
Web Application Security

Web Application Penetration Testing. No Vulnerability Undetected.

OWASP Top 10:2021, API Security, Business Logic - OSWA-certified experts find what automated scanners miss. Fixed-price quote in 24h.

OWASP Top 10:2021 · ISO 27001 · Free Retest Included · OSWA-Certified

Trusted by our clients

  • 500+ Web App Pentests Completed
  • 94% of applications with vulnerabilities (OWASP 2021)
  • 24h to Fixed-Price Quote
  • 100% manually verified findings

OWASP Top 10:2021

We test all critical vulnerability classes

The OWASP Top 10 standard defines the most common and critical security risks in web applications. Our test covers all ten categories fully - every finding manually verified, no noise in the report.

A01 Critical

Broken Access Control

We test authorization checks at all levels: horizontal and vertical privilege escalation, IDOR, misconfigured CORS, and missing access control on API endpoints.

A02 Critical

Cryptographic Failures

We analyze TLS configuration, encryption of sensitive data (at rest and in transit), weak algorithms, flawed key generation, and insecure password storage.

A03 Critical

Injection

SQL, NoSQL, OS, LDAP, and XPath injection. All input parameters tested for missing validation and parameterization - in forms, API parameters, and HTTP headers.

A04 High

Insecure Design

We analyze architectural decisions for missing security controls: insecure password reset flows, missing rate limiting, and weak tenant separation.

A05 High

Security Misconfiguration

HTTP security headers, cloud storage permissions, debug mode in production, unnecessary features, and default credentials. We systematically review the entire server configuration.

A06 Medium

Vulnerable Components

We inventory all libraries, frameworks, and components used and cross-reference against known CVEs - including transitive dependencies in frontend and backend.

A07 High

Auth Failures

Session management, brute force protection, secure token generation, MFA bypass, credential stuffing, flawed logout implementation, and JWT security are fully tested.

A08 High

Software & Data Integrity

Deserialization vulnerabilities, insecure CI/CD pipelines, missing code signing, and supply chain risks in dependencies. We also test update mechanisms for tampering.

A09 Medium

Logging Failures

We verify that security-relevant events (failed logins, access attempts on sensitive data) are logged and that logs are protected against tampering. SIEM integration is evaluated.

A10 High

SSRF

Server-Side Request Forgery: We test whether attackers can force the server to make requests to internal services, metadata endpoints (AWS IMDS), or other internal systems.

All ten categories are tested manually - no automated scanning. Request a sample report

Methodology

Black-Box, Grey-Box, or White-Box?

Each pentest approach simulates a different attacker perspective. We advise you on which approach delivers the most value for your specific use case.

Black-Box Test

No prior knowledge, no access - our testers start like an external attacker from the internet. We conduct full reconnaissance and attempt to gain access independently.

Best suited for:

  • Realistic attacker simulation
  • External attack surface assessment
  • Compliance evidence (PCI DSS)
Grey-Box Test (Recommended)

We receive test credentials and basic application architecture information. This enables more efficient, deeper analysis - with the best balance of coverage and cost.

Best suited for:

  • Maximum coverage within budget
  • Testing authenticated features
  • NIS-2 and GDPR Article 32

White-Box Test

Full access to source code, architecture documentation, and configurations. Enables the deepest analysis including code review, logic flaws, and configuration-based vulnerabilities.

Best suited for:

  • Deepest vulnerability coverage
  • Critical custom-developed systems
  • Combined secure code review

API Pentest

Targeted Testing of REST and GraphQL APIs

Modern web applications are API-first. Many security vulnerabilities don't originate in the user interface but in the backend APIs that power it. We test following the OWASP API Security Top 10.

Authentication & Authorization

JWT token manipulation, OAuth flows, flawed scope validation, API key leakage in responses, BOLA (Broken Object Level Authorization), and BFLA (Broken Function Level Authorization).

Rate Limiting & Input Validation

Missing rate limiting (brute force on login endpoints), mass assignment, injection at query level, flawed input validation in JSON payloads, and parameter pollution.

Business Logic & GraphQL

Testing multi-step processes (order flows, payment processes), race conditions, GraphQL introspection, batching attacks, query depth, and field suggestion vulnerabilities.

OWASP API Security Top 10 - Our Test Catalog

  1. API1 Broken Object Level Authorization Critical
  2. API2 Broken Authentication Critical
  3. API3 Broken Object Property Level Authorization High
  4. API4 Unrestricted Resource Consumption High
  5. API5 Broken Function Level Authorization High
  6. API6 Unrestricted Access to Sensitive Business Flows Medium
  7. API7 Server-Side Request Forgery High
  8. API8 Security Misconfiguration High
  9. API9 Improper Inventory Management Medium
  10. API10 Unsafe Consumption of APIs Medium

What we typically find in web apps

Anonymized examples from real web application pentests

Critical CVSS 9.8 · A03 Injection

SQL Injection in search function enables complete database exfiltration

Due to missing parameterization in the search query, an attacker can read the entire database without authentication - including password hashes, personal data, and internal configuration. Reproduced with a single HTTP request.

High CVSS 8.1 · A03 Injection

Stored Cross-Site Scripting (XSS) in comment field - session hijacking possible

Missing output encoding allows persistent injection of JavaScript code. All users viewing the content are affected. Attackers can steal session cookies, inject phishing content, or execute further attacks on other users.

High CVSS 7.5 · A01 Access Control

Insecure Direct Object Reference (IDOR) - access to other users' data

The API does not verify whether the requested resource belongs to the authenticated user. By simply incrementing ID parameters in API requests, a logged-in user can access the data of any other user.
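The ownership check this finding describes, as an added example that is not code from the page or from AWARE7: a lookup that only filters by id beside the hardened one that binds the owner from the server-side session, run against a constructed in-memory SQLite table, plus a small regression check that walks a contiguous id range the way the finding does. Table, column and function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data: invoices belonging to two different users.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(100, 1, 19.90), (101, 2, 250.00), (102, 1, 42.00)])
    return db


def get_invoice_vulnerable(db, session_user_id, invoice_id):
    # The row is selected by id alone; the authenticated user's identity never
    # enters the predicate, so any logged-in user can read any invoice (IDOR/BOLA).
    return db.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?",
        (invoice_id,)).fetchone()


def get_invoice_hardened(db, session_user_id, invoice_id):
    # Ownership is part of the query predicate and is bound from the server-side
    # session, never from a client-supplied value. A non-owner receives the same
    # "not found" result as a non-existent id, so the response does not leak
    # whether the id exists.
    return db.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session_user_id)).fetchone()


def disclosed_ids(handler, db, session_user_id, start, end):
    # Regression check for the fix: try every id in the range as this user and
    # report which ones the handler returns. Only the user's own ids should appear.
    return [i for i in range(start, end + 1)
            if handler(db, session_user_id, i) is not None]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", disclosed_ids(get_invoice_vulnerable, db, 1, 100, 102))
    print("hardened:  ", disclosed_ids(get_invoice_hardened, db, 1, 100, 102))
```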

Medium CVSS 5.4 · A07 Auth Failures

Missing brute force protection on login endpoint - account takeover via credential stuffing

The login endpoint is not protected by rate limiting, account lockout, or CAPTCHA. Attackers can apply known password lists against all user accounts with automated tools. Combined with public data breaches, this significantly increases the risk.

On average, we find 2-4 critical vulnerabilities per web app pentest. Request a sample report

What does a web app pentest cost?

No hidden costs. No hourly rates. Fixed-price quote in 24 hours.

Single-Page App

from EUR 5,000

5-7 business days

  • OWASP Top 10
  • Up to 3 user roles
  • Free retest included
Complex Web App (Popular)

from EUR 8,000

8-12 business days

  • OWASP Top 10 + API Sec.
  • Multiple roles + workflows
  • Business logic testing
  • Free retest included

Enterprise + API

from EUR 12,000

10-15 business days

  • Multiple microservices
  • REST + GraphQL APIs
  • SARIF output for CI/CD
  • Free retest included

Custom

On Request

White-box, code review, retainer

Discuss Scope

Includes management summary, CVSS ratings, and free retest. All prices ex. VAT.

Web App Pentest Retainer - plannable, regular, cost-effective

Quarterly tests at reduced rates - ideal for organizations that want to test after every major release, or for NIS-2 and PCI DSS compliance.

Inquire About Retainer

Compliance

Your web app pentest meets regulatory requirements

Our report is designed as compliance evidence covering the requirements of the most important regulations.

NIS-2 Directive

The NIS-2 Directive requires technical security measures including penetration testing for essential and important entities. Our report is designed as regulatory compliance evidence.

GDPR Article 32

GDPR Article 32 requires appropriate technical and organizational measures. Regular web app pentests are recognized as state-of-the-art and strengthen your legal position in data protection audits.

PCI DSS Req. 11.4

PCI DSS v4.0 Requirement 11.4 mandates regular penetration tests for merchants and service providers handling card data. Our report meets PCI DSS reporting requirements.

DORA Art. 26/27

The DORA regulation has required threat-led penetration testing (TLPT) for financial entities since January 17, 2025. Our approach follows TIBER-EU guidelines.

Why AWARE7 for Your Web App Pentest

What sets us apart from other providers

Pure awareness platforms don't test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your employees - tailored to mid-sized companies, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and the BMBF. Our studies analyze millions of websites and tens of thousands of phishing e-mails - published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are permanently employed (subject to social insurance) and uniformly bound by the same legal obligations. VS-NfD-compliant on request.

Fixed price in 24h - plannable project timelines

Within 24 hours you receive a binding fixed-price quote - no hourly-rate risk, no additional charges, no surprises. A well-rehearsed team and standardized processes give you a clear schedule with a defined start and end date.

Your dedicated contact - reachable at any time

A personal project manager accompanies you from the initial consultation to the retest. You book appointments directly with your contact - no ticket systems, no call center, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mid-sized companies with 50–2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Who need to make a convincing internal case - and need a report written in board language for that, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognized OWASP LLM security standard.

BSI · Allianz für Cyber-Sicherheit

Management of Cyber Risks (Management von Cyber-Risiken)

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for corporate management (German version).

Three Steps to Your Web App Pentest

No lengthy procurement process. You talk to us - and we get started.

1. Initial Consultation

30 minutes, free of charge. We clarify scope, methodology, roles, and timeline for your web application.

2. Fixed-Price Quote in 24h

Binding, transparent, no hidden costs. You decide at your own pace - no pressure.

3. Pentest Begins

Our OSWA-certified team gets started. You receive ongoing updates and the report with a debrief session.

Frequently Asked Questions about Web App Pentesting

We test all ten OWASP Top 10:2021 categories: Broken Access Control, Cryptographic Failures, Injection (SQL, NoSQL, LDAP, OS), Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Authentication and Session Failures, Software and Data Integrity Failures, Logging and Monitoring Failures, and Server-Side Request Forgery. Additionally, we test business logic flaws that no automated scanner can detect: Race Conditions, IDOR, multi-step process errors, and application-specific privilege escalation issues.

A vulnerability scanner lists known, technical weaknesses based on CVE databases - typically with 30-70% false positives. Our pentest goes significantly further: every vulnerability is manually verified with a reproducible proof-of-concept. We chain multiple individual vulnerabilities into real attack paths, test business logic flaws, and find weaknesses no automated tool can detect - such as IDOR in broken authorization checks or session token leakage in JavaScript bundles.

Duration depends on scope and complexity. A single-page application with limited backend typically takes 5-7 business days. A complex web application with multiple roles, complex workflows, and extensive APIs needs 8-12 business days. Enterprise applications with multiple microservices and APIs require 10-15 business days. We clarify the exact timeline in a free initial consultation and you receive a binding fixed-price quote within 24 hours.

Yes, API security is a core part of our web app pentest. We test REST and GraphQL APIs for: broken authentication and authorization, missing rate limiting and throttling, insecure direct object references (BOLA/IDOR), excessive data exposure, mass assignment vulnerabilities, GraphQL introspection risks, injection attacks at the query level, and flawed error handling with information disclosure. We follow the OWASP API Security Top 10.

Yes. We support both one-time pentests and regular security testing cycles as part of a retainer. For DevSecOps integration, we provide structured findings in SARIF format, which can be integrated directly into GitHub Advanced Security, GitLab SAST, and Azure DevOps. We recommend at minimum annual pentests plus additional tests after major releases or architecture changes.

Yes. Our pentest price always includes a free retest. After you have remediated the vulnerabilities we identified, we specifically verify the effectiveness of the implemented fixes. The retest result is documented in the final report, so you can demonstrate to auditors and regulators that all findings have been addressed.

In a black-box test, our tester starts with no prior information - exactly like an external attacker. In a grey-box test, we receive credentials and basic information about the application architecture, enabling more efficient coverage. In a white-box test, we have full access to source code, architecture documentation, and system configurations. For most web applications, we recommend the grey-box test as it provides the best balance of coverage depth and cost.

Our report has two parts: the Management Summary (1-2 pages, non-technical, for executives and oversight bodies) and the technical section with all findings. Each finding includes: CVSS 3.1 score with vector string, vulnerability description, reproducible proof-of-concept with screenshots, affected endpoints and parameters, concrete remediation recommendation, and a business risk assessment. On request, we provide an anonymized sample report.

Preparation is minimal. We need: test credentials for all relevant user roles, the test URL or access to a staging environment (production is possible but coordinated), and optionally a brief description of core features. We recommend creating a complete snapshot or backup of the test environment. Our project management sends you a structured checklist in advance so nothing is forgotten.

For NIS-2-affected organizations, penetration analyses are explicitly required. Under GDPR Article 32, a pentest documents your technical and organizational security measures. For PCI DSS, regular web app pentests are prescribed under Requirement 11.4. For DORA (financial entities), threat-led penetration testing is required under Articles 26 and 27. Our report is structured to serve directly as evidence for regulators, auditors, and certification bodies.

Have your web application professionally tested for vulnerabilities

94% of web applications have security vulnerabilities (OWASP Top 10, 2021). Find them before attackers do - with OSWA-certified experts and a fixed-price commitment.

Free · 30 minutes · No obligation

ISO 27001:2022
ISO 9001:2015
OSCP · OSWA · OSWP
100% Germany-based