Web Application Penetration Testing

Expert web app penetration testing performed by certified penetration testers.

What is Web Application Penetration Testing?

Web application penetration testing is a point-in-time security assessment of a web application and the web server that hosts it. The assessment is a consultant-led manual security test that identifies security issues across all core application functionality (detailed below). The report provides clear remediation instructions for each discovered issue so that your team can fix it.


Web Application Penetration Testing Summary:

  • Carefully scoped assessment
  • Methodology is based on the OWASP testing framework
  • File upload testing
  • Multi-level authentication testing
  • Manual security assessment that leverages best-in-industry automated tools
  • Immediate notification of critical vulnerabilities
  • Severity ordered report
  • Clear easy to understand reports

Aptive’s Web Application Penetration Testing Services

Our internal web application penetration testing methodology is based on the OWASP Testing Guide (Open Web Application Security Project), covering all areas of the OWASP Top 10. Our methodology also draws on the Open Source Security Testing Methodology Manual (OSSTMM) and the Penetration Testing Execution Standard (PTES). Our full web app penetration testing methodology is available on request.

Web App Security Testing FAQ

Type: Web Application
Starting price: £2,000
Description: Price for a manual web application penetration test of a single web application consisting of fewer than 100 static/dynamic pages and 3 levels of authentication. The web app security test includes file upload testing and all areas of the OWASP testing methodology.

Type: Web Application 2
Starting price: £3,000
Description: Price for a manual web application penetration test of a single web application consisting of fewer than 200 static/dynamic pages and 5 levels of authentication. The web app security test includes file upload testing and all areas of the OWASP testing methodology.

Web application penetration testing typically takes a week for a smaller web application of the following specification:
  • Single Authentication System
  • 3 Account (ACL) Access Testing
  • File Upload Testing
  • Fewer than 100 pages
OWASP penetration testing refers to web application penetration testing that follows the OWASP web application testing methodology (the OWASP Testing Guide).
The OWASP organisation (Open Web Application Security Project) is an online community which creates freely available articles, methodologies, documentation, tools and technologies in the field of web application security.

The OWASP Top 10 (2013 edition, which the categories below follow) are listed below:

  • A1    Injection
  • A2    Broken Authentication and Session Management
  • A3    Cross-Site Scripting (XSS)
  • A4    Insecure Direct Object References
  • A5    Security Misconfiguration
  • A6    Sensitive Data Exposure
  • A7    Missing Function Level Access Control
  • A8    Cross-Site Request Forgery (CSRF)
  • A9    Using Components with Known Vulnerabilities
  • A10    Unvalidated Redirects and Forwards

In short, the OWASP Top 10 represents the ten most critical web application security risks.

OWASP penetration testing typically refers to a web application penetration test that uses a methodology based on the OWASP Testing Guide, which is widely regarded as an industry-accepted web application security testing methodology.
By our definition, website penetration testing is the same service as web application penetration testing. Almost all modern websites are web applications: they perform functions and render dynamic pages, typically from back-end databases. A CMS such as WordPress, Joomla or Drupal is a good example of a web application, as are in-house web applications built from scratch or with open-source frameworks and libraries.
Web application penetration testing is a service which is referred to by a number of different names, listed below:
  • Web App Penetration Testing
  • Web App Pentesting
  • Web App Pen Testing
  • Web Application Security Testing
  • Web App Security Assessment
  • Website Penetration Testing
  • Web Penetration Testing
  • Website Pen Testing
After the scoping process, a security consultant assesses the web application for security issues and delivers a final report with clear remediation instructions for each issue found. After the client has completed the remediation work, Aptive conducts a free retest to confirm that the previously reported security issues are resolved.
The assessment is not a full source code audit / code review. In the interest of optimising testing time and identifying as many security issues as possible, clients have the option to make the web application source code available to the tester.
Web application penetration testing is a grey box penetration test, a combination of white and black box testing: some knowledge of the environment and test accounts are provided to assist the testing process, and the assessment is typically conducted from the perspective of an application user.
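The multi-level (ACL) access testing described above, as an added example that is not Aptive's code: with the test accounts provided for a grey box test, the tester exercises every endpoint with every account and compares the result with an expected access matrix agreed at scoping. The application below is constructed purely so the example runs offline (made-up sessions tok-admin, tok-user1 and tok-user2, endpoints /profile, /records/<id> and /admin/users, and two deliberately planted flaws); the harness then finds the classic vertical case (a normal user reaching an admin-only function, OWASP A7) and the horizontal case (a user reading another user's record by changing the id, A4).

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed test data (not a real application): three sessions at two
# privilege levels; the unauthenticated case is represented by None below.
SESSIONS = {
    "tok-admin": ("alice", "admin"),
    "tok-user1": ("bob", "user"),
    "tok-user2": ("carol", "user"),
}
RECORDS = {"bob": {"id": 1, "ssn": "bob-secret"}, "carol": {"id": 2, "ssn": "carol-secret"}}
OWNER_BY_ID = {1: "bob", 2: "carol"}


class VulnerableApp(BaseHTTPRequestHandler):
    """Toy application with two deliberate authorisation flaws (see comments)."""

    def _session(self):
        token = self.headers.get("Cookie", "").replace("session=", "", 1).strip()
        return SESSIONS.get(token)

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        sess = self._session()
        if sess is None:
            return self._reply(401, {"error": "login required"})
        if self.path == "/profile":
            return self._reply(200, {"user": sess[0]})
        if self.path.startswith("/records/"):
            owner = OWNER_BY_ID.get(int(self.path.rsplit("/", 1)[1]))
            if owner is None:
                return self._reply(404, {"error": "no such record"})
            # FLAW (IDOR, A4): the record owner is never compared with sess[0].
            return self._reply(200, RECORDS[owner])
        if self.path == "/admin/users":
            # FLAW (missing function level access control, A7): any logged-in
            # user passes; the role in sess[1] is never checked.
            return self._reply(200, {"users": sorted(RECORDS)})
        self._reply(404, {"error": "not found"})

    def log_message(self, *args):  # silence request logging
        pass


# Expected access matrix: endpoint -> sessions that SHOULD receive 200.
# Every other (endpoint, session) pair should be denied with 401 or 403.
EXPECTED = {
    "/profile": {"tok-admin", "tok-user1", "tok-user2"},
    "/records/1": {"tok-admin", "tok-user1"},  # bob's record
    "/records/2": {"tok-admin", "tok-user2"},  # carol's record
    "/admin/users": {"tok-admin"},
}
ALL_SESSIONS = [None, "tok-admin", "tok-user1", "tok-user2"]  # None = no cookie
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env


def fetch(base, path, token=None):
    """Issue one GET with the given session cookie and return the HTTP status."""
    req = urllib.request.Request(base + path)
    if token:
        req.add_header("Cookie", "session=" + token)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_acl_matrix(base):
    """Exercise every endpoint with every session; return deviations from
    EXPECTED as (endpoint, session, observed_status). An unexpected 200 is an
    access control finding (vertical or horizontal); an unexpected denial is
    also returned because it usually means a stale account or a wrong matrix."""
    findings = []
    for path, allowed in EXPECTED.items():
        for token in ALL_SESSIONS:
            status = fetch(base, path, token)
            if (status == 200) != (token in allowed):
                findings.append((path, token or "anon", status))
    return findings


def start_app():
    """Start the toy application on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), VulnerableApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    server, base_url = start_app()
    for finding in run_acl_matrix(base_url):
        print("FINDING: %s reachable by %s (HTTP %d)" % finding)
    server.shutdown()
```

On a real engagement the same harness is pointed at the target with the client-supplied test accounts, and the matrix is built from the application's roles during scoping; each extra privilege level multiplies the number of pairs to check, which is why the price bands above are tied to the number of authentication levels.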


Why use Aptive for Penetration Testing

CREST Registered Testers

Penetration testing performed by CREST registered penetration testers.

OWASP Members

All our testers are members of OWASP.

OWASP Testing Methodology

Aptive performs penetration testing based on the OWASP testing methodology.

Easy to Understand Reports

Discovered security issues in severity order with remediation instructions.

Fixed Price Proposals

Transparent costs and fixed price proposals, giving you peace of mind.

Custom Penetration Testing

Custom Penetration Testing tailored to your business requirements.

  1. Scoping
    Working with you to identify all systems / applications that need testing.

  2. Web App Penetration Testing
    Hands-on penetration testing is completed by our CREST accredited team, using a wide range of attack techniques.

  3. Reporting
    Delivering a clear easy to understand severity ordered report, detailing identified issues and associated remediation steps.

  4. Debrief
    Further explanation and demonstrations of vulnerabilities / exploits.

  5. Re-testing
    Free re-testing is included with all our services, helping your business reduce security risks.

Why perform Web Application Penetration Testing?

Real-world attack simulation

Simulate a real-world attack and understand the level of risk that exists at a single moment in time.

Confirm Findings

Complement your automated scanning to better identify and validate all security vulnerabilities.

Management Understanding

Provide management with an understanding of the level of risk introduced by the web application.

Plan Mitigation

Plan a cost-effective and targeted mitigation approach for the identified security issues.

Regulatory Requirements

Various standards such as ISO 27001 and PCI DSS require or call for penetration testing.

Information Security Strategy

Create a foundation for future decisions regarding information security strategy and resource allocation.



Sources: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents