
Web Application Penetration Testing

Web Application Penetration Testing identifies vulnerabilities within your website that could be exploited through online cyber attacks. Exploitation can result in the theft of information and irreparable damage to your systems.

Xyone uses the Open Web Application Security Project (OWASP) Testing Guide v3.0 for conducting penetration testing of web-based applications. The active test is split into 9 sub-categories covering a total of 66 controls:

  • Configuration Management Testing
  • Business Logic Testing
  • Authentication Testing
  • Authorisation Testing
  • Session Management Testing
  • Data Validation Testing
  • Denial of Service Testing
  • Web Service Testing
  • Ajax testing

The data obtained from the information gathering phase allows us to search for additional vulnerabilities or exploits that do not form part of the above controls but could still be used to penetrate the system.

Our web application penetration testing methodology is adapted each year to ensure we are assessing vulnerabilities in line with the OWASP top ten threats. In 2013, these were identified as:

  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Components with Known Vulnerabilities
  • A10 Unvalidated Redirects and Forwards
It is vital that our clients undertake a retest as part of their penetration test service. This confirms that every reported vulnerability has had the necessary controls applied and is no longer at risk of exploitation.

Retests are always clearly quoted within our proposal documentation, and each retest covers all of the areas identified as risks in our original penetration test report.
PCI DSS Compliance

If a business is set up to take credit cards by any mechanism, then it needs to be compliant. It is a common misunderstanding that small concerns handling only one or a few credit cards a year are exempt from these standards.

Vulnerability Assessment

A vulnerability assessment identifies any major issues within your systems. Less in-depth than a manual penetration test and conducted using approved scanning software, a vulnerability assessment will test a cross section of your IT infrastructu...

PCI DSS Consultancy

Our consultants can take the lead on your PCI compliance, bringing extra resource to streamline your processes and helping you to prepare compliance reports to achieve the Payment Card Industry Data Security Standard.

Network Penetration Testing

Network Penetration Testing goes beyond vulnerability scanning: it evaluates the security of a system and attempts to expose and exploit its vulnerabilities and weaknesses through a simulated attack.

Mobile Penetration Testing

Mobile penetration testing covers the threats encountered when devices such as laptops, smartphones and tablets are used to access networks and databases away from the office environment.

Cloud Penetration Testing

The safety of your company’s assets depends on the security of your cloud-based infrastructure just as much as on your in-house IT environment; security should therefore be a key consideration when selecting a cloud services provider.

Database Penetration Testing

Databases hold valuable business assets such as sensitive customer data, payment card details, product and pricing data, employee records, blueprints, intellectual property and supplier information. Should this data end up in the wrong hands or be co...

VOIP Penetration Testing

VOIP (Voice over IP) is the method of conducting voice calls and messaging over an internet-based network. VOIP is a particular area of concern with regard to security because of the potential for confidential data harvesting through recordi...