Web Application Penetration Testing

With this type of service, URM conducts a security review to test the web application from an authenticated perspective.

A web application penetration test is a type of ethical hacking engagement designed to assess the architecture, design and configuration of web applications. This test will review each page within the website to understand if any vulnerabilities exist.

This may involve different levels of access to the application and can vary depending on the functionality of the application.

The penetration test, for example, will identify common web vulnerabilities (e.g. OWASP top 10) using a defined methodology, namely the Open Source Security Testing Methodology Manual (OSSTMM).

Where various access levels are available within the application (e.g. administrator vs standard users), URM performs testing to confirm that the access level does not have access to information outside of their level of privilege or tenant.

URM’s Approach to Web Application Penetration Testing

URM will look to understand the functionality of the application and determine what technologies are used in its delivery. It might be a modern JavaScript based single page application utilising a framework such as React or Angular, or a server-side based application using Python or PHP.

Irrespective of the languages used, URM will look to identify whether the application is susceptible to typical web application flaws.

All of URM’s penetration testing engagement utilise the following methodology:

  1. Pre-Engagement Analysis: URM recommends a kick-off meeting is scheduled where information is sought on the design, architecture and systems (if a grey box test is being conducted).

  2. Publicly Available Intelligence Gathering: This phase of the engagement focuses on identifying (where possible) targets for the testing using passive means or public sources (DNS for example).

  3. Vulnerability Analysis: Understanding and enumerating the networks services that are available to determine vulnerabilities within the current versions of software or any misconfiguration.

  4. Exploitation: Once services have been identified, performing a combination of manual and automated tests to further uncover security vulnerabilities.

  5. Post Exploitation: Analysing the gathered data and results of the various reviews. The analysis includes categorising the detected vulnerabilities and prioritising them against the business and technical context.

  6. Report Documentation: This phase of the engagement will include compiling the results of the penetration testing and providing comprehensive risk-based findings for all issues found. As with all deliverables within URM, the report will be reviewed to ensure quality and accuracy.

What People Say About Us:

“URM were super helpful and knowledgeable, talking and walking me through each one of the tests and providing some useful information on security and how to improve things in the future.”


“I was very impressed with how the process went on testing day and I can’t wait to take other clients through the process with URM.”


“Having never gone through the Cyber Essentials Plus process on behalf of a client I was very impressed with how the process went on testing day and I cant wait to take other clients through the process with URM.”


“This was a great exercise for the business to go through as some gaps were found and URM provided valuable information on remediation.”

Let us know how URM can help you

Consultancy Services

About URM

Follow us on