Web application penetration testing uses manual and automated approaches to identify security threats or vulnerabilities in your web application. The purpose of this type of pen-test is to determine vulnerabilities, possible threats, and help identify ways to mitigate them across the whole application and its component parts (database, source code, back-end services). 

Our team of OSCE and OSCP certified “ethical hackers” use exploits – like SQL injections and XML External Entity (XXE) injections – to probe ways to gain control of your web application; so that you can prevent others from doing so. In other words… we help you fight fire, with fire.

Delivery Methods

Our security testing services can be provided via two methods that can be mixed and matched to create an overall testing solution that fits your needs perfectly. For instance, you might require thorough web application penetration testing (delivered locally, on a project basis) or a cyber threat intelligence assessment (conducted remotely). 


Projects are fixed scope engagements of a predetermined time frame. Projects can be delivered locally at your office alongside your team or carried out remotely from our offices in Amsterdam or Kiev.


Contracting is a method of rolling engagement where a tester is contracted to join your organisation to deliver the required testing. Contract-based work can only be delivered locally, typically from within your team.

Testing Approaches

To help you ensure the security of your application, we offer three approaches to web application penetration testing:

black-box testing

Black-box penetration testing

In this perspective of web application penetration testing, the tester is placed in the shoes of a normal internet user with no knowledge of how the application works or access to its source code. This method is closest to what a real hacker would face when trying to penetrate your application.

  • Closest scenarios to what a real hacker would face.
  • Tester acts as normal internet user during pen-testing (with no knowledge of application or source code).

Grey-box penetration testing

A combination of black and clear box testing, with grey box testing testers can create exhaustive tests while remaining close to realistic attack conditions. Testers are given knowledge of the internal workings and functionalities of the applications but without access to the source code. Testers use their knowledge of the system to test the application more thoroughly than if they did not know the architecture of system. This is the most commonly requested form of web application penetration testing.

  • A combination of black and clear box pen-testing.
  • Exhaustive pen-tests while remaining close to realistic attack conditions.
  • Testers are given knowledge of the workings of applications.
  • The tester has no access to the source code.
  • Tests are more thorough than black-box pen-testing.

Clear-box penetration testing

This web application penetration testing approach requires the tester to have access to the source code of the application. This allows the tester to check the quality of the code within a larger scope normally provided by a developer. While not representative of real-life conditions, it does allow for the more effective securing of applications. This perspective on web application penetration testing makes this the most thorough form of penetration testing.

  • Testers have access to the source code.
  • Testers are able to check the quality of the code.
  • This method is not representative of real-life attack conditions.
  • More effective at securing application due to an in-depth look at source code.

Contact Us

For more information about how web application penetration testing can help you secure your applications and networks, contact us using the contact form below or call Baruch Annink at +31 (0) 646 955 406.