OWASP Top 10 coverage
- A01 Broken Access Control — can a regular user reach admin endpoints by guessing the URL? Can user A see user B's data via parameter tampering?
- A02 Cryptographic Failures — passwords stored in the clear or weakly hashed, sensitive data sent over plain HTTP, expired certificates.
- A03 Injection — SQL, NoSQL, command, LDAP, template injection in every input field. Where parameterization isn't used, we find it.
- A04 Insecure Design — race conditions, missing rate limits, business-logic flaws (e.g., a negative quantity that turns a cart purchase into a refund).
- A05 Security Misconfiguration — default credentials, verbose error pages, debug endpoints exposed, S3 buckets public.
- A06 Vulnerable Components — outdated libraries with known CVEs in your stack (jQuery 1.x, Spring4Shell, Log4Shell, etc.).
- A07 Authentication Failures — password reset weaknesses, MFA bypass, session fixation, predictable session IDs, sessions that are not invalidated server-side on logout.
- A08 Software & Data Integrity — CDN-loaded scripts without SRI, supply-chain attack vectors.
- A09 Logging Failures — missing audit log on admin actions, no alert when an account is locked.
- A10 SSRF — can a URL field be coerced to fetch internal endpoints (cloud metadata service, internal admin tools)?
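A defensive guard for the A10 case above, as an added example (not code from this service or from OWASP): it validates a user-supplied URL before the server fetches it, rejecting non-HTTP schemes, embedded credentials, and any host that is a literal or resolves to a loopback, link-local (which covers the 169.254.169.254 metadata address), private or otherwise non-global IP. The `resolver` parameter, the `is_safe_fetch_url` name and the sample hostnames are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip_text):
    """True only for globally routable addresses; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    # is_global is False for loopback, link-local, RFC 1918, CGNAT, reserved, etc.
    return addr.is_global


def resolve_all(host):
    """Default resolver: every address the system resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_fetch_url(url, resolver=resolve_all):
    """Return (ok, reason). The resolver is injectable so the check can be tested offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        ips = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, "resolution failed"
    if not ips:
        return False, "no addresses"
    # Every resolved address must be public; one internal A/AAAA record is enough to reject.
    for ip in ips:
        if not _is_public(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs; the fake resolver stands in for DNS so this runs offline.
    fake_dns = {"intranet.corp.example": ["10.1.2.3"], "www.example.com": ["93.184.216.34"]}
    for u in ["http://169.254.169.254/latest/meta-data/",
              "http://intranet.corp.example/",
              "https://www.example.com/feed.xml"]:
        print(u, is_safe_fetch_url(u, resolver=lambda h: fake_dns.get(h, [])))
```

Two caveats a reviewer would raise: the check resolves the name once, so the fetch itself should connect to the address that was validated (otherwise a DNS answer that changes between check and use slips past), and redirects returned by the fetched server must be run through the same guard before being followed.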
How we test
- Discovery — sitemap, robots.txt, JS bundle analysis to find hidden endpoints, parameter brute-force on found endpoints.
- Manual exploration — clicking through every flow with Burp Suite intercepting. Map authenticated and unauthenticated surfaces.
- Per-finding verification — every finding is reproduced twice with timestamped evidence. False-positive rate <3%.
- Authentication testing — with credentials you provide for one normal user and one admin. We test horizontal + vertical privilege escalation.
- Business-logic walks — the human stuff: can I refund the same order twice? Can I claim a coupon I shouldn't be eligible for? Can I see the next user's invoice by changing the URL ID?
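The "change the URL ID and read the next user's invoice" walk above is the same defect as A01 in the coverage list, and it usually sits beside A03. Here is an added example (not this service's code) showing a vulnerable invoice lookup next to its hardened form: the vulnerable version builds SQL by string formatting and never checks ownership, the hardened version parameterizes the query and filters on the current user in the same statement. The `invoices` table and its rows are constructed sample data.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample data: three invoices, two owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 10.0), (2, "bob", 20.0), (3, "alice", 30.0)],
    )
    return conn


def get_invoice_vulnerable(conn, current_user, invoice_id):
    """Two defects on purpose: string-built SQL (A03) and no ownership check (A01).

    current_user is accepted but never used, so any authenticated user can read any
    invoice by id, and a non-numeric id changes the meaning of the query.
    """
    sql = f"SELECT id, owner, total FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


def get_invoice_hardened(conn, current_user, invoice_id):
    """Parameterized query plus an ownership predicate in the same statement."""
    try:
        invoice_id = int(invoice_id)  # reject anything that is not a plain integer id
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, owner, total FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # bob asks for invoice 1, which belongs to alice
    print("vulnerable:", get_invoice_vulnerable(db, "bob", "1"))
    print("hardened:  ", get_invoice_hardened(db, "bob", "1"))
```

The ownership filter belongs in the query rather than in a check after the row is loaded, so that a later refactor cannot drop it silently; a test that asserts a second user gets an empty result for another user's id is the regression check to keep.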
What's in scope vs. not
In scope: the specific URLs, hostnames, and authenticated user accounts named in the Rules of Engagement document. Read-only verification by default; controlled exploitation only when ROE explicitly authorizes it for a specific finding.
Not in scope: DDoS, brute-force credential spraying, mass scanning of customer data (we don't extract, even if we can), social engineering of your staff (separate engagement type).
Pricing
Single web app: from $1,800. One customer-facing site (5-50 pages of authenticated surface). 1-2 weeks. Report + debrief.
Multi-app suite: from $4,500. 2-4 sites that share auth or backend. 2-3 weeks.
API-only test (no browser UI): from $2,200. Useful for partners shipping a customer-data API.