SEKurity GmbH

WEB APPLICATION TESTS

Manual testing where scanners stop.

Web application tests cover the attack classes that automated tools miss by design: business logic, cascading authorisation flaws, token-based authentication, GraphQL introspection and the typical server-side rendering (SSR) and dependency pitfalls of modern JavaScript stacks.

01 · SCOPE

OWASP Top 10, API Top 10 and what matters beyond.

We test classic single-page applications, server-side rendered portals, REST and GraphQL APIs and microservice gateways. The basis is the OWASP Web Security Testing Guide and OWASP API Top 10, extended by our own test baseline for SSR frameworks such as Next.js, Nuxt and Remix.

02 · TYPICAL FINDINGS

What we find in real applications.

Access-control breaks: IDOR and missing server-side authorisation on REST endpoints and GraphQL resolvers. JWT misconfigurations: the none algorithm accepted, weak signing keys or no signature verification at all. SSRF against internal cloud metadata services. Reflected and DOM-based XSS despite framework escaping. Prototype pollution and dependency confusion in npm workspaces. Server-side template injection and unsafe deserialisation. Web cache poisoning via headers the cache does not key on (typically a forgotten Vary).

03 · AUTH & SESSION

Authentication, session and multi-tenant.

We review login flows, MFA bypass, password reset, OAuth and OIDC redirect handling, session fixation, cookie attributes, CSRF protection, horizontal isolation between tenants and vertical isolation between roles. Multi-tenant applications on a shared database are a particularly constant source of missing tenant filters: a single query that omits the tenant condition exposes another customer's records.

READY

A web test that actually helps developers.

We deliver reproducible proof-of-concepts, concrete code recommendations and work closely with your development team. No generic boilerplate.