What is a web application penetration test?

A controlled attack by an ethical hacker simulating real-world attacker techniques to uncover vulnerabilities before they are exploited in production, using the OWASP WSTG methodology.

How much does a web application penetration test cost?

Pricing starts at 4,000 EUR, typically ranging up to 8,000–10,000 EUR for complex applications. Depends on number of endpoints, authentication complexity and testing approach (black/grey/white box).

How does a web application penetration test work?

Four phases: Kick-off and scope definition, manual testing per OWASP WSTG, structured report with CVSS scoring and proof of concept, and optional remediation support and retest.

Is a penetration test mandatory for NIS2, DORA or ISO 27001?

A penetration test is the standard evidence of cyber risk management for NIS2, DORA, ISO 27001 and PCI DSS. For regulated entities in critical infrastructure and finance it is effectively mandatory.

What will I receive as output from a penetration test?

A detailed security report with vulnerability descriptions, proof of concept evidence, CVSS 4.0 ratings, developer-focused remediation steps, and an executive summary for management.

What is the difference between black box, grey box and white box penetration testing?

Black box simulates an external attacker with no prior knowledge. Grey box provides credentials and basic documentation for the most common scenario. White box provides full source code access for maximum depth.

Web Application Penetration Testing | API Security

Web Application & API Penetration Testing

INTEGRA's certified ethical hackers conduct in-depth penetration tests of web applications and APIs following the OWASP WSTG methodology. Based in Prague, serving clients across the Czech Republic, Slovakia and the EU — we uncover vulnerabilities in application logic, authorization and authentication and deliver clear remediation priorities with developer support.

How we test web applications and APIs

We don't rely on scanners alone. Every web app pentest at INTEGRA is led by a certified penetration tester who understands application logic — uncovering vulnerabilities in authentication, authorisation and business logic exactly as a real attacker would. Web application security testing requires human expertise, not just tools.

Manual testing by a certified specialist

Automated tools only scratch the surface. Deep vulnerabilities in business logic, authorisation and session management require a manual tester who understands how the application works and where the weak points are.

Proxy & HTTP traffic interception

All application traffic flows through Burp Suite Pro. We analyse every request, manipulate parameters, test authorisation at the individual call level and hunt for hidden endpoints and shadow APIs.

OWASP WSTG methodology

We test systematically against the OWASP Web Security Testing Guide — covering all 12 categories from information gathering to business logic testing. Every finding is mapped to OWASP Top 10 and assigned a CVSS 4.0 score.

Detailed report with proof of concept

Every finding is documented with a step-by-step reproduction guide, CVSS 4.0 severity rating, concrete remediation advice for developers and an executive summary for management. Optional retest after fixes is available.

10+ specialised penetration testers

The INTEGRA team consists exclusively of senior specialists holding OSCP, OSWP and CEH certifications. Web application projects always involve at least two testers — cross-reviewing findings eliminates individual blind spots.

Choosing the right testing approach

The depth of access we have before testing begins significantly affects the number and type of vulnerabilities we can uncover. We tailor the approach to your situation, timeline and risk tolerance.

No prior access

Black Box

We receive only the target — a URL or IP address. No credentials, no documentation, no source code. The test simulates a real external attacker who knows nothing about the application beyond its existence.

Best suited for

Limited budget — the fastest and most affordable testing option
Validating what an external attacker can reach and exploit
Public-facing applications and APIs
Situations where minimal client-side preparation is required

Most common approach

Grey Box

The tester is given user credentials, documentation, access to the application and support from the client — but no source code. Testing covers all attack vectors both without and after authentication. This is the optimal and most frequently used approach for web applications.

Best suited for

All attack vectors tested — unauthenticated and authenticated
Complex authorisation logic, multiple user roles
Best balance of depth, time and cost
NIS2, ISO 27001, PCI DSS and most compliance requirements

Maximum depth

White Box

In addition to full grey box access, the tester can request source code review for any area of interest. Used selectively — the tester decides when to look under the hood. This approach uncovers vulnerabilities that are invisible from the outside and is reserved for the most demanding security reviews.

Best suited for

Applications processing sensitive financial or health data
Pre-launch security review of a new product
DORA TLPT and critical infrastructure requirements
Highest possible vulnerability coverage per man-day

Key areas of penetration testing

We cover web applications, REST/GraphQL APIs and desktop clients communicating with back-end services. Every test is tailored to the specific stack, authentication scenarios and business logic of your application.

Web Applications

Reconnaissance — frameworks, versions, hidden endpoints and admin interfaces
Authentication — brute-force, 2FA bypass, JWT weaknesses, session fixation
Authorisation — IDOR, BOLA, privilege escalation, missing access controls
Input validation — SQL injection, XSS, SSRF, Command Injection, LFI/RFI
Session management — session hijacking, insecure cookies, CSRF
Business logic — price manipulation, limit bypasses, workflow abuse
Configuration — HTTP headers, verbose errors, exposed debug endpoints
Cryptography — weak protocols, hardcoded secrets, insecure data at rest

REST & GraphQL API

Authentication & tokens — weak JWT, missing expiry, API key leakage
Authorisation — Broken Object Level Authorization (BOLA/IDOR), BFLA
Rate limiting — missing throttling, object enumeration, DoS vectors
Input validation — injection via parameters, Mass Assignment, fuzzing
GraphQL specifics — introspection abuse, query depth attacks, batching
Exposed endpoints — shadow APIs, undocumented and deprecated versions
Error handling — stack traces, internal structure disclosure
Transport security — TLS configuration, certificate validation, MITM vectors

Desktop Applications

Static analysis — binary decompilation, extraction of hardcoded secrets
Network communication — API call analysis, certificate pinning bypass, MITM
Local storage — insecure storage of sensitive data, plaintext credentials
Protection mechanisms — licence control bypass, anti-tamper circumvention
Code injection — runtime patching and hooking vectors
Reverse engineering — API key extraction, protocol reconstruction

Most common vulnerabilities in web applications

This ranking is based on 1,619 findings from 218 penetration tests conducted in 2025. The data shows where Czech and Slovak applications have the greatest weaknesses.

#01

Broken Access Control

Missing or incorrect access controls — IDOR, BOLA, missing authorisation and privilege escalation. The most common critical vulnerability in SaaS and B2B applications.

OWASP A01:2025

15.0 %

#02

Security Misconfiguration

Default credentials, exposed debug endpoints, missing security HTTP headers and verbose error messages in production environments.

OWASP A05:2025

12.2 %

#03

Software Supply Chain Failures

Compromised open-source libraries, outdated dependencies with known CVEs and typosquatting attacks. The fastest-growing category year-on-year.

OWASP A06:2025

10.9 %

#04

Cryptographic Failures

Weak encryption, sensitive data over HTTP, hardcoded API keys in source code or git history, and use of MD5/SHA-1 for password storage.

OWASP A02:2025

9.5 %

#05

Injection (SQLi, XSS, SSTI)

SQL injection, Stored/Reflected XSS, command injection and SSTI — still prevalent in legacy systems and applications without modern frameworks and ORM layers.

OWASP A03:2025

8.1 %

Real findings from penetration tests

Anonymised examples of critical and high-severity findings from production application testing in banking, SaaS and e-commerce. All are real INTEGRA projects from 2024–2025.

CRITICAL · CVSS 9+

HIGH · CVSS 7–9

MEDIUM · CVSS 4–7

HIGH · CVSS 6.5 IDOR – unauthorised access to data of 10,000+ organisations

ClientSaaS platform (B2B)

Test typeGrey Box

StackNode.js · GraphQL · MongoDB

Attack Chain

GraphQL schema enumeration via introspection query
IDOR identified in /api/users/{id}/data with no authorisation check
Access to sensitive data of 10,000+ tenants without authentication
No rate limiting → real-time brute-force enumeration of IDs feasible

Remediation

Server-side authorisation checks on every API request
Rate limiting and IP throttling at the API gateway layer
Disable GraphQL introspection in production environments

Node.jsGraphQL OWASP A01 – Broken Access Control CWE-639

HIGH · CVSS 8.1 Race Condition – multiplication of financial transactions

ClientFinancial institution

Test typeGrey Box

StackNode.js · PostgreSQL · REST API

Attack Chain

POST /api/v1/payments/internal intercepted via Burp Suite proxy
10 identical requests sent in parallel within the race window
Race condition → 4 of 10 requests processed successfully in parallel
Result: 4× transaction amount multiplied — demonstrated at $40,000

Remediation

Idempotent transactions with distributed mutex locks (Redis)
Database-level unique constraints on transaction ID
Real-time monitoring of anomalous transaction patterns

PostgreSQLREST API OWASP A04 – Insecure Design CWE-362

CRITICAL · CVSS 9.8 RCE via exposed JDWP debug port in production

ClientEnterprise corporation

Test typeBlack Box

StackJava 17 · Spring Boot · JDWP

Attack Chain

Network scan revealed open port 9009 (Java Debug Wire Protocol)
Active JVM remote debugging identified in production
JDWP protocol exploited → Runtime.exec() called via debugger
Remote execution of arbitrary OS commands with no authentication required

Remediation

Immediate JDWP shutdown on all production servers
Firewall rules audit and tightening — allowlist-based access
Automated open port scanning integrated into CI/CD pipeline

JavaSpring BootJDWP OWASP A05 – Security Misconfiguration CWE-489

HIGH · CVSS 8.6 Biometric authentication bypass in a banking iOS app

ClientBanking institution

Test typeGrey Box

StackiOS · Swift · REST API

Attack Chain

iOS IPA binary reverse-engineered using Frida
Client-side biometric check (TouchID/FaceID) identified without server-side validation
Authentication bypassed by runtime binary patching via Frida hook
Full access to banking features without valid credentials

Remediation

Authentication logic moved server-side — token-based auth with short TTL
Certificate pinning implemented for all API communication
Jailbreak and runtime manipulation detection (Frida/Substrate detection)

iOSSwiftFrida OWASP MASTG – MSTG-AUTH-8 CWE-287

MEDIUM · CVSS 6.1 Stored XSS → session hijacking and admin account takeover

ClientE-commerce platform

Test typeBlack Box

StackReact · Django · PostgreSQL

Attack Chain

JavaScript payload injected into the "Product Name" field (Stored XSS)
Payload rendered in admin dashboard without output sanitisation
Administrator session cookie automatically stolen on dashboard load
Admin account taken over — full access to e-commerce management

Remediation

Output encoding on all user-controllable outputs
HttpOnly and Secure flags set on session cookies
Content Security Policy (CSP) headers deployed with strict-dynamic

ReactDjango OWASP A03 – Injection (XSS) CWE-79

Find out how secure your application really is

Book a free consultation with our security team. We will assess your situation and propose the optimal web application penetration testing service scope tailored specifically to your application and stack.

Free consultation

Quote within 24 hours

NDA from first contact

Free Consultation

Web Application & API Penetration Testing

How we test web applications and APIs

Choosing the right testing approach

Key areas of penetration testing

Most common vulnerabilities in web applications

Broken Access Control

Security Misconfiguration

Software Supply Chain Failures

Cryptographic Failures

Injection (SQLi, XSS, SSTI)

Real findings from penetration tests

Everything you need to know about web application penetration testing

Find out how secure your application really is

Žadost o vzorovou zprávu výsledků z testu