[FS-WAPT] Web Application Penetration Testing



A penetration test is a method of evaluating the security of a computer system or network by simulating an attack. A Web Application Penetration Test (WAPT) focuses on evaluating the security of a web application in depth. The process involves an active analysis of the application for any weaknesses, technical flaws and vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and, often, a proposal for mitigation or a technical solution.

Our method is based on the black-box approach, which simulates an external attacker: the tester knows nothing, or very little, about the application to be tested. The test is divided into two main phases:

Passive mode: the tester tries to understand the application's logic and plays with the application, often using information-gathering tools. At the end of this phase, the tester should understand all the access points (gates) of the application (e.g., HTTP headers, parameters and cookies).

Active mode: the tester begins the actual attack session, using the OWASP methodology with manual and automated tests.

Active tests are split into 9 sub-categories for a total of more than 66 security controls:

  • Information Gathering
  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Input Validation Testing
  • Testing for Error Handling
  • Testing for Weak Cryptography
  • Business Logic Testing
  • Client Side Testing



The strength of a valuable and effective Web Application Penetration Test (WAPT) lies in the tester's ethical hacking and manual skills, their years of experience, and their analytical attitude, coding and exploitation skills. All of these are Fulgur Security's strengths.

A WAPT is not just an automated task: security tools are useful, but they are not the only thing to rely on and, in practice, they are not the solution to the problem.

Our Web Application Penetration Testing is a deeper process that uses our ethical hacking skills, tools and 0-day exploits to evaluate the target in scope. It is the only process that can uncover vulnerabilities in web applications that are difficult or impossible to detect with automated vulnerability scanning software alone.

The biggest difference between us and other providers is that we offer our multi-year, proven ethical hacking expertise and professionalism (matured in hacking, academic and professional circles) to perform our own high-value Web Application Penetration Testing.

We use our own manual pentesting skills and a patient, well thought-out and methodical approach. We also use our own private WAPT products, developed over years of penetration testing activity in our FS-PT Labs, together with the best WAPT scanning tools and suites (both open source and commercial).



We strictly follow both the OWASP and ethical hacking methodologies, together with our own Fulgur Security approach (born of many years of experience in the hacking, intelligence and darknet worlds, and therefore focused on understanding any cyber security threat in depth), to perform our WAPT.

As a result of our Web Application Penetration Testing we deliver a professional security report with a detailed description of every issue found and its business and risk impact; we also propose security remediations and a remediation plan for every vulnerability found.

Please feel free to CONTACT US to get a quote.