Web Application Penetration Testing

Web Application Penetration Testing


Web applications are difficult to secure, making them a prime target for malicious hackers. They require regular, specialized testing to ensure their security. Web application penetration testing is specifically designed to uncover software vulnerabilities in modern web applications and provide recommendations to help improve their security.

Penetration testing tools are most commonly used to test the following types of applications:

  • Custom or “In-House” Web Applications
  • Custom Web Services/APIs (SOAP, REST, etc.)
  • Custom Integrations of Commercial Off-The-Shelf (COTS) Software
  • Application Layer Penetration Test Methodology Overview

With an application-layer web penetration test, Tanner’s Information Security team will help identify both common and application-specific vulnerabilities that exist in custom-developed software.

Our methodology is heavily focused on manual testing and verification techniques. Many application-layer vulnerabilities are the result of logical and systematic flaws in the code that are often overlooked during automated testing procedures. If exploited, these types of vulnerabilities can be the most damaging. This is why most web applications require manual testing.

Tanner’s testing protocol begins with a network/operating system review. This helps verify that underlying systems are configured securely. After performing initial systemwide tests, our penetration testing team zeroes in on the application layer (layer 7). Application layer testing accounts for the majority of the time allocated to application penetration engagements.

Our team first assumes the role of an anonymous attacker who does not have valid credentials to access the application. This is done to determine if the application is accessible to rogue users. Our team then authenticates to the application and determines if valid users can:


  • Exploit vulnerabilities
  • Gain access to the underlying infrastructure
  • Access unauthorized information
  • Escalate vertical privilege

For role-based applications and systems, testing is conducted across all permission levels and authorization policies. This ensures coverage across the entire application and includes in-depth testing of complicated authorization controls.


Penetration Test Deliverable


The deliverable for this engagement consists of a report that highlights the gaps identified in tests, along with Tanner’s prioritized recommendations for remediating the identified risks. The end result is an improvement in the overall security of the application. Our findings take into consideration the size of the company and the sensitivity of its data when determining the importance and urgency of each recommendation.