OSCP & eWPTxv2 certified

Web Application
Penetration Test, manual, thorough, actionable.

A manual web application pentest based on OWASP Top 10, business logic and API abuse. Not an automated scanner you could have run yourself — a real tester who breaks into your application the way an attacker would. Want to see the broader picture first? Check the penetration testing page for scope categories, pricing model and the full process.

  • Fixed price based on scope
  • Retest included
  • NDA as standard
  • Response within 1 business day

What gets tested

OWASP Top 10, and everything a scanner misses.

Automated scanners find known vulnerabilities with known signatures. What they miss: business logic flaws, authorisation bypasses, multi-step exploitation and vulnerabilities that arise from combining several weaknesses. Resync tests the categories below manually, in depth and in the context of your application.

Authentication & session management

  • Password and MFA implementation, brute-force protection and account lockout
  • Session token entropy, lifecycle, fixation and hijacking scenarios
  • OAuth/OIDC flows and token storage (cookies, localStorage, refresh)
  • Password reset flows and account recovery abuse

Authorisation & access control

  • Insecure Direct Object References (IDOR), horizontal and vertical escalation
  • Role-based access control (RBAC) bypasses at API and UI level
  • Tenant isolation in multi-tenant SaaS environments
  • Admin endpoints accidentally publicly reachable

Injection & input validation

  • SQL injection (classic, blind, second-order, NoSQL)
  • Cross-Site Scripting (reflected, stored, DOM-based)
  • Command injection and server-side template injection
  • XML External Entity (XXE) and deserialization vulnerabilities

API & backend

  • REST API endpoints for authentication, authorisation and rate limiting
  • GraphQL introspection, query depth and field-level authorisation
  • Mass assignment and parameter pollution
  • Server-Side Request Forgery (SSRF) against internal services

Business logic

  • Race conditions in payment, voucher or registration flows
  • Price manipulation, discount abuse and negative-quantity exploits
  • Workflow bypasses (skipping steps, manipulating status)
  • Logic flaws unique to your application domain

The difference

Manual test vs. automated scan.

An automated scanner is a good starting point, but it is not a pentest. Here is what scanners do and what they miss:

What a scanner finds

Known CVEs, missing headers, outdated libraries, default credentials, simple XSS payloads. Useful, but known to everyone including your IT provider.

What Resync finds

Authorisation logic flaws, IDORs on identifiers the scanner cannot see, race conditions, multi-step exploits, and vulnerabilities that are only understandable through application context.

Real-world example

At a SaaS startup, Resync found an API endpoint that accepted a UUID as a query parameter. The scanner saw a properly secured endpoint. Manual testing revealed that simply changing the tenant ID made all customer data from other organisations retrievable. Impossible to detect without understanding the application model.
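The tenant-isolation flaw described above, as an added illustration that is not code from the engagement or from Resync: a handler that trusts the tenant UUID from the query string, beside the fixed version that takes the tenant from the server-side session and rejects any mismatch. The dataset, session object and UUIDs are constructed for this example.

```python
# Added example: client-supplied tenant ID trusted by the handler (vulnerable)
# versus tenant derived from the authenticated session (fixed).
# All data, sessions and identifiers below are constructed, not real.
from dataclasses import dataclass
import uuid

# Constructed sample data: two tenants, each with their own customer records.
TENANT_A = "11111111-1111-4111-8111-111111111111"
TENANT_B = "22222222-2222-4222-8222-222222222222"
CUSTOMERS = {
    TENANT_A: [{"id": 1, "name": "Alice Ltd"}],
    TENANT_B: [{"id": 2, "name": "Bob BV"}],
}


@dataclass
class Session:
    """Authenticated session; tenant_id is set at login, never from the request."""
    user_id: str
    tenant_id: str


def list_customers_vulnerable(session: Session, tenant_id: str) -> list:
    """Vulnerable: the tenant comes from the query string and is used as-is.
    The endpoint still requires authentication, so a scanner sees a properly
    secured endpoint, yet any logged-in user can read any tenant's rows."""
    return CUSTOMERS.get(tenant_id, [])


def list_customers_fixed(session: Session, tenant_id: str) -> list:
    """Fixed: the session's tenant is authoritative; malformed or mismatching
    client values are rejected instead of silently falling back."""
    try:
        uuid.UUID(tenant_id)  # reject malformed identifiers early
    except ValueError:
        raise PermissionError("invalid tenant identifier")
    if tenant_id != session.tenant_id:
        raise PermissionError("tenant mismatch")  # worth logging as an IDOR attempt
    return CUSTOMERS.get(session.tenant_id, [])


def cross_tenant_leak(handler, session: Session, other_tenant: str) -> bool:
    """Retest-style check: True when a session from one tenant can read
    another tenant's rows through the given handler."""
    try:
        rows = handler(session, other_tenant)
    except PermissionError:
        return False
    return len(rows) > 0
```

The same check is what a retest would run after patching: the vulnerable handler leaks, the fixed one denies.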

The report

Usable by your board and by your development team.

A pentest report that ends up in a drawer is money wasted. The Resync report is structured in two layers, suitable for both a CISO/board presentation and for a developer who wants to patch the same day.

Executive summary (1–2 pages)

  • Risk overview in plain language, no jargon
  • CVSS score and business impact per finding
  • Strategic recommendations and compliance context (NIS2, GDPR, ISO 27001)

Technical findings

  • Exact reproduction steps; a developer can follow every finding themselves
  • Screenshots and HTTP request/response logs of the exploit
  • Concrete code or configuration recommendation, not a generic OWASP link
  • Prioritisation based on exploitability and impact

Retest & final declaration

  • After patching: retest of all findings, included in the price
  • A final declaration you can present to regulators, clients or your board
  • Official proof of remediation, usable for SOC 2, ISO 27001 or NIS2 processes

Who it's for

When a web app pentest is the right answer.

A manual web application pentest is valuable before a production release, during an audit process (SOC 2, ISO 27001), after a major refactor, or as a recurring check for a SaaS product. Resync regularly works with:

  • SaaS startups pursuing SOC 2 or ISO 27001 and needing an independent pentest
  • Healthcare organisations where patient portals and applications fall under compliance requirements
  • Municipalities with citizen portals and internal applications
  • Law firms & notaries with client portals and sensitive case data
  • Vibe-coded apps generated with Cursor, Bolt or Lovable — predictable vulnerability patterns

Ready for your web app pentest?

One conversation is enough to make scope, schedule and price concrete. Free intake, fixed-price quote, retest included.
