Web Application Penetration Test

Pentest of Web Applications & Websites

We perform penetration test of web applications, while the scope and complexity of a web application can range from a static website to a multi-tenant web application. The test method used by binsec GmbH for web applications and websites is based on the OWASP Testing Guide and the OWASP TOP 10. The Open Web Application Security Project (OWASP) is currently the world's largest non-profit organisation, the objective of which is to increase the security of applications. The OWASP Top 10 includes the ten most critical vulnerabilities in web applications. According to the current publication from 2021, most web application vulnerabilities are due to missing or incorrect authorization management. If Application Programming Interfaces (APIs) are part of the object of investigation, the OWASP API Security Top 10 are also taken into account during the penetration test, in order to perform a API pentest as well.

The methodical test approach of binsec GmbH is roughly divided into the following 16 test phases. Within the test phases, the web application or website is examined for the vulnerabilities of the OWASP TOP 10. Various analysis tools are used during the pentest, as well as intensive manual testing. The exact course of the penetration test depends heavily on the characteristics of the respective application and is based on the approach a real attacker would take:

  • Information gathering (passive, external resources)

  • Testing underlying IT systems as an attack vector

  • Information gathering (active, test objects)

  • Configuration management of web server & web application

  • Authentication testing of access controls

  • Identity management & registration process

  • Testing of user password handling

  • Secure data transmission

  • Session management

  • Authorization testing

  • Authorization testing (multi-tenancy)

  • Input validation (e.g. Injection, XSS)

  • File upload implementation

  • Low and Slow Denial of Service

  • Error handling

  • Successful exploitation

We usually pentest a web application both with and without credentials. In order to efficiently detect errors in the authorization management of the web application, we request test accounts for each user role and for different tenants if applicable.

Our service in a nutshell:
Conducting Penetration Testing (Pentest)

Since 2013 our certified penetration tester team conduct pentest for IT infrastructures, web applications, mobile APPs (iOS/Android) and other targets while every time using a structured approach based on all relevant publications. As a service provider evaluate the identified and exploited vulnerabilities based on the associated business risk and compiling it into a report that contains a summary for the IT management and the technical details of the vulnerabilities identified. After you fix the vulnerabilities, we usually perform a retest without any additional charge.

Contact us

Structured approach

Certifications: ( OSCP, OSCE, CRTO, BACPP )

Identifying technical and business security risks

Risk-weighted vulnerability assessment or CVSS scoring

Report splitted in management and technical part

Retesting included

Our service in a nutshell:
Conducting Penetration Testing (Pentest)

Since 2013 our certified penetration tester team conduct pentest for IT infrastructures, web applications, mobile APPs (iOS/Android) and other targets while every time using a structured approach based on all relevant publications. As a service provider evaluate the identified and exploited vulnerabilities based on the associated business risk and compiling it into a report that contains a summary for the IT management and the technical details of the vulnerabilities identified. After you fix the vulnerabilities, we usually perform a retest without any additional charge.

Contact us

Structured approach

Certifications: ( OSCP, OSCE, CRTO, BACPP )

Identifying technical and business security risks

Risk-weighted vulnerability assessment or CVSS scoring

Report splitted in management and technical part

Retesting included

Pentest-Methodology

Pentest use the same tools and techniques that real attackers would use to break into a system. It includes the use of security tools and carrying out manual tests to uncover vulnerabilities. Thus is it not a automatic vulnerability assessment. On the contrary, as a service provider for penetration testing we are using the same tools and techniques that real attackers would use to break into a system. But while a real attacker only needs to find and exploit one vulnerability, a penetration tester checks all relevant attack vectors.

Having a structured approach is one of the most important factors to achive this in order to provide a professional pentesting service. This is also important when performing a Web Application pentest. Our approach is based on all relevant standards and publications.

Offer for Web Application Pentest

Pentest are always a compromise between effort and cost, to get a reasonable price. Successful pentest offer a good balance between these criteria to facilitate the testing of all relevant attacks and attack vectors. The cost of such a test always depends on the time the penetration tester spends and on the extent and complexity of the IT system or web applications. While a penetration test for a small application takes only some days, it can take several weeks for a large network or complex application.

For a pentest offers we do require prior information about the systems and applications that are to be examined. It is important that we get an initial impression of the target. For web applications, for example, test access can be helpful. Any additional information, e.g. the framework etc., can make it easier for us to draft a suitable offer for you. If you need us to pentest an IT system, we will need the corresponding network addresses in advance. In this particular case, we will first perform a non-invasive network scan to get a first look at your network. We will provide a detailed offer once we can estimate the effort required.

binsec GmbH is a german pentest company for professional penetration testing. Get in touch with us for your Web Application pentest offer - get your pentest today!

Contact us
Pentest Offer

binsec GmbH for professional Penetration Testing Web Application pentest

binsec GmbH is the german professional penetration testing company for your Web Application pentest. Get a pentest offer without typical sales nonsense. Talk to experts instead to pre sales consultants. Better pentesting. No nonsense. As a professional penetration test provider we do some things differently than other pentest provider: As a penetration test firm, we do not sell vulnerability scans as pentest. We do also focus on business security risks. You are looking for a professionally conducted penetration tests? Get the binsec team for your Web Application pentest pentest!

Contact us

Frequently Asked Questions

Of course. Please contact us for a pentest example report.

It is difficult to give an generalized answer to this question, since the toolset used basically depends on the respective test object. Of course, we use tools such as nmap to check IT infrastructures or the Burp Suite Professional in the case of web applications.

However, we believe that publishing a tool list is mere window dressing, as each target system should be tested individually. However, you are welcome to ask us about the tools we used after the pentest.

If you fix the vulnerabilities within a reasonable amount of time, we would be glad to retest at no additional cost.
Hosting a critical business application on a cloud provider such as Amazon AWS, Microsoft Azure or Hetzner Cloud is becoming more and more common. Of course, we conduct penetration test for applications that are operated in the cloud. This also applies to cloud infrastructure penetration test as long as the virtual machines are not managed by the cloud provider itself.
There are three approaches based on the information a penetration tester gets before starting: Black-Box-Pentest, Grey-Box-Pentest and White-Box-Pentest. We always recommend going for grey box pentesting. It has the best cost-benefit ratio if you like to get your complete attack surface tested.
Of course, we also offer Offensive Security and Red Teaming. Basically they are a subcategory of pentesting with a very strong focus on unstructured Ethical Hacking.
We can pentest any business, IT system, application or network, right down to protocol fuzzing. We only leave the analysis of hardware chips under the microscope to others. We test for example:

Pentest Knowledge and Tools

binsec.tools logo

Free pentest tools for your security analysis.

Pentest Tools
binsec.wiki logo

Take a look at our wiki page about pentesting.

Pentest WIKI
binsec FAQ logo

Straight answers to common pentesting questions.

Pentest FAQ
binsec news logo

News about pentesting and the binsec universe.

Pentest News

Company

binsec GmbH
Solmsstraße 41
60486 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorised Officer: Florian Zavatzki, Dominik Sauer
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808

© 2025 All rights reserved by binsec GmbH.

© 2025 All rights reserved by binsec GmbH.