Pentest Web
Your web apps and APIs carry business logic that an automated scanner cannot probe.
We test your web applications and APIs the way an attacker would: injections, access control, authentication, data exposure. Every exploitable flaw is demonstrated with concrete proof, then prioritised by its real impact on your business. You leave with a clear remediation plan, not a raw list of alerts.
France Cybersecurity Label
The web attack surface
A web application is a living surface, not a fixed perimeter
Every endpoint, parameter, API call and user role widens the surface an attacker can probe. Modern frameworks do not secure business logic for you: a missing access check, a tamperable identifier or a bypassable workflow stays invisible to automated tools. Our penetration test draws on the OWASP Top 10, ASVS and WSTG without being limited to them: we reason as attackers to expose the chains of flaws that lead to a real compromise.
What we test
Four families of flaws, tested by hand
Injections and server-side execution
SQL and NoSQL injection, command injection, template injection (SSTI), SSRF and unsafe deserialisation. We look for the points where user input reaches an interpreter, a query or an internal network call without sufficient validation.
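The injection pattern described above, as an added illustration that is not code from the original page: a lookup that splices user input into the SQL text beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table. The `users` table, the sample rows and the two payloads are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: the second column is what an attacker would want to pull out.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'alice', 'hash-alice'), (2, 'bob', 'hash-bob');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_user_vulnerable(conn, username):
    # Vulnerable: the value is pasted into the statement, so it reaches the
    # SQL interpreter as code rather than as data.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # Hardened: the statement is fixed and the value travels separately as a
    # bound parameter; quotes in the input never change the query's shape.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads (assumed for the example): a tautology that widens the
# WHERE clause, and a UNION that reads another column out of the same table.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT id, password_hash FROM users --"


def demo():
    """Run both lookups with benign and hostile input and return the rows."""
    conn = make_db()
    return {
        "vuln_normal": lookup_user_vulnerable(conn, "alice"),
        "vuln_tautology": lookup_user_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "vuln_union": lookup_user_vulnerable(conn, PAYLOAD_UNION),
        "safe_tautology": lookup_user_safe(conn, PAYLOAD_TAUTOLOGY),
        "safe_union": lookup_user_safe(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tautology payload makes the vulnerable lookup return every row; the UNION payload makes it return the hash column under the `username` label, which is the kind of concrete proof a report attaches to a finding. Both payloads return nothing from the parameterised version.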
Access control and business logic
IDOR/BOLA, horizontal and vertical privilege escalation, workflow bypass. We verify that every object and every action is tied to the authorised user, rather than loaded by identifier with no ownership check.
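The ownership check described above, as an added example that is not code from the original page: an invoice endpoint that loads by identifier with no ownership check beside one that ties the object and the action to the caller, plus the two-account probe a tester runs to tell them apart. The `User`/`Invoice` types, the sample invoices and the admin-only refund action are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (assumed role model)


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed sample data: invoice 102 belongs to a different user than 101.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=50),
    102: Invoice(102, owner_id=2, amount=999),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(current_user, invoice_id):
    # IDOR/BOLA: the object is fetched by identifier alone; the caller's
    # identity is never consulted, so any authenticated user can read any invoice.
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_safe(current_user, invoice_id):
    # Ownership is part of the lookup. A missing and a non-owned invoice both
    # raise the same error so the response does not confirm which ids exist.
    inv = INVOICES.get(invoice_id)
    if inv is None or (current_user.role != "admin" and inv.owner_id != current_user.id):
        raise Forbidden(invoice_id)
    return inv


def refund_invoice_vulnerable(current_user, invoice_id):
    # Vertical escalation: an admin-only action guarded only by "is logged in".
    inv = get_invoice_vulnerable(current_user, invoice_id)
    return f"refunded {inv.id}"


def refund_invoice_safe(current_user, invoice_id):
    # The action is tied to the role, and the object lookup to the caller.
    if current_user.role != "admin":
        raise Forbidden("refund requires admin")
    inv = get_invoice_safe(current_user, invoice_id)
    return f"refunded {inv.id}"


def accessible_ids(handler, current_user, candidate_ids):
    """Tester's probe: which of the candidate ids does this account get back?

    Run with two ordinary accounts; any id that both can read is a horizontal
    IDOR, and any id a plain user can read that only an admin should see is vertical.
    """
    hits = []
    for invoice_id in candidate_ids:
        try:
            handler(current_user, invoice_id)
            hits.append(invoice_id)
        except (NotFound, Forbidden):
            pass
    return hits


if __name__ == "__main__":
    alice = User(1, "user")
    print("vulnerable:", accessible_ids(get_invoice_vulnerable, alice, [101, 102, 103]))
    print("safe:", accessible_ids(get_invoice_safe, alice, [101, 102, 103]))
```

Against the vulnerable handler the probe with Alice's account returns both invoices; against the hardened one it returns only hers. The same probe with the refund handlers shows the role check missing from the first version.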
Authentication and session management
Password policy weaknesses, JWT handling, OAuth/OIDC and SSO flows, bypassable MFA. We probe sign-up, login, password reset and session lifetime to surface account takeover paths.
APIs, XSS and data exposure
REST and GraphQL APIs (exposed introspection, field over-exposure, missing rate or query-depth limits), stored, reflected and DOM-based XSS, leakage of sensitive data and secrets in responses, client code or error messages.
Frequently asked questions
Web pentest: what to know before you start
How long does a web application pentest take?
Duration depends on scope: the number of endpoints, user roles and sensitive features. A mid-sized application usually requires five to ten days of testing. We calibrate the effort during scoping, once we have counted the user journeys and account types to cover.
Do we need to provide access and source code?
It depends on the chosen approach. In black box, we start with no privileged information. In grey box, the most common approach, you provide test accounts for each role, which lets us cover access control in depth. In white box, access to the source code sharpens the search for flaws. We usually recommend grey box for the best coverage-to-duration ratio.
How is this different from an automated vulnerability scan?
A scanner detects known patterns: outdated versions, missing headers, signatures of published vulnerabilities. It understands neither your business logic nor your authorisation rules, and cannot chain several minor flaws into a full compromise. We use tooling for coverage, then manual exploitation for the IDORs, workflow bypasses and privilege escalations that no scanner finds.
Other domains
Explore our other penetration tests
Pentest Mobile
Find the flaws in your iOS and Android app before an attacker exploits them.
Pentest IoT
Before you ship, find out what an attacker can do with your connected device.
Pentest Cloud
One over-permissive IAM role or an open bucket is enough to compromise your whole cloud.
Pentest LLM
Your LLM applications open an attack surface that your usual tests do not cover.
Penetration testing overview
Would your application hold up against an attacker?
Tell us about your web scope and we will send you a costed quote within 48h.