Web Application Penetration Testing

Find what your scanner can't.

Manual web app pentesting against OWASP ASVS L2/L3. Business logic flaws, multi-tenant isolation, complex auth flows — the bugs scanners miss and consultants charge $80k for.

Coverage
OWASP ASVS L2/L3 alignment
Authenticated & unauthenticated tests
Business logic & multi-tenant isolation
Auth flows: OAuth, SAML, MFA, SSO
Reproducible PoC for every finding
01 // THE GAP

Scanners find injection. Engineers find logic flaws.

Your SAST already catches XSS and SQL injection. The bugs behind real breaches are different: tenant boundary violations, race conditions in business logic, auth bypasses via state confusion. Those need engineers, not regex.

  • Multi-tenant isolation: cross-tenant data leakage
  • Business logic: race conditions, double-spend, state confusion
  • Auth flows: OAuth scope confusion, SAML XML signature wrapping
  • Authorization: BOLA, IDOR, privilege escalation chains
Findings — what scanners miss
CRITICAL  IDOR via tenant_id parameter
  GET /api/v2/orders?tenant_id=42
  → returns other tenants' orders
  // scanner: clean

HIGH      Race condition in payment retry
  POST /pay/retry — no idempotency key
  → 12 charges from 1 click
  // scanner: clean

HIGH      SSRF via webhook URL
  POST /webhooks {"url":"http://169.254.169.254"}
  → AWS IMDS credentials exposed
  // scanner: clean

MEDIUM    JWT alg confusion (RS256 → HS256)
  → public key used as HMAC secret
  // scanner: clean
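The payment-retry race in the findings box above, written out as an added example (not code from this page, from CredShields, or from any tested application): a check-then-charge handler with no idempotency key beside one that requires the key and de-duplicates under a lock. Threads stand in for the concurrent POST /pay/retry requests a tester would release at once from Burp or a script; the gateway, order IDs, amounts and the key name are constructed for illustration.

```python
"""Added example: payment-retry race (no idempotency key) vs. an
idempotency-key fix. Everything here is constructed; the handlers are
not the tested application's code."""
import threading
import time


class FakeGateway:
    """Constructed stand-in for the card processor; records charges."""

    def __init__(self):
        self.charges = []
        self._lock = threading.Lock()

    def charge(self, order_id, amount):
        time.sleep(0.01)  # processor latency widens the race window
        with self._lock:
            self.charges.append((order_id, amount))
            return f"ch_{len(self.charges)}"


class VulnerableRetry:
    """'Is it paid?' then 'charge', with no lock and no idempotency key.
    Every request that races past the check performs its own charge."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.paid = set()

    def retry(self, order_id, amount, idempotency_key=None):
        if order_id in self.paid:  # TOCTOU: check ...
            return "already-paid"
        ref = self.gateway.charge(order_id, amount)  # ... then act
        self.paid.add(order_id)
        return ref


class IdempotentRetry:
    """Requires an Idempotency-Key. The first request to claim the key
    (under a lock) charges; duplicates receive the stored result, or a
    conflict marker while the first is still in flight (an HTTP service
    would answer 409 there). The key de-duplicates retries of one
    click; order-level state still needs its own guard in the store."""

    def __init__(self, gateway):
        self.gateway = gateway
        self._lock = threading.Lock()
        self._results = {}  # idempotency key -> charge ref, None in flight

    def retry(self, order_id, amount, idempotency_key=None):
        if not idempotency_key:
            raise ValueError("Idempotency-Key header required")
        with self._lock:
            if idempotency_key in self._results:
                return self._results[idempotency_key] or "conflict"
            self._results[idempotency_key] = None  # claim the key
        ref = self.gateway.charge(order_id, amount)
        with self._lock:
            self._results[idempotency_key] = ref
        return ref


def fire_concurrent(handler, n, **request):
    """Release n identical retries at the same instant (the single-packet
    trick, in-process) and return how many charges the gateway saw."""
    barrier = threading.Barrier(n)

    def worker():
        barrier.wait()
        handler.retry(**request)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(handler.gateway.charges)


if __name__ == "__main__":
    req = dict(order_id="ord_1", amount=4999, idempotency_key="k-1")
    vuln = fire_concurrent(VulnerableRetry(FakeGateway()), 12, **req)
    fixed = fire_concurrent(IdempotentRetry(FakeGateway()), 12, **req)
    print(f"no idempotency key: {vuln} charges from 12 concurrent retries")
    print(f"idempotency key:    {fixed} charge from 12 concurrent retries")
```

The vulnerable count varies with scheduling but is reliably greater than one; the idempotent handler charges exactly once no matter how many copies of the request arrive. In a real service the claim step must be atomic in the shared store (a unique constraint or SETNX), not a process-local lock, or the race simply moves to the second instance.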
02 // METHODOLOGY

OWASP ASVS, but actually executed.

Most vendors claim ASVS alignment and run a scanner. We execute every applicable verification requirement manually, document the test, and provide pass/fail evidence. Your auditor gets a real ASVS coverage map, not a checkbox.

  • ASVS L2/L3 verification requirement coverage
  • PTES methodology for execution
  • MITRE ATT&CK mapping in findings
  • CVSS 3.1 scoring with environmental adjustments
ASVS coverage map (excerpt)
V1  Architecture          28/28 ✓
V2  Authentication        52/52 ✓
V3  Session Management    22/22 ✓
V4  Access Control        21/22 — 1 fail
V5  Validation/Encoding   37/37 ✓
V6  Stored Cryptography   14/14 ✓
V7  Error Handling         9/9  ✓
V8  Data Protection       10/12 — 2 fail
V9  Communications        11/11 ✓
V10 Malicious Code         9/9  ✓
V11 Business Logic        11/13 — 2 fail
V12 Files / Resources     11/11 ✓
V13 API / Web Service     21/21 ✓
V14 Configuration         11/11 ✓

→ 5 fails. 3 critical, 2 high. PoCs included.

What we test

End-to-end web application surface.

Authentication

OAuth 2.0 / OIDC, SAML, MFA flows, password reset, account recovery, session fixation.

Authorization

RBAC / ABAC, BOLA, IDOR, privilege escalation chains, multi-tenant isolation.

Injection

SQLi, NoSQLi, command injection, template injection, LDAP injection, XPath.

Business logic

Race conditions, state machine flaws, double-spend, replay attacks, workflow bypass.

Client-side

XSS (stored, reflected, DOM), CSRF, clickjacking, prototype pollution, supply chain.

Data exposure

Sensitive data in URLs, logs, error messages, debug endpoints, backup files.

Engagement Model

Fixed-fee. Scope-based. No surprise hours.

Web app pentests are fixed-fee engagements scoped after a 30-minute discovery call. One free retest within 90 days is included on every engagement. Typical mid-size SaaS web app: 2-3 weeks, $22k-$48k. Complex multi-tenant or finance-grade apps: 3-4 weeks, $48k-$120k. We provide an exact written quote before contracting, so there are no engineer-hour billing surprises.

Deliverables

What you receive at engagement end.

Full pentest report

Executive summary, methodology, findings with severity (CVSS 3.1) and reproduction, ASVS coverage matrix, remediation guidance. Audit-ready PDF + machine-readable JSON.

Reproducible PoC for every finding

Step-by-step reproduction. Burp project file. cURL commands. Where useful, a Python script. Your engineers can verify and re-verify independently.

ASVS coverage matrix

Full OWASP ASVS L2/L3 verification map showing pass / fail / not applicable for every requirement. Auditors accept this directly as evidence.

One free retest within 90 days

After you fix the findings, ping us. We re-verify within 72 hours and update the evidence trail. No new SOW, no new invoice.

Sample Finding

What a finding looks like.

Critical · CVSS 9.1
Multi-tenant isolation bypass via tenant_id parameter

Endpoint: GET /api/v2/orders?tenant_id={id}
Issue: The orders endpoint accepts a tenant_id parameter that is not validated against the authenticated user's tenant association. By substituting another tenant's ID, any authenticated user can enumerate orders belonging to other tenants.
Reproduction:
  1. Authenticate as a user belonging to tenant A.
  2. Request /api/v2/orders?tenant_id=42 (tenant B).
  3. Response contains tenant B's order records.
Impact: Cross-tenant data exposure. Estimated 14M order records enumerable across 1,200+ tenants.
Remediation: Remove the tenant_id parameter entirely. Derive tenant from the authenticated session's claim. Add backend authorization check on every multi-tenant resource.
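The sample finding and its remediation, as an added example that is not code from this page, from CredShields, or from the tested application: the handler that trusts ?tenant_id= beside the fixed handler that derives the tenant from the session claim, plus the check a tester runs against both. It is framework-free so it runs offline; the in-memory orders table, the sessions, and the tenant numbers (7 for the attacker's tenant, 42 from the finding) are constructed for illustration.

```python
"""Added example: tenant_id bypass on GET /api/v2/orders and the fix.
Constructed data throughout; not the tested application's code."""
from dataclasses import dataclass

# Constructed orders table: tenant 7 is the attacker's own tenant,
# tenant 42 is the victim from the sample finding.
ORDERS = [
    {"tenant_id": 7, "order_id": 1001, "amount": 120},
    {"tenant_id": 7, "order_id": 1002, "amount": 55},
    {"tenant_id": 42, "order_id": 2001, "amount": 999},
]


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: int  # tenant claim set by the auth layer at login


class Forbidden(Exception):
    """Stands in for a 403 response."""


def list_orders_vulnerable(session, params):
    """As the finding describes: the session only proves that someone is
    logged in; the tenant comes from client-controlled ?tenant_id= and is
    never compared with the session, so any user reads any tenant."""
    tenant = int(params.get("tenant_id", session.tenant_id))
    return [o for o in ORDERS if o["tenant_id"] == tenant]


def list_orders_fixed(session, params):
    """The remediation: tenant is derived from the session claim and the
    parameter is no longer an input. One step beyond merely dropping it,
    a tenant_id that disagrees with the session is refused, so probing
    shows up as a 403 in the logs instead of a silently ignored field."""
    supplied = params.get("tenant_id")
    if supplied is not None and int(supplied) != session.tenant_id:
        raise Forbidden(f"{session.user} requested tenant_id={supplied}")
    return [o for o in ORDERS if o["tenant_id"] == session.tenant_id]


def cross_tenant_leak(handler, attacker, victim_tenant_id):
    """The tester's check: authenticated as `attacker`, request the victim
    tenant and report whether any row outside the attacker's tenant
    comes back. A 403 counts as no leak."""
    try:
        rows = handler(attacker, {"tenant_id": str(victim_tenant_id)})
    except Forbidden:
        return False
    return any(o["tenant_id"] != attacker.tenant_id for o in rows)


if __name__ == "__main__":
    alice = Session("alice (tenant A)", 7)
    print("vulnerable handler leaks tenant 42:",
          cross_tenant_leak(list_orders_vulnerable, alice, 42))
    print("fixed handler leaks tenant 42:     ",
          cross_tenant_leak(list_orders_fixed, alice, 42))
```

The same `cross_tenant_leak` shape, driven by two real sessions over HTTP instead of an in-memory handler, is how the boundary gets probed endpoint by endpoint: every object reference, filter and foreign key that accepts a tenant-scoped value is requested with the other tenant's value and the response is checked for foreign rows.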

Frequently Asked Questions

Common questions, answered.

How long does a web app pentest take?
Typical engagement is 2-3 weeks for a mid-size SaaS application. Larger apps with complex multi-tenancy or extensive auth flows may run 3-4 weeks. Engagements over 6 weeks are rare and usually indicate a scoping error — we provide an exact estimate after a discovery call.
Black box, grey box, or white box?
Grey box by default — we get test accounts at multiple permission levels but no source code. Source-code-assisted (white box) is available and recommended for first-time engagements; we usually find more in the same time. Pure black box is available but rarely the best use of budget.
Do you test in production?
Staging by default, with isolated test accounts. Production testing only happens with explicit scope, off-hours windows, and rollback plans. We don't run unverified payloads against your production database.
What's in the report?
Executive summary, ASVS coverage matrix, full findings (severity, CVSS, reproduction steps, fix guidance, references), and a remediation roadmap. Auditor-ready PDF and machine-readable JSON both delivered within 5 business days of engagement completion.
How much does a web app pentest cost?
Mid-size SaaS engagements typically run $22k-$48k. Larger enterprise apps with complex multi-tenancy and many user roles run $48k-$120k. Pricing is fixed-fee scoped before signing — no engineer-hour metering, no surprise change orders.
Will the pentest impact my production users?
Engagements are conducted on staging environments by default. If production testing is in scope, we run during agreed-upon windows with rollback plans, throttled traffic, and active coordination with your on-call team. We don't disrupt real users.
Do you provide retests after we fix findings?
Yes — one free retest within 90 days of report delivery is included with every engagement. Subsequent retests are billed at a reduced engineer-day rate. Continuous AppSec clients get unlimited retests.
What if you find a critical issue mid-engagement?
Critical-severity findings (RCE, auth bypass, mass data exposure) are disclosed same-day via Slack or phone, not held back for the final report. We coordinate with your team on disclosure timing and remediation.
Can the report be public?
Public release is at your discretion. Many of our clients publish sanitized versions as a trust signal — see Recently Audited for examples. We sign your specific NDA and follow your disclosure policy.
Do you sign customer-specific NDAs and DPAs?
Yes. We sign customer NDAs, DPAs, and security questionnaires as part of standard onboarding. Most legal-review cycles complete in 5-10 business days.
How do you compare to Cobalt, HackerOne, Synack, or NetSPI?
We're closest to NetSPI in approach — senior-engineer manual pentesting with a continuous engagement option. Cobalt and HackerOne lean toward crowdsourced models with variable-quality testers. Synack sits in between. Direct comparison conversations available on request — happy to walk through specifics.
How is web app pentesting different from a vulnerability scan?
A vulnerability scan is automated and finds known patterns — outdated libraries, missing security headers, basic injection attempts. A pentest is a manual exercise where engineers chain weaknesses into actual exploits, find business logic flaws scanners can't detect (race conditions, multi-tenant isolation breaks, auth state confusion), and validate every finding with a working PoC. Most modern breaches involve flaws scanners can't see.
Can your pentest satisfy our SOC 2 / ISO 27001 / PCI requirement?
Yes. SOC 2 CC7.1 (detection of vulnerabilities), ISO 27001 A.12.6.1 (management of technical vulnerabilities; A.8.8 in the 2022 edition), and PCI DSS Requirement 11.3 (11.4 in v4.0) are the controls auditors expect periodic penetration testing to evidence. Our reports are pre-mapped to these controls and accepted by major audit firms. See our Compliance Readiness page for the full coverage matrix.
Do you test multi-tenant isolation specifically?
Yes — and it's one of the most common high-impact findings we surface. We obtain test accounts at multiple tenants and tier levels, then systematically probe every cross-tenant boundary: object references, foreign keys, search filters, file paths, signed URLs, websocket subscriptions. For SaaS apps, this is usually the most critical part of the engagement.
What's the difference between OWASP ASVS L2 and L3?
L2 is the standard for most production applications handling sensitive business data — what most SaaS companies need. L3 is for applications with stricter requirements: financial services, healthcare PHI, government systems. L3 adds requirements around cryptography, hardened deployment, and stronger session management. We default to L2 unless your industry or contract requires L3.
What if you find nothing critical?
It happens — usually with mature security programs. A clean pentest with documented methodology and ASVS coverage is excellent audit evidence. We'll surface medium and low findings, identify hardening opportunities, and recommend coverage improvements for next engagement. You don't pay for findings; you pay for thorough testing.
Ready to ship secure?
Talk to a senior engineer. No SDR script, no slide deck — just a working session about your stack.

What is web application penetration testing

Manual security testing of your web app, by senior engineers.

Web application penetration testing is the controlled, manual security assessment of a web-facing application — its frontend, backend, APIs, authentication flows, authorization model, and business logic — to identify vulnerabilities before attackers do. Unlike automated vulnerability scanning, a real pentest is conducted by experienced security engineers who exercise creative attack patterns that scanners can't model.

The engagement combines automated tools (DAST scanners, fuzzers, proxy interceptors like Burp Suite) with deep manual analysis. Senior engineers walk authenticated and unauthenticated paths, test access control at the object and function levels, exercise auth flows like OAuth 2.0 and SAML against XML signature wrapping and token confusion, and probe business logic for race conditions, replay attacks, and state-machine flaws.

Most modern web app vulnerabilities — IDOR, BOLA, SSRF, JWT alg confusion, multi-tenant isolation bugs, OAuth scope confusion — are findings that automated tools either miss completely or generate as low-confidence noise. A web pentest is the workstream where those findings actually surface.

  • Aligned to OWASP ASVS L2 / L3 verification standard
  • Uses Burp Suite Pro, OWASP ZAP, Caido, semgrep, and proprietary tooling
  • Black-box, grey-box, and white-box engagement options
  • Reproducible PoC delivered for every finding — no theoretical vulnerabilities

Pricing & timeline

Fixed-fee engagements, scoped before signing.

Web app pentests are billed as fixed-fee engagements scoped after a discovery call — no engineer-hour metering. Pricing scales with application surface (endpoints, user roles, third-party integrations) rather than time spent. Most engagements complete within 2-4 weeks.

Typical engagement length
2-4 weeks
Engagement size (mid-size SaaS)
$22k - $48k
Engagement size (large enterprise)
$48k - $120k
Re-tests included
One free retest within 90 days
Report delivery
PDF + JSON within 5 business days of completion
Critical-finding alerts
Same-day disclosure during engagement

Deliverables

What you get from a CredShields web pentest.

PAGE 1
Executive summary

1-page risk overview written for non-technical stakeholders. Suitable for board reporting and customer security questionnaires.

ASVS
ASVS coverage matrix

Pass/fail evidence per OWASP ASVS verification requirement. Auditors love this — it converts directly to control evidence.

PER-FINDING
Detailed findings

Each finding includes severity (CVSS 3.1 base score with environmental adjustments), affected component, reproduction steps, PoC payload, and remediation guidance with code examples.

EXECUTABLE
Reproducible PoCs

Working exploit code or curl commands for every issue. Your engineers can verify and validate without being security experts.

MULTI-FRAMEWORK
Compliance mapping

Findings mapped to SOC 2 CC6.1/6.6/7.1/7.2, ISO 27001 A.12.6.1/A.14.2.8 (2013 numbering; A.8.8/A.8.29 in the 2022 edition), PCI DSS Req 6/11.3 (v3.2.1 numbering; 11.4 in v4.0), HIPAA 164.308/164.312.

INCLUDED
Remediation review call

60-minute walkthrough with the senior pentester. Bring your engineering team, ask questions, plan remediation in real time.

Buyer's guide

Manual web pentest vs. automated alternatives.

Criterion                          | DAST scanner                      | Bug bounty                 | Manual web pentest
Finds business logic flaws         | No                                | Sometimes                  | Yes — primary value
Finds multi-tenant isolation bugs  | Almost never                      | Possibly                   | Yes — methodical coverage
Finds auth bypass / SAML / OAuth   | No                                | Hit-or-miss                | Yes — explicit test plan
False positive rate                | High (often 30-50%)               | Low (validated by hunter)  | Zero — engineer-validated
Compliance acceptance              | Insufficient alone for SOC 2/ISO  | Mostly insufficient        | Standard evidence
Cost                               | Low ($5k-$20k/yr)                 | Variable, hard to predict  | Mid ($22k-$120k/engagement)
Ready When You Are

The pentest your auditor will accept.
The findings your engineers will fix.

Continuous AppSec for SaaS, fintech, and regulated industries. Talk to a senior engineer — no SDR script, no slide deck, just a working session about your stack.

Fixed-Fee Pricing
No engineer-hour billing
Audit-Ready by Default
SOC 2, ISO, PCI, HIPAA
Engineer-Validated
Not scanner output