

Web applications are highly complex and the threats against them are constantly evolving in both their impact and sophistication.


Web Application Penetration testing or ‘web app pen testing’ is the most effective way of demonstrating that exploitable vulnerabilities within your company’s websites have been identified, allowing suitable remediations to be applied.

TripleSEC's Web Application Penetration Tests, at a minimum, look for the following common vulnerabilities:

  • Injection Vulnerabilities

  • Broken Authentication and Session Management

  • Cross-Site Scripting (XSS) Vulnerabilities

  • Insecure Direct Object References

  • Security Misconfigurations

  • Sensitive Data Exposure

  • Missing Function Level Access Control

  • Cross-Site Request Forgery (CSRF) Vulnerabilities

  • Using Components with Known Vulnerabilities

  • Unvalidated Redirects and Forwards

In conducting the Web Application Pen Test, TripleSEC may have zero knowledge, partial knowledge or full knowledge of the application, depending upon the goals of the assessment. Additionally, credentials with different levels of privilege may be granted to the tester in order to conduct role-based testing across different environments and authorization levels, and to test the security of the session management.

It is essential to set Web Application Penetration Testing Engagement Goals before starting any testing. TripleSEC begins all Web Application Penetration Testing engagements by working with the executive sponsor to establish clear goals of the Web App Penetration Test. These Web App Pen Test engagement goals may include:

  • Discovering potential weaknesses within the web application

  • Access to specific sensitive information

  • Access to back-end databases

  • Access to back-end systems

  • Testing intrusion detection systems

  • Testing employee response to and analysis of attacks

  • Testing a specific attack scenario

In working with the executive sponsor of the Web Application Penetration Testing, Rules of Engagement will also be discussed and set. These Pen Test Rules of Engagement may include:

  • Times of Web App Penetration Testing

  • Days the Web Application Pen Testing may occur

  • Types of attacks allowed during the Web App Pen Testing

  • Types of attacks disallowed during the Web Application Penetration Testing, e.g. Denial of Service (DoS) attacks

  • When to stop Web Application Pen Testing and provide notification of a successful breach

Web Application Penetration Testing is a requirement for many regulations and standards, as well as an important part of any organization's best-practice security strategy. Web App Pen Testing is customized where required, such as for PCI DSS, to follow all the necessary requirements and controls.

All Web Application Penetration Testing details are placed in a quality report deliverable that can be used as attestation or evidence.

On average, a system is attacked within 15 minutes of being placed on the Internet.

  • Applications commonly direct traffic through HTTP so as to bypass firewall rules.

  • Malware may be downloaded automatically without the user's knowledge.

  • Websites may be infected via cross-site scripting (XSS), code injection, and other hacking techniques.

  • Website traffic may be hijacked by hackers.

  • Hijacked corporate websites may be blacklisted by major search engines, causing a loss of reputation and business.

Contact Us Today.

Whether you are looking for general information or have a specific question, we want to help.


Tel: 650-963-5015
