What Is a Web Application Penetration Test?
A Web Application Penetration Test (web pentest) is a simulated attack against publicly or privately accessible websites and applications, designed to identify security weaknesses using the same techniques employed by real-world threat actors.
In short, it involves ethically "hacking" your site or app before an actual attacker does. Based on the findings, we provide specific, actionable recommendations to mitigate or eliminate the vulnerabilities.
What Do We Test During a Web Application Penetration Test?
We evaluate two core areas, starting with the OWASP Top 10 (2021):
- Broken Access Control: Improper enforcement of user permissions can allow attackers to access unauthorized data or functionality.
- Cryptographic Failures: Weak or missing encryption can expose data in transit or at rest to attackers.
- Injection: Exploits such as SQL, NoSQL, Command, or LDAP injection can allow attackers to manipulate backend systems.
- Insecure Design: Lack of secure design practices from the beginning of the development lifecycle leaves applications vulnerable by default.
- Security Misconfiguration: Default settings, open cloud storage, verbose error messages, and outdated components introduce risk.
- Vulnerable and Outdated Components: Use of outdated libraries, frameworks, or OS components exposes systems to known exploits.
- Identification and Authentication Failures: Weak session handling or authentication flaws can lead to account takeovers and impersonation.
- Software and Data Integrity Failures: Poor update validation and insecure deserialization can lead to remote code execution.
- Insufficient Logging and Monitoring: Without proper logging, breaches go undetected for months and attackers retain persistence.
- Server-Side Request Forgery (SSRF): Improperly validated user-supplied URLs can coerce the server into making requests on the attacker's behalf, allowing interaction with internal systems.
The second set of tests goes beyond OWASP, targeting advanced vulnerabilities such as:
- Authentication Vulnerabilities
- Directory Traversal
- Business Logic Flaws
- Information Disclosure
- Access Control Issues
- File Upload Vulnerabilities
- XXE (XML External Entity)
- CSRF (Cross-Site Request Forgery)
- IDOR (Insecure Direct Object Reference)
- CORS Misconfigurations
- XSS (Cross-Site Scripting)
- Clickjacking
- DOM-Based Issues
- WebSocket Security
- Insecure Deserialization
- Server-Side Template Injection
- Web Cache Poisoning
- HTTP Host Header Injection
- HTTP Request Smuggling
- OAuth Flaws
- Subdomain Takeover
How much does a web pentest cost?
We offer packages for SMBs starting at $30,000 MXN. Pricing depends on the application's size, technology stack, and overall complexity.
What are the deliverables?
We deliver two comprehensive reports:
- Executive Report: Tailored for non-technical leadership, this report summarizes key risks and recommendations in business language to support informed decision-making.
- Technical Report: Delivered to your IT/security team, it provides a detailed breakdown of each vulnerability found, proof-of-concept examples, and remediation guidance.
Our value goes beyond documentation. We work to understand your systems and goals, offer hands-on support, and provide continuous follow-up. Clients also gain access to our monthly cybersecurity newsletter, offering alerts, training resources, and partner discounts.
Where Do We Operate?
We are based in Mexico City, but we deliver remote testing services throughout Mexico wherever secure remote access or a virtual environment is available.
Do You Serve Clients Outside of Mexico?
Yes. We have conducted pentests across Latin America, the U.S., Europe, and Asia.