// WEB PENETRATION TESTING
We audit your web applications against OWASP standards.
Black-box web penetration testing (no source code access), aligned with the vulnerability lists published by the relevant authorities and conducted under OWASP standards and the TS 13638 methodology.
// WHY KRITERA
Expertise dedicated to web security
From APIs to SPAs and from e-commerce platforms to banking applications: in-depth coverage of every web technology stack.
01
OWASP Top 10 + ASVS L2
Beyond the Top 10: an in-depth audit against the Application Security Verification Standard (ASVS) Level 2, with detailed coverage of authentication, session management and access control.
02
API + Mobile Backend
In-depth testing of REST, GraphQL and gRPC APIs, plus focused testing of the backend behind mobile applications, covering modern API attack classes such as SSRF, IDOR and BOLA (broken object-level authorization).
03
Business Logic Flaws
Findings that automated scanners cannot reach, such as double-spending in money transfers, coupon abuse and price manipulation.
// METHODOLOGY
Web pentest workflow
WEEK 1
Scope & Access
Agreeing the applications in scope and obtaining test user accounts at different privilege levels, API keys and session details.
WEEK 1-2
Discovery & Mapping
URL discovery (Burp Suite, OWASP ZAP), parameter mapping, technology fingerprinting, JavaScript analysis and API endpoint extraction.
WEEK 2-3
OWASP Top 10 Testing
Injection (SQL, NoSQL, command), broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, vulnerable components and insufficient logging. These are the OWASP Top 10 2017 category names; the 2021 edition regroups them (XXE under Security Misconfiguration, XSS under Injection, deserialization under Software and Data Integrity Failures) and adds Insecure Design and SSRF, which are covered as well.
WEEK 3-4
Business Logic Testing
Abuse of the application flow: price manipulation, race conditions, multiple-withdrawal attacks against the same balance, and in-depth IDOR testing.
WEEK 4
Reporting
Executive summary, findings ranked by OWASP Risk Rating score, video proofs of concept, and remediation guidance with code samples.
WEEK 8
Retest
Retest of all critical findings after remediation, followed by a closure confirmation report.
// PITFALLS
Most frequently encountered web vulnerabilities
The five vulnerability classes Kritera most frequently found in web tests in Turkey during 2024-2026:
XSS more serious than you think
Stored XSS means session hijacking, account takeover and access to customer data. Fix: context-aware output encoding at every point where data enters HTML, JavaScript or attributes (the primary control), input validation, and a Content Security Policy as defence in depth.
APIs less protected than the browser
Controls enforced in the browser front end mean nothing once the API is called directly. Fix: authentication, authorization, rate limiting and input validation enforced server-side on every API endpoint.
Insecure direct object references
Reading someone else's data by changing id=123 to id=124 in the URL. Fix: an authorization (ownership) check on every data read, write and export, bound to the server-side session rather than to any identifier supplied in the request.
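A minimal illustration of that fix, added here as an example and not code from Kritera or from any client engagement: a vulnerable handler that selects a record by id alone, beside a hardened one that makes ownership part of the lookup and reuses the same gate on a secondary export path. The invoice table, the users alice and bob, the invoice ids and the PDF export endpoint are all constructed for the demonstration.

```python
import sqlite3
from typing import Optional, Tuple

# (status_code, body): a stand-in for a web framework response.
Response = Tuple[int, Optional[dict]]


def build_db() -> sqlite3.Connection:
    """Constructed sample data, not a real schema: invoice 123 belongs to alice, 124 to bob."""
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(123, "alice", 4200), (124, "bob", 9900)],
    )
    return conn


DB = build_db()


def _row_to_dict(row) -> dict:
    return {"id": row[0], "owner": row[1], "amount_cents": row[2]}


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Response:
    """IDOR: the query is parameterised (no SQL injection) and the caller is
    authenticated, but the row is selected by id alone. Nothing binds it to the
    session user, so alice requesting id=124 receives bob's invoice."""
    row = DB.execute(
        "SELECT id, owner, amount_cents FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    if row is None:
        return 404, None
    return 200, _row_to_dict(row)


def load_owned(session_user: str, invoice_id: int) -> Optional[dict]:
    """Hardened lookup: ownership is a predicate of the query itself, so a handler
    that uses this helper cannot forget the check. session_user comes from the
    server-side session, never from a request parameter."""
    row = DB.execute(
        "SELECT id, owner, amount_cents FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, session_user),
    ).fetchone()
    return None if row is None else _row_to_dict(row)


def get_invoice(session_user: str, invoice_id: int) -> Response:
    inv = load_owned(session_user, invoice_id)
    # 404 for both missing and foreign ids: a 403 would confirm that the id exists
    # and hand an attacker an enumeration oracle.
    return (404, None) if inv is None else (200, inv)


def download_invoice_pdf(session_user: str, invoice_id: int) -> Response:
    """Secondary read path through the same gate. IDOR is frequently fixed on the
    main view and left open on download, export or share endpoints."""
    inv = load_owned(session_user, invoice_id)
    if inv is None:
        return 404, None
    return 200, {"filename": f"invoice-{inv['id']}.pdf", "size": len(str(inv))}


if __name__ == "__main__":
    print("vulnerable, alice -> 124:", get_invoice_vulnerable("alice", 124))
    print("hardened,   alice -> 124:", get_invoice("alice", 124))
    print("hardened,   alice -> 123:", get_invoice("alice", 123))
    print("export,     alice -> 124:", download_invoice_pdf("alice", 124))
```

During a test, the check is the same on every path that takes an object identifier: repeat the request with a second account's session and a first account's id, and do it for view, download, export and any write endpoint, not only the one the client normally uses.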
Outdated JS libraries
jQuery 1.x or an outdated React build exposes the application to known CVEs. Fix: software composition analysis (SCA) tooling with continuous auditing and automated dependency updates.
Business logic abuse
A 50% discount obtained through a race condition between adding to and removing from the cart. Fix: atomic check-and-act operations (a database transaction or conditional update, not a read followed by a separate write) and server-side recomputation of the cart state, never trusting a client-supplied total.
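The same check-then-act race, shown here on a single-use coupon rather than the cart add/remove variant above, as an added example that is not Kritera's code: two requests arrive together, both read the coupon as unused, and both apply it, halving the price twice. The coupon code, cart and prices are constructed, and the threading.Barrier in the racy store is a deliberate widening of the window between check and write so the race reproduces every run instead of occasionally; it is not something a real application would contain. The locked version and the checkout recomputation show the two fixes named above.

```python
import threading
from dataclasses import dataclass, field

HALF_OFF = "HALF-OFF"  # constructed single-use coupon code


@dataclass
class Cart:
    # Prices live server-side in cents; the client never sends a total.
    subtotal_cents: int
    applied: list = field(default_factory=list)

    def total_cents(self) -> int:
        # Each applied coupon halves the price, so applying a single-use
        # coupon twice is exactly the double-discount abuse.
        return self.subtotal_cents // (2 ** len(self.applied))


class CouponStoreRacy:
    """Check-then-act with no synchronisation. The Barrier is NOT application
    logic: it holds each request after its check until the other has checked too,
    which makes the race deterministic for the demonstration (two requests)."""

    def __init__(self, codes):
        self.redeemed = {c: False for c in codes}
        self._window = threading.Barrier(2, timeout=2)

    def redeem(self, code: str, cart: Cart) -> bool:
        if not self.redeemed.get(code, True):   # 1. check: coupon still unused?
            try:
                self._window.wait()             # both requests pass the check...
            except threading.BrokenBarrierError:
                pass
            self.redeemed[code] = True          # 2. act: ...then both mark and apply it
            cart.applied.append(code)
            return True
        return False


class CouponStoreAtomic:
    """Check and mark happen as one unit under a lock, so the second request
    observes the coupon as already used. In a real service the equivalent is a
    conditional update inside a transaction, e.g.
    UPDATE coupons SET redeemed = 1 WHERE code = ? AND redeemed = 0,
    treating rowcount == 0 as 'already redeemed'."""

    def __init__(self, codes):
        self.redeemed = {c: False for c in codes}
        self._lock = threading.Lock()

    def redeem(self, code: str, cart: Cart) -> bool:
        with self._lock:
            if self.redeemed.get(code, True):
                return False
            self.redeemed[code] = True
            cart.applied.append(code)
        return True


def concurrent_redeem(store, code: str, cart: Cart) -> int:
    """Send two redemption requests at the same moment and return how many succeeded."""
    results = []

    def worker():
        results.append(store.redeem(code, cart))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def checkout(cart: Cart, client_total_cents: int) -> tuple:
    """Server-side state validation: the amount charged is recomputed from the
    server's own cart, and a client total that does not match is rejected."""
    server_total = cart.total_cents()
    if client_total_cents != server_total:
        return ("rejected", server_total)
    return ("charged", server_total)


if __name__ == "__main__":
    racy = Cart(10000)
    print("racy:  redemptions =", concurrent_redeem(CouponStoreRacy([HALF_OFF]), HALF_OFF, racy),
          "total =", racy.total_cents())
    safe = Cart(10000)
    print("atomic: redemptions =", concurrent_redeem(CouponStoreAtomic([HALF_OFF]), HALF_OFF, safe),
          "total =", safe.total_cents())
    print("checkout with tampered total:", checkout(safe, 2500))
```

In a pentest the same result is obtained without any barrier by firing the two requests from a tool that sends them in parallel and repeating until the window is hit; the fix is judged by whether the second request is refused and whether the charged amount is recomputed server-side.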
// CONTACT
Plan a pentest for your web application
Scope, test environment, account access and reporting format, agreed in a free introductory call.