Web Application Security Testing
Security testing to find what scanners miss — auth bypasses, business logic flaws, injection.
I test web applications manually, the way a real attacker would approach them. The focus is on the bugs that actually matter: authentication and session handling, access control between user roles, injection vulnerabilities, and business logic flaws specific to your application. Automated scanning supplements the manual work, not the other way around. You get a report written for developers — with reproduction steps, severity ratings, and fix suggestions.
What Gets Tested
Testing covers the OWASP Top 10 as a baseline, plus application-specific risks:
- Authentication, session management, and password reset flows
- Authorisation checks — horizontal and vertical privilege escalation
- Input handling — SQL injection, XSS, SSRF, path traversal
- Business logic — payment flows, state manipulation, race conditions
- API endpoints exposed by the web application
How It Works
- Scoping call — Define the target, agree on testing windows, set up access.
- Testing — Typically 1-3 weeks depending on scope, with regular status updates throughout.
- Report delivery — Findings with severity, reproduction steps, and remediation guidance. Executive summary included.
- Re-test — After fixes, I verify the patches are effective.