The Full Range Of Web Risk
We test across the established categories, including common web vulnerability categories listed by OWASP but not confined to them. We probe injection in all its forms - including SQL, NoSQL, XXE, LDAP, ORM, prompt, command, and template injection, as well as file inclusion - as the point where untrusted input crosses a trust boundary. We test for cross-site scripting, cross-site request forgery, and server-side request forgery, the last increasingly potent against cloud-hosted applications that can be coerced into reaching internal metadata services.
Frequently, the most damaging flaws to web applications lie in access control and authentication. We test systematically for broken access control - insecure direct object references that let one user read another's records, missing authorisation on privileged functions, and both horizontal and vertical privilege escalation. And we scrutinise authentication and session management: management of cookies, passwords, tokens, sessions, and validation, and the multi-factor flows so often implemented just incompletely enough to bypass. We examine single sign-on and federated authentication (such as OAuth), and seek to identify areas where their redirect, state, or signature handling may be subtly wrong. This includes assessing JSON Web Token implementations for algorithm-confusion and weak-signing-key flaws. We also probe password reset and account recovery, where predictable tokens and host-header-poisoned reset links are among the most direct routes to full account takeover. We conduct our tests both unauthenticated and, with credentials you provide, authenticated - frequently across several privilege levels, as the worst flaws can concern privilege escalation by users who are already logged-in.
We can further look for web vulnerabilities rooted in the application's business logic itself. We test the application's logic against its intent, with a particular eye for race conditions (such as access before authentication or time-of-check to time-of-use issues). We also focus on testing complex multi-step workflows and finding the states the developers never anticipated - prices and quantities tampered with, mandatory steps skipped or replayed, and discount or referral logic abused in ways no scanner could recognise. Where the application exposes an API, whether REST or GraphQL, we test it as a first-class attack surface in its own right, down to object- and function-level authorisation and the over-fetching that GraphQL introspection so often enables.