
Web Application Penetration Testing

Manual penetration testing of web applications (SPAs, server-rendered apps, auth flows) using OWASP methodology. For CTOs and engineering leads who need evidence-based findings and clear remediation before a release or audit. Suitable for SaaS and fintech product teams.

Pricing: €4,000 – €12,000

Service overview

  • Manual, human-led testing of web applications against OWASP Top 10 and common attack patterns.
  • For CTOs, engineering leads, and product teams at SaaS and fintech companies preparing for launch, audit, or customer due diligence.
  • Solves: unknown vulnerabilities in auth, access control, and input handling; need for evidence-based findings and prioritised remediation.

Typical security risks discovered

  • Broken access control: insecure direct object references (IDOR), horizontal privilege escalation (reading or changing another user's resources), vertical privilege escalation (reaching admin-only functions).
  • Injection: SQL, NoSQL, command, LDAP, or template injection leading to data loss or system compromise.
  • Broken authentication: session fixation, weak credential policies, missing MFA, predictable session tokens.
  • Sensitive data exposure: unencrypted data in transit or at rest, weak TLS, or data in client-side storage.
  • Security misconfiguration: default credentials, verbose errors, unnecessary features or endpoints enabled.
  • Insufficient logging and monitoring: missing audit trails for auth and access, no alerting on anomalies.
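To make the first item concrete, here is an added illustration of an IDOR finding and its fix. It is example code written for this page, not code from the service provider or from any client engagement. It assumes a hypothetical invoice endpoint modelled as a plain function `(user, invoice_id) -> (status, body)` over an in-memory store; the sample users and invoices are constructed. The `cross_account_reads` helper is the kind of check a tester runs: authenticate as one customer, enumerate identifiers, and record every record that comes back without belonging to that account.

```python
"""IDOR (broken access control): vulnerable handler, fixed handler, and the
tester's check. Constructed example for illustration; the data model and
handler signature are assumptions, not a real application's API."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin" (constructed roles)


# Constructed sample data: two customers, one invoice each.
INVOICES: Dict[int, dict] = {
    1001: {"owner_id": 1, "amount": 120.0},
    1002: {"owner_id": 2, "amount": 980.0},
}

Response = Tuple[int, Optional[dict]]
Handler = Callable[[User, int], Response]


def get_invoice_vulnerable(user: User, invoice_id: int) -> Response:
    """Authentication happened upstream, but no authorization check follows:
    any logged-in user can fetch any invoice by guessing or incrementing the id."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_fixed(user: User, invoice_id: int) -> Response:
    """Ownership is enforced server-side on every request. Admins may read any
    invoice; everyone else only their own. A record that exists but belongs to
    someone else gets the same 404 as a missing record, so the endpoint does not
    become an oracle for which ids are valid."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    if user.role != "admin" and inv["owner_id"] != user.id:
        return 404, None
    return 200, inv


def cross_account_reads(handler: Handler, probe: User, ids: Iterable[int]) -> List[int]:
    """Tester's check for horizontal privilege escalation: call the handler as
    `probe` over a range of ids and return every id that is readable yet owned
    by a different account. An empty list means no IDOR for this endpoint."""
    leaked: List[int] = []
    if probe.role == "admin":
        return leaked  # admin is allowed to read everything; nothing to report
    for iid in ids:
        status, body = handler(probe, iid)
        if status == 200 and body is not None and body["owner_id"] != probe.id:
            leaked.append(iid)
    return leaked


if __name__ == "__main__":
    attacker = User(id=2, role="customer")
    probe_ids = range(1000, 1005)
    print("vulnerable:", cross_account_reads(get_invoice_vulnerable, attacker, probe_ids))
    print("fixed:     ", cross_account_reads(get_invoice_fixed, attacker, probe_ids))
```

In a report this is reproduced as two requests: the same `GET /invoices/1001` with customer 2's session, first returning customer 1's invoice (finding) and after the fix returning 404 (remediation verified). The check scales from two accounts to every role in scope by re-running `cross_account_reads` per role.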

Assessment scope

  • Authentication and session management (login, logout, password reset, MFA, session handling).
  • Authorization and access controls (role checks, resource ownership, API and UI access).
  • Input validation and injection (all user-controlled inputs, file upload, headers).
  • Business logic (workflows, rate limits, quotas, payment or state transitions).
  • Sensitive data handling (PII, secrets, tokens in responses and storage).
  • Configuration and deployment (headers, TLS, error messages, debug modes).

Deliverables

  • Executive summary with risk overview and business impact.
  • Technical report with findings, CVSS or equivalent severity, steps to reproduce, and evidence.
  • Proof-of-concept or minimal exploit for critical and high findings where useful.
  • Remediation guidance with concrete steps and references (e.g. OWASP, CWE).
  • Optional re-test after fixes to confirm remediation.

Expected outcomes

  • A clear list of vulnerabilities with severity and business context, not just tool output.
  • Actionable remediation so engineering can prioritize and fix.
  • Reduced risk of breach or compliance findings; evidence of due diligence for audits or customers.
  • Optional re-test to validate that critical and high issues are resolved.

Support my work

If my articles, case studies, or security resources helped you, you can support my work. Your support helps me maintain free content and keep publishing practical security guides.

Revolut

Quick support in seconds.

Bank transfer (EUR)

If you prefer a traditional bank transfer, request the IBAN and bank details via the contact form.

Support is optional. For consulting or security work, please use the Services or Contact pages.