Web applications and APIs are today's primary gateway for cyberattacks. Whether it's a customer portal, e-commerce platform, or internal business application – every interface accessible via the internet represents a potential risk. A web & API penetration test uncovers vulnerabilities before attackers can exploit them.
Modern organizations increasingly rely on web-based applications and API-driven architectures. Microservices, single-page applications, and mobile backends communicate via various interfaces such as REST, GraphQL, SOAP, or WebSockets – often handling sensitive customer data, payment information, or business-critical processes. The OWASP Top 10 shows year after year that vulnerabilities like injection, broken authentication, and security misconfiguration remain widespread.
Automated scanners detect only a fraction of the actual risks. Business logic vulnerabilities, flawed access controls between different user roles, or insecure API designs are only uncovered through manual, targeted testing. This is exactly where our web & API penetration test comes in: we combine automated tools with manual expertise to obtain a comprehensive picture of your attack surface.
Our approach is aligned with the OWASP Testing Guide and the OWASP API Security Top 10. We don't just test for technical vulnerabilities – we also analyze your application's business logic, because the most dangerous vulnerabilities are often those that no scanner can find.
Defining the test scope, identifying critical functions, and threat modeling.
Testing login mechanisms, session management, password policies, and role-based access controls.
Testing for SQL injection, XSS, SSRF, and analyzing business logic for bypass opportunities.
Analyzing REST and GraphQL endpoints for broken authorization, rate limiting, and data exposure.
OWASP-aligned report with proof-of-concepts, risk ratings, and concrete remediation guidance.
Login bypass, brute-force protection, token handling, multi-factor authentication, session fixation, and cookie security.
SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), XML external entities (XXE), and command injection.
Broken object level authorization (BOLA), mass assignment, excessive data exposure, missing rate limits, and insecure GraphQL introspection.
Unrestricted file upload, path traversal, malware upload possibilities, and server-side processing of uploaded files.
Horizontal and vertical privilege escalation, insecure direct object references (IDOR), missing function-level access control, and multi-tenancy isolation.
Workflow bypasses, price manipulation, race conditions, coupon/discount abuse, and circumvention of business rules.
Anonymized engagement example
A Swiss software company. 1 web app. Other customers' data accessible in seconds.
A Swiss software company has its core application tested before onboarding a major new client. The application processes sensitive customer data and was partly built by an external development team.
IDOR and JWT vulnerabilities fixed within two weeks. Retest confirms: access to other customers' data no longer possible. New client successfully onboarded.
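The access-control classes of finding named above (BOLA, IDOR, multi-tenancy isolation) and the engagement's "other customers' data accessible" result all come down to one missing server-side check: the handler trusts a client-supplied record id without comparing the record's owner to the authenticated caller. The following Python is an added illustration written for this page, not code from the engagement or from any client; the in-memory order store, the tenant names `acme` and `globex`, and the handler and check functions are constructed for the example. It shows a vulnerable handler beside its hardened form and a small retest routine of the kind used to confirm that cross-tenant reads are no longer possible.

```python
"""Object-level authorization (BOLA / IDOR) on a REST-style read handler.

Added illustration: store, tenant names and function names are constructed
for this example and are not taken from the engagement described on the page.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str        # tenant / account that owns the record
    total_chf: float


# Constructed sample data: two tenants, three orders.
ORDERS = {
    101: Order(101, "acme", 250.0),
    102: Order(102, "acme", 99.0),
    103: Order(103, "globex", 1200.0),
}


@dataclass(frozen=True)
class Response:
    status: int
    body: Optional[dict]


def _serialize(order: Order) -> dict:
    return {"order_id": order.order_id, "owner": order.owner, "total_chf": order.total_chf}


def get_order_vulnerable(current_user: str, order_id: int) -> Response:
    """Looks the record up by the client-supplied id only.

    The caller's identity is never compared with the record's owner, so any
    authenticated user can read any order just by changing the id in the URL
    (OWASP API Security Top 10 - API1: Broken Object Level Authorization).
    """
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, None)
    return Response(200, _serialize(order))


def get_order_secure(current_user: str, order_id: int) -> Response:
    """Scopes the lookup to the authenticated caller's own records.

    The ownership check uses the server-side session identity, never a value
    the client sent. A foreign record is answered with 404 rather than 403 so
    the response does not confirm that the id exists for another tenant.
    """
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        return Response(404, None)
    return Response(200, _serialize(order))


def check_tenant_isolation(handler: Callable[[str, int], Response]) -> list:
    """Retest routine over the application's own data.

    Every (user, order) pair where the user is not the owner must be refused.
    Returns the list of cross-tenant reads that still succeed; an empty list
    means object-level authorization holds for this handler.
    """
    users = sorted({o.owner for o in ORDERS.values()})
    leaks = []
    for user in users:
        for oid, order in sorted(ORDERS.items()):
            if order.owner != user and handler(user, oid).status == 200:
                leaks.append((user, oid))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", check_tenant_isolation(get_order_vulnerable))
    print("secure handler leaks:", check_tenant_isolation(get_order_secure))
```

The same retest loop is what turns a remediation claim into evidence: run it against every handler that takes a record id, and the fix is confirmed only when the leak list is empty for all of them. Note that the secure handler also folds the ownership check into the lookup itself rather than adding it as a second step, which is the pattern that survives later refactoring of the handler.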
Upon completion of the test, you receive a comprehensive report aligned with the OWASP Testing Guide that includes the following elements: