- Uncover vulnerabilities and poor security controls
- Exploit web application weaknesses
- Expose insecure functionality in your app
- Catch security design issues before it’s too late
Promoting industry best practices
By having our web application penetration testers all independently certified by industry-recognised organisations such as CREST and Tigerscheme, Bulletproof are demonstrating our commitment to championing best practices. In addition, all our website penetration services follow a clearly defined strategy, including detailed scoping, intel gathering, vulnerability analysis, and application exploitation.
Frequently asked questions
What is web application penetration testing?
What are the different types of web app test?
Whilst all web app penetration tests have the same goal of uncovering security weaknesses, there are different areas to consider:
- Authenticated tests analyse the security of your web app from a logged-in perspective. This is handy if you want to know what damage an attacker could do if they bypassed your login screen or phished user credentials.
- Unauthenticated tests mean that our penetration testers hunt for security weaknesses without access to user credentials. This replicates what a hacker would see, but doesn’t cover the security impact if a hacker bypassed your login screen.
- API tests are a vital component to include if your web application has an API. Penetration testing a web app’s API uses slightly different tools and techniques so is often included separately in the scope of a web app test.
Bulletproof recommend a blend of all three testing types to get the most value from your penetration testing engagement.
What vulnerabilities do you look for in a web application?
Bulletproof believe in working to the very best standards, so all our web application tests include the Open Web Application Security Project (OWASP) Top 10 vulnerabilities as a minimum. We use a blend of advanced automated tools and manual expertise to uncover security weaknesses. This includes things like code injection, broken authentication, misconfigurations, XSS, and much more.
Is there a report delivered at the end of the test?
At the end of the test you’ll receive a comprehensive report that’s easy to understand. It contains an executive summary followed by a full technical breakdown, complete with remediation advice and guidance. We also provide a full debrief call to run through the findings of the report.
How long does a test normally take?
For small web apps, 2-3 days is normally enough to delve into your application and find any security vulnerabilities, as well as produce an informative after-action report. Medium web application penetration tests usually take 5-10 days, and larger tests typically start at 10 days onwards.
Will my web application be disrupted during the test?
Testing can be performed against a non-production replica of your live environment, such as a UAT/QA environment, to ensure no risk to your live services. If testing against production is unavoidable, we can coordinate our testing activities to minimise the impact. You can also specify things like no denial of service (DoS), meaning tests will have negligible impact on your day-to-day operations.
Do you offer free retests?
Retesting is important to make sure that your remediations have mitigated the discovered vulnerabilities. Bulletproof offer free retests of all uncovered vulnerabilities as standard, accompanied by an updated report.
Do you recommend other tests to complement web app testing?
Mobile application tests often go hand-in-hand with web app tests, so you can bolster your security across all platforms and devices. Infrastructure and network testing is also important if your app is self-hosted, allowing you to lock down the systems and servers behind the app.
ISO 27001 and 9001 certified
Tigerscheme qualified testers
PCI DSS v3.2 Level 1
24/7 on-site Security