Web Application Penetration Testing

This assessment seeks to identify and exploit any security weaknesses in a website or web application. It can be performed from a variety of perspectives, ranging from anonymous and unauthenticated attackers over the Internet, through to highly privileged internal users, and covers everything from off-the-shelf software through to highly bespoke web applications and APIs.

The team will typically work through the following phases, and depending on their progress, may repeat stages several times to ensure the best possible coverage can be obtained in the time allowed:

  • Reconnaissance - Understanding the application, its hosting environment, and any potential points of compromise.
  • Scanning - Automated detection of potentially vulnerable pages, parameters and, depending on the scope, exposed services on the hosting server.
  • Vulnerability Assessment - Identification and exploitation of any vulnerabilities, including those listed in the OWASP Top Ten 2025.
  • Business Logic Testing - Identification and exploitation of flaws in business logic, for example payment processing systems.
  • Username Harvesting - Attempt to gain usernames for existing accounts, particularly those with administrative access.
  • Password Guessing - Attempt to gain unauthorised access through guessing of passwords for identified accounts.
  • Source Code Analysis - If provided or obtained during testing, the source code will be assessed for any remotely exploitable vulnerabilities that were not otherwise identified.
  • Microservice Logic Testing - Identification and exploitation of flaws in microservice or function unit logic which could be used to cause harm to the client, or to obtain sensitive data.
  • Cleanup - Wherever possible, leaving minimal evidence of the engagement.
  • Offline Analysis - Obtaining and analysing any data obtained to understand the potential impact of compromise to the client.
  • Reporting - Ensuring that the client gets a full understanding of the findings of the engagement, and recommended solutions to address any issues identified.

Testing can either be carried out against the production applications, or against dedicated test or staging versions of the environment, depending on the specifics of the application.