Ethredix

Web Application Penetration Testing

Comprehensive security testing according to the OWASP Web Security Testing Guide (WSTG). We identify vulnerabilities before attackers find them.

OWASP WSTG

We test against the OWASP Web Security Testing Guide checklist, over 200 test cases covering all critical web security areas.

CVSS v3.1

Each vulnerability is rated using the Common Vulnerability Scoring System v3.1 for an objective, comparable severity assessment.

OWASP Top 10

The most common web application vulnerability categories

A01:2021 – Broken Access Control

Insufficient access control allows users to read or modify data, or call functions, beyond what their role authorizes.

IDOR, privilege escalation, missing function-level access control

A02:2021 – Cryptographic Failures

Missing or weak protection of sensitive data in transit or at rest, including misuse of cryptographic primitives.

Unencrypted communication, weak hashing algorithms, hardcoded secrets

A03:2021 – Injection

Untrusted input that reaches an interpreter (SQL, OS shell, LDAP, template engine) without validation or parameterization lets an attacker change the query or command being executed.

SQL injection, command injection, LDAP injection, template injection
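A minimal illustration of A01 and A03 together, added here as an example and not code from Ethredix or from the original page: a hypothetical invoice lookup backed by an in-memory SQLite table with constructed sample data, first in its vulnerable form (string-built query, no ownership check) and then hardened with a bound parameter and the authenticated user's id in the WHERE clause.

```python
import sqlite3


def setup_db():
    """Constructed sample data: two invoices owned by two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total REAL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 19.99), (2, 200, 4999.00)],
    )
    conn.commit()
    return conn


def get_invoice_vulnerable(conn, invoice_id):
    """Vulnerable: the id is concatenated into the SQL text (A03 injection) and
    the query never checks who owns the invoice (A01, an IDOR)."""
    sql = f"SELECT id, owner_id, total FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


def get_invoice_fixed(conn, current_user_id, invoice_id):
    """Hardened: strict type check, bound parameters, and the owner_id of the
    authenticated user is part of the WHERE clause, so a valid id that belongs
    to another user yields no row instead of someone else's data."""
    if not isinstance(invoice_id, int) or isinstance(invoice_id, bool):
        raise ValueError("invoice_id must be an integer")
    sql = "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?"
    return conn.execute(sql, (invoice_id, current_user_id)).fetchone()


if __name__ == "__main__":
    conn = setup_db()
    # A03: a tautology payload turns a single-row lookup into a full table dump.
    print(get_invoice_vulnerable(conn, "1 OR 1=1"))
    # A01: user 100 requests invoice 2, which belongs to user 200, and gets it.
    print(get_invoice_vulnerable(conn, 2))
    # Hardened: the same request as user 100 now returns None ...
    print(get_invoice_fixed(conn, 100, 2))
    # ... and the injection payload is rejected before it reaches the database.
    try:
        get_invoice_fixed(conn, 100, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The ownership predicate belongs in the query (or in a central authorization layer), not in a separate check after the fetch: a later refactor that forgets the post-fetch check silently reintroduces the IDOR, whereas a query that cannot express "any owner" cannot leak.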

A04:2021 – Insecure Design

Architectural flaws in application design that cannot be fixed with simple patching.

Missing rate limiting, insufficient business logic validation

A05:2021 – Security Misconfiguration

Insecure settings and unchanged defaults anywhere in the application stack: framework, web server, platform services.

Missing security headers, directory listing, verbose error messages
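The header review from the "missing security headers" and "verbose error messages" items, written out as a small check a tester runs against a captured response. This is an added example, not Ethredix tooling; the two header sets are constructed, and the one-year HSTS threshold and the list of expected headers are assumptions that reflect common hardening guidance, not a requirement stated on this page.

```python
import re

# Constructed sample: a response from a default Apache/PHP deployment.
SAMPLE_WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed sample: the same application after hardening.
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Server": "nginx",
}

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def check_security_headers(headers):
    """Return a list of findings for a dict of response headers.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Either legacy X-Frame-Options or a CSP frame-ancestors directive is
    # acceptable; flag only when neither is present.
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append("Clickjacking protection missing (no X-Frame-Options or CSP frame-ancestors)")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    # Version strings in Server / X-Powered-By give an attacker a shortcut to
    # known CVEs; a bare product name is tolerated, a digit is treated as a version.
    for name in ("server", "x-powered-by"):
        value = h.get(name)
        if value and re.search(r"\d", value):
            findings.append(f"{name} discloses a version: {value}")

    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, check_security_headers(sample))
```

A check like this only covers the transport-level part of A05; it should be run on several representative responses (HTML page, API JSON, error page), since frameworks often set headers on one path and not another.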

+ 5 more categories: Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery (SSRF)

Testing Output

Management Summary

Executive summary with risk profile, severity statistics and business impact.

Technical Findings

  • Exact vulnerability location
  • CVSS v3.1 score
  • Proof of Concept
  • Impact assessment

Remediation Guide

  • Recommended code changes
  • Anti-patterns
  • Best practices references
  • Risk-based prioritization

Retest

Verification of successful remediation of all critical and high severity findings.

Process

01

Preparation and Scoping

Scope definition aligned with OWASP WSTG, provisioning of test accounts and access, and collection of architecture documentation.

02

Information Gathering

Application mapping, technology identification and attack surface analysis.

03

Active Testing

Systematic testing according to OWASP WSTG: authentication, authorization, session management, input validation, business logic.

04

Exploitation and PoC

Verification of exploitability, creation of a Proof of Concept and calculation of CVSS metrics.

05

Reporting

Report compilation with management summary, technical findings and remediation recommendations.