Service Summary

Web Application Penetration Testing
Security is a Process, Not a Product

We specialize in e-commerce and web application penetration testing, either based on the PCI DSS requirements or addressing the specific risk concerns of our clients. Our tests cover script injection, broken authentication, cross-site scripting, insecure object references and other similar vulnerabilities. We base our testing methodology on the OWASP testing guidelines, the globally leading source for web application security management, recognized by the EC-Council.


Process Description

The initial preparation covers the test scope, the testing hours and the testing techniques to use. The scope is the set of critical systems that management has decided to test and prepare against malicious attack scenarios. Testing usually takes place during off-peak hours, from 8PM to 6AM, so that there are no noticeable processing disruptions. In many cases the penetration tests are run on a test environment before the systems "go live" for public use. The techniques used during the testing are also an important factor, as different clients and standards require different tests to be run.

Once these terms are agreed, the penetration test can begin. The web application security test can be broken into eleven categories:

  • Information Gathering
  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Input Validation Testing
  • Error Handling
  • Cryptography
  • Business Logic Testing
  • Client Side Testing

Each phase is tested with the corresponding tools described in the OWASP Testing Guide, to verify that all 91 control objectives are implemented to protect the privacy, integrity, confidentiality, availability and security of the web platform and its data. The deliverable is a detailed report listing all application-layer vulnerabilities found, their impact, and recommendations for their resolution.


NetSafety is a global information security consulting firm headquartered in Sofia, Bulgaria, with partner offices in Johannesburg, South Africa. Many successful projects across Europe, the UK, Africa and Australia provide a proven professional track record and guarantee the high quality of our services.

Simply call us to schedule a meeting and discuss your business needs.

NetSafety (EU)


(+359) 88 9387598
(+359) 87 9387500

Office location:
Sofia, Bulgaria


NetSafety (South Africa)


(+27) 72 2870170
(+27) 11 0783672

Office location:
Johannesburg, South Africa