?

No. Scans provide indicators, but business logic and real exploit paths require manual testing and verification.

Do you need a staging environment?

Staging is recommended. Production is possible if rules, monitoring, and abort procedures are clearly defined.

How many test accounts are required?

At least one account per role, ideally with realistic permissions and separate accounts for admin, support, and standard users.

What about 2FA/MFA?

2FA can be tested, typically via an agreed test setup (e.g. test devices, temporary exceptions, or backup codes).
