Web Penetration Test


The overall purpose of a penetration test is to assess the security level of the application. This achieves multiple goals:

  • Identification of vulnerabilities by a trusted third party before they are exploited by attackers
  • Demonstrate your level of security to your customers / partners
  • Meet legal, contractual, regulatory requirements for obtaining certification, for compliance commitments
  • Gain and maintain trust
  • Keep control on your cyber risks

Methodology and steps

The first step is the definition of the terms of the audit, its objectives, its scope, but also the choice of dates, speakers, format of deliverables and types of tests as well as the establishment of prerequisites.

In a second step, the auditors carry out their tests. If a critical vulnerability is discovered during the audit, the client's contact is notified immediately. Once the tests are complete, the auditors focus on writing the audit report. The report includes an executive summary, the list of flaws found and for each of them the description, observations and associated recommendations.

Finally, a closing meeting is set to present the results of the audit, and the deliverables are given to the sponsor. It will be possible to schedule a cross-audit afterwards to ensure that the corrections made are sufficient and not circumventable.

The tests

The penetration test will to check the following points (non-exhaustive list) on the application itself or on the infrastructure hosting the website:

  • Partitioning of rights / users
  • Authentication and session management
  • Access control
  • Exposure of sensitive data
  • Configuration defects
  • Injections and application flaws
  • Bypassing security mechanisms
  • Components and systems not up to date
  • Accessible and poorly secured services
  • Logical flaws


The following vulnerabilities (non-exhaustive list) are potentially reported during our penetration tests:

  • Code Execution/Commands (RCE)
  • Insecure file upload
  • SQL injections (SQLi)
  • Cross Site Scripting (XSS)
  • Server Side Request Forgery (SSRF)
  • Manipulation of external XML entities (XXE)
  • No silos between users
  • Weak password policy
  • Default or weak passwords
  • Directory listing
  • Known Vulnerabilities (CVE)
  • SSL misconfiguration
  • Cross Site Request Forgery (CSRF)
  • Path traversal
  • Leakage of sensitive information
  • Open redirect


Depending on the type of audit, SEC-IT relies on different recognized standards, among which:

Other pentest services

Infrastructure Penetration Test

To assess the security of your IT infrastructure and network: workstations, servers, network equipment, file shares, Active Directory.

Mobile Application Penetration Test

To assess the security of your Android apps

Cloud Penetration Test

To assess the security of your AWS, Azure, M365, GCP Cloud environments