Web Application Security Testing
Web Application Security Testing (AKA Web App Penetration Testing) involves automated and manual evaluation and testing of one or more applications to ensure they provide protection against abuse of your data. We use a combination of automated industry-standard scanning tools to look for well-known vulnerabilities as well as conduct extensive manual testing to find vulnerabilities and attack vectors not otherwise detectable by automated tools.
Schedule a ConsultationMore than a Vulnerability Assessment
This is more than a simple vulnerability assessment. We actively attempt to circumvent security controls by carrying out exploits that take advantage of discovered vulnerabilities, revealing what an adversary would be able to do. During testing, we look for any method that can violate the CIA Triad security model (confidentiality, integrity, availability).
- Confidentiality is limiting information to only the authorized person(s) who should have access to it.
- Integrity is ensuring data/communication at rest or in transit can only originate from, be sent to, or be modified by an authorized person(s).
- Availability is the ability for an authorized person(s) to access the resources when needed.
The purpose of testing is to enumerate your exposure (within the given time constraints), identify and verify as many vulnerabilities as possible, ensure your security configurations are strong, and then provide actionable solutions to help you protect your organization from attack/compromise. Types of common vulnerabilities found during this testing include those that allow an attacker to carry out remote code execution, DoS, SQLi, XSS, Directory traversal, privilege escalation, etc.
See additional examples
Static and dynamic vulnerability analysis, information gathering through OSInt and public research, configuration management, temp files, logs, network & infrastructure configuration, HTTP methods, HTTP headers (ex. HSTS, CORS, XSS, X-frame, etc.), identity management, user registration & account provisioning process, account enumeration & guessable user accounts, authentication & authorization, brute-force, authentication bypass, privilege escalation, 2FA/MFA, cache weakness, password policy, directory traversal, insecure direct object references, secure session management, session timeout & logout, session fixation, CSRF, session control, puzzling & hijacking, input & data validation, sanitization, & format string attacks, XSS, SQL, command, & other forms of injection, SSRF, file inclusion, buffer, heap, & stack overflow, error handling, cryptography, secure data at rest (ex. local store), in use (ex. IPC) and in transit (ex. SSL/TLS), secure network communications, certificate trusts, protocols, ciphers, protocols, etc., MiTM attacks, risky business functions and logic, file uploads, process timing attacks, reverse engineering, user accessible logs and alerts for authentication history, password resets, account changes, account lockout, etc., DoS, and more.
In most cases, we will leverage the discovered vulnerabilities to (1) verify it is exploitable and (2) determine your exposure, should it be breached. The testing is largely centered around the OWASP testing guide, but also includes our internal/proprietary methodologies. This is “noisy” and may generate alerts in the monitoring solutions you have deployed.
View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.
Sample Pricing
- Micro: Apps with less than 12 pages or major functions and 2 user roles (or less) – $9,000 - $12,000
- Small: Apps with less than 25 pages or major functions and 2 user roles (or less) – $11,500 - $16,500
- Medium: Apps with less than 50 pages or major functions and 3-4 user roles – $13,500 - $22,500
- Large: Apps with less than 100 pages or major functions and 4-5 user roles – $16,000 - $30,000
- xLarge: Apps with more than 100 pages or major functions and 6+ user roles – Varies
Add-On Services
In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need.
Post-Testing Briefings
Executive Level and/or Technical Level
Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies
Remediation Testing
Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies
Assist Technical Support Staff with Mitigations
$1,100 per 5-hr block of consultant time
Assist SOC Staff in Building Detections
$1,100 per 5-hr block of consultant time
On-Site Supplemental Testing and/or Visits
Mileage fee of
$3 per mile from 78006
plus, $300-450 per day for most visits
DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours needed to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).
DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.