Web Application Penetration Test

Web Application Penetration Test helps identify web application weaknesses. Get your Webapp Pentest today.

The Hedgehog Security Web Application Penetration Test service is a CREST approved, regulated, full-scope, multi-layered attack simulation, orchestrated from the perspective of a malicious threat actor, designed to measure how prepared your infrastructure, applications, people, processes and technologies can defend and withstand an attack from a real-life adversary, while uncovering potential risks and security vulnerabilities.

A Webapp Pentest is important for organisations of all sizes and the traditional style of penetration testing has done the job for many years. Now, however, a well structured and scoped penetration test needs to me more than a simple point in time test.

Web application penetration test

Web technologies have advanced in recent years and so have the web applications that we all use daily. With this advancement and reliance on web technologies, we have also been exposed to Cyber Security risks associated with these applications such as advance Cross Site Scripting and SQL Injection attacks.

External facing webapps used by businesses are by nature available to all via the public Internet. Their complexity and availability have made them an ideal target for attackers and there have been many publicised data breaches that have been caused by insecure web applications.

Protecting these applications from new threats is a constant challenge, especially for developers who may not be security aware and who are working towards a performance deadline.

How a web application penetration test helps

We can help alleviate the risks associated with web application security issues by performing regular web app security reviews of your public facing or internal web applications to identify the issues and to give you an ability to remediate these before an attacker would exploit. Our professional and highly experienced web application pentest team will identify vulnerabilities that exist on your web applications. We have a wealth of knowledge in the area of web application penetration testing and our testers have created and contributed to many open source web application security projects.

Our web application penetration testing service is performed remotely for externally facing web applications. For internally facing applications within your premised, we can use either a client provided VPN, a testing application that we can ship to you or we can provide you with a secured virtual machine to allow us to test from.


Penetration Testing is charged by the half day at £425.00 for each half day used. Discounts are available for blocks of pre-booked time.

Talk To A Security Specialist

Book a free consultation with a security specialist to discuss your current concerns or security requirements.

Hedgehog Security needs the contact information you provide to us to contact you. You may unsubscribe from these communications at any time.  By clicking "Request Callback" below you agree for us to store and process your data.  For information on how to unsubscribe please review our Privacy Policy.

Download our penetration testing brochure

Webapp Pentest Methodology

Our web application penetration test service utilizes a risk-based approach to manually identify critical application-centric security flaws in all in-scope applications. Our web application penetration test combines the results from industry-leading scanning tools with manual testing to enumerate and validate vulnerabilities, configuration errors, and business logic flaws. In-depth manual application testing enables us to find what scanners often miss.

Using this approach, we ensure a comprehensive webapp pentest that covers the classes of vulnerabilities outlined in the Open Web Application Security Project (OWASP) Top 10 and beyond:

  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

Our web app penetration testing methodology is a consistent process based on industry-standard practices used for each and every internal and external web application penetration test we perform. Experience has shown our clients and us that our proven web application pentesting methodology works.

Information Gathering

The information-gathering phase consists of Google search engine reconnaissance, server fingerprinting, application enumeration, and more. Information gathering efforts result in a compiled list of metadata and raw output to obtain as much information about the application’s makeup as possible. Reconnaissance includes web application footprinting, metafile leakage review, service enumeration, and operating system and application fingerprinting. The purpose of this step is to map the in-scope application and prepare for threat identification collectively.

During the Information Gathering phase, our penetration test team will:

  • Use discovery tools to passively uncover information about the application
  • Identify entry points into the application, such as administration portals or backdoors
  • Perform application fingerprinting to identify the underlying development language and components
  • Send fuzzing requests to be used in the analysis of error codes that may disclose valuable information that could be used to launch a more targeted cyber attack
  • Actively scan for open services and develop a test plan for the latter phases in the security assessment

Through testing, Hedgehog Security’s penetration test team actively try to force your web apps to leak information, disclose error messages that can be exploited, or reveal versions and technologies used.

Threat Modeling

With the information collected from the previous step, the testing process transitions to identifying security issues in the application. This typically begins with automated scans initially but quickly morphs into multiple manual testing techniques using more pointed and direct tools. During the threat modeling step, assets are identified and categorized into threat categories. These may involve sensitive information, trade secrets, financial documents, etc.

During this phase, our pentest team will:

  • Use open source, commercial, and internally developed tools to identify and confirm well-known vulnerabilities.
  • Spider the in-scope application(s) to effectively build a map of each of the features, components, and areas of interest
  • Use discovered sections, features, and capabilities to establish threat categories to be used for more manual/rigorous testing (i.e., file uploads, admin backdoors, web services, editors)
  • Send fuzzing requests to be used to analyze error codes that may disclose valuable information that could be used to launch a more targeted attack.
  • Build the application’s threat model using the information gathered in this and the previous phase to be used as a plan of attack for later phases of the penetration test
  • Upload vulnerability information to the customer portal for those vulnerabilities that exist but will not be exploited due to time constraints or risk to devices.

Vulnerability Analysis

The vulnerability analysis step involves documenting and analyzing vulnerabilities discovered due to Information Gathering and Threat Modeling. This includes the analysis of output from the various security tools and manual testing techniques.

During the Vulnerability Analysis phase, our penetration testers will:

  • Compile the list of areas of interest and develop a plan for exploitation
  • Search and gather known exploits from various sources
  • Analyze the impact and likelihood for each potentially exploitable vulnerability
  • Select the best methods and tools for properly exploiting each of the suspected exploitable vulnerabilities


Unlike a vulnerability assessment (which is a low cost commodity service and only ever uses automated vulnerability scanning tools), a penetration test takes the additional step of exploitation. Exploitation involves establishing access to the application or connected components by bypassing security controls and exploiting vulnerabilities to determine their real-world risk. Throughout this step, we perform several manual tests simulating real-world exploits incapable of being performed through automated means. During a webapp pentest , the exploitation phase consists of heavy manual testing tactics and is often the most time-intensive phase.

As part of the Exploitation phase, the Hedgehog Security team will:

  • Attempt to manually exploit the vulnerabilities identified in the previous phases to determine the level of risk and level of exploitation possible
  • Capture and log evidence to provide proof of exploitation (images, screenshots, configs, etc.)
  • Notify the client of any Critical findings upon discovery
  • Upload validated exploits and their corresponding evidence/information to the project portal for client review


The reporting step is intended to compile, document, and risk rate findings and generate a clear and actionable report, complete with evidence, for the project stakeholders. The report will be delivered through the customer portal.  If a customer requests, a presentation of findings will occur via an online meeting.

During this phase, our pentest team will perform the following:

  • Ensure all findings have been uploaded to the project portal for client review
  • Create the web application penetration test report, along with evidence. This will go through an internal review process that then is uploaded to the client portal for review
  • Additional meetings may take place to ensure the client understands the findings and recommendations for mitigation or remediation

Webapp Pentest Tools

To perform a comprehensive real-world assessment, our pentest team at Hedgehog Security utilizes commercial tools, internally developed tools, and some of the same tools hackers use on each and every assessment. Once again, we intend to assess systems by simulating a real-world attack, and we leverage the many tools at our disposal to effectively carry out that task.

Automated vs. Manual Testing

Hedgehog Security’s approach consists of about 80% manual testing and about 20% automated testing. The actual values may vary slightly. While automated testing enables efficiency, it effectively provides areas of interest to further explore through manual testing.  At Hedgehog Security, we believe in the technical knowledge and natural inquisitiveness of our penetration testers.  This enables an effective and comprehensive penetration test can only be realised through rigorous manual testing techniques and experience.

Free Remediation Retesting

If there are items you choose to remediate after you received your Web Application Pen Test Report, Hedgehog Security is available to retest those remediations and will issue an updated report. Let us know once you have completed those remediations, and we will schedule your webapp pentest retest.

All Performed Remotely

Traditionally, webapp pentesting have been conducted with an element of onsite work where a our consultant would visit your office and physically connect to the network infrastructure to perform the assessment. With the issues faced around the Coronavirus situation, we have released our client portal, a technology-led alternative to having a consultant visit site.

We are offering a Remote Penetration Test where the whole engagement is performed without the need to visit the customer site. You can either download a Virtual Machine image that can be installed within the corporate network or be shipped a standalone network appliance.

Both solutions create a secure channel to the Hedgehog Security Operations Center where the assigned consultant can then command the image or appliance in the same way as they would if they had their laptop on site.

All data collected during the test is held securely at our ISO27001 certified Security Operations Center allowing the consultant to perform the assessment and upload the results to the client portal.

Explore the demo portal

Use the link in the top right to log into the portal. The credentials are:

Username: demo@democlient.llc
Password: Demo-Password-2021