Penetration Testing

Web Application Testing.

As long as humans are writing code, there will be bugs — some of those bugs just happen to be security vulnerabilities. Let us find them before the attackers do. Trust us to enhance your application's security and protect your critical data.

Our Engagement Process.

T-14 days

Scoping

Our scoping process begins with a detailed consultation to understand your unique business requirements and the specific functionalities of your web applications.


A scope of testing is defined to ensure sufficient coverage, along with a testing methodology that is tailored to align with your specific security goals.

T-7 days

Get Ready for Testing

Ahead of testing, we work with you to make sure everything is in place. In grey-box tests this can include setting up user accounts with varying access levels (so that lateral and vertical authorisation checks can be exercised), preparing a test environment in which all data flows can be executed end to end, and sharing relevant documentation that supports a more in-depth evaluation.

Start of Testing

Testing starts! Our certified penetration testers manually probe the application to uncover security bugs deep in your code base, rather than relying on scanner output alone.


Should any critical vulnerabilities be discovered, we communicate these immediately to ensure swift mitigation.

T+14 Days

Report Delivery and Debrief

Upon completion of the testing phase, we deliver a detailed report that outlines all identified vulnerabilities, each accompanied by remediation options.


A key part of our service is the debrief call, where we walk through the report together. This ensures that all findings are fully understood and that the necessary steps for remediation are clearly communicated.

Why Web Application Testing?

Identify Vulnerabilities

Without a mature application security program, non-functional requirements such as security can often be overlooked during the feature development process. Testing can help identify these hidden issues before someone else finds them.

Meet Customer Expectations

Mature buyers expect robust security measures as a standard part of any software platform. Staying ahead of these expectations demonstrates your commitment to security and enhances your reputation as a reliable software provider.

Security as a Feature

Security isn't just a necessity — it can be seen as a competitive advantage. By highlighting your commitment to regular advanced security audits you can reassure users and differentiate your product in the marketplace.

Educate Development Teams

Penetration testing can often serve as a valuable educational tool for development teams. By remediating vulnerability findings, developers gain insight into the mindset of attackers, enabling them to build more securely in the future.

Our Web Application Testing Methodology

Manual assessment forms the bulk of our penetration testing engagements: at least until our AI overlords replace us.

Project Black's high-level approach to assessing web applications is adapted from "The Web Application Hacker's Handbook" by Dafydd Stuttard (founder/CEO of PortSwigger) and Marcus Pinto. The approach is prioritised to focus first on the vulnerability classes that are widely agreed to be the most common and most critical security risks in web applications.

Listed below are some of Project Black's most important test categories, mapped against the OWASP Top 10 (2021) and the CWE Top 25 Most Dangerous Software Weaknesses:

  1. Access Control Testing
    Access control vulnerabilities form a large portion of easily exploitable vulnerabilities that are discovered across Project Black's testing. Testing in this phase will focus on the discovery of authentication bypass vulnerabilities and authorisation issues (lateral, vertical, and cross tenant).

    • A01:2021 - Broken Access Control
    • A07:2021 - Identification and Authentication Failures
    • CWE-862: Missing Authorization
    • CWE-287: Improper Authentication
    • CWE-306: Missing Authentication for Critical Function
    • CWE-269: Improper Privilege Management
    • CWE-863: Incorrect Authorization
    • CWE-276: Incorrect Default Permissions
  2. Input Handling
    Input handling vulnerabilities are typically more difficult to exploit (which lowers the likelihood of exploitation), but when exploited they can have significant impact on the application owner. They are therefore evaluated in Project Black's second testing phase.

    • A03:2021 - Injection
    • A08:2021 - Software and Data Integrity Failures
    • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    • CWE-20: Improper Input Validation
    • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-434: Unrestricted Upload of File with Dangerous Type
    • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
    • CWE-502: Deserialization of Untrusted Data
    • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    • CWE-94: Improper Control of Generation of Code ('Code Injection')
  3. Application Hosting/Security Configuration
    The prevalence of PaaS consumption and of dependencies on third parties shifts the focus of this phase to how those PaaS services and third-party dependencies are used and configured: exposed management interfaces, default or hard-coded credentials, outdated components, and gaps in logging and monitoring.

    • A02:2021 - Cryptographic Failures
    • A04:2021 - Insecure Design
    • A05:2021 - Security Misconfiguration
    • A06:2021 - Vulnerable and Outdated Components
    • A09:2021 - Security Logging and Monitoring Failures
    • CWE-798: Use of Hard-coded Credentials
  4. Application Logic & Misc Vulnerability Classes
    Finally, application-specific functionality may expose additional vulnerability classes such as business logic issues, which cannot be found by generic test cases and require an understanding of what the application is meant to do.

    • CWE-840: Business Logic Errors
    • CWE-918: Server-Side Request Forgery (SSRF)
    • A10:2021 - Server-Side Request Forgery (SSRF)
    • CWE-352: Cross-Site Request Forgery (CSRF)

Project Black uses the OWASP Testing Guide and internally developed tooling/methodology for specific test case guidance.
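The access control phase above distinguishes lateral (same tenant, same role, another user's data), vertical (a lower-privileged role reaching an admin function) and cross-tenant issues. The script below is an added example of how a tester can check all three systematically with an access-control matrix; it is not Project Black's own tooling. The in-memory "application", its two tenants, users, invoices and the expected-access policy are constructed here so the check runs offline; against a real target, the two handler functions would be replaced by HTTP requests made with each test account's session. One handler pair is deliberately vulnerable (object lookup by id only, no role check on the admin export) and the other is hardened.

```python
"""Access-control matrix check: lateral, vertical and cross-tenant cases.

Added example, not Project Black's tooling. The tiny in-memory app,
its users, invoices and the expected-access policy are constructed so the
check runs offline; against a real target the handlers would be HTTP
requests made with each test account's session.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    role: str  # "user" or "admin"


# Constructed sample data: two tenants, four users, three invoices.
USERS = {
    "alice": User("alice", "acme", "user"),
    "bob": User("bob", "acme", "user"),
    "carol": User("carol", "acme", "admin"),
    "dave": User("dave", "globex", "user"),
}
INVOICES = {
    1: {"tenant": "acme", "owner": "alice", "amount": 120},
    2: {"tenant": "acme", "owner": "bob", "amount": 75},
    3: {"tenant": "globex", "owner": "dave", "amount": 990},
}


class Forbidden(Exception):
    """Raised by a handler that denies the request (stands in for HTTP 403)."""


# --- Vulnerable handlers: look up by id only (CWE-862), no role check (CWE-269).
def get_invoice_vulnerable(actor: User, invoice_id: int) -> dict:
    return INVOICES[invoice_id]


def export_all_vulnerable(actor: User) -> list:
    return [inv for inv in INVOICES.values() if inv["tenant"] == actor.tenant]


# --- Hardened handlers: enforce tenant, ownership and role server-side.
def get_invoice_hardened(actor: User, invoice_id: int) -> dict:
    inv = INVOICES[invoice_id]
    if inv["tenant"] != actor.tenant:
        raise Forbidden("cross-tenant access")
    if actor.role != "admin" and inv["owner"] != actor.name:
        raise Forbidden("not the owner")
    return inv


def export_all_hardened(actor: User) -> list:
    if actor.role != "admin":
        raise Forbidden("admin only")
    return [inv for inv in INVOICES.values() if inv["tenant"] == actor.tenant]


# --- Expected-access policy (the "matrix"): same tenant and (owner or admin).
def invoice_access_expected(actor: User, inv: dict) -> bool:
    return inv["tenant"] == actor.tenant and (
        actor.role == "admin" or inv["owner"] == actor.name
    )


def classify_denied_case(actor: User, inv: dict) -> str:
    """Name the class of an access that the policy says should be denied."""
    if inv["tenant"] != actor.tenant:
        return "cross-tenant"
    return "lateral"


def run_matrix(get_invoice, export_all) -> list:
    """Exercise every (actor, invoice) pair plus the admin-only export.

    Returns one finding string per mismatch between observed and expected
    access. An empty list means the handlers match the policy.
    """
    findings = []
    for actor in USERS.values():
        for invoice_id, inv in INVOICES.items():
            expected = invoice_access_expected(actor, inv)
            try:
                get_invoice(actor, invoice_id)
                observed = True
            except Forbidden:
                observed = False
            if observed and not expected:
                findings.append(
                    f"{classify_denied_case(actor, inv)}: {actor.name} read invoice {invoice_id}"
                )
            elif expected and not observed:
                findings.append(f"over-restriction: {actor.name} denied invoice {invoice_id}")
        # Vertical check: only admins may call the export function.
        try:
            export_all(actor)
            observed = True
        except Forbidden:
            observed = False
        if observed and actor.role != "admin":
            findings.append(f"vertical: {actor.name} ran the admin export")
    return findings


if __name__ == "__main__":
    for label, handlers in {
        "vulnerable": (get_invoice_vulnerable, export_all_vulnerable),
        "hardened": (get_invoice_hardened, export_all_hardened),
    }.items():
        results = run_matrix(*handlers)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  " + line)
```

The matrix is the important part: it records what each account is expected to reach, so the same loop also flags over-restriction (a legitimate user wrongly denied), which is a functional regression worth reporting to developers alongside the authorisation bypasses.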

Ready for a Pentest Quote?

Simply fill out and submit the form, and we'll provide you with a quote within hours - unless you fill it in at 3am!

Contact Us:

Privacy Policy (November 2023)

This policy outlines how we collect, use, and safeguard your personal information.

Information We Collect & How We Use It

Contact Form: When you use our contact form, we collect your name, email, and phone number. This is used to respond to your inquiries.

Microsoft Clarity, Google & Bing Analytics: We use Microsoft Clarity together with Google & Bing Analytics to collect data such as your page views and visitor behaviour on our site. This helps us understand how our website is used so that we can improve it.

We do not share your personal data with any third parties, except as necessary for Microsoft Clarity, Google & Bing Analytics analysis; see their privacy policies for more information.

Data Security

Because this is a 100% static site, contact form information is sent via formspree.io to a shared mailbox in Office 365. Access to this mailbox is restricted to specific individuals within our company to ensure the security of your information.

formspree.io archives a copy of each form submission, which is retained for 30 days. If you prefer to contact us directly, you can email us at [email protected] for the same purpose.

Your Rights

You have the right to access, amend, or request the deletion of your personal data. If you have any privacy-related concerns, questions, or requests regarding your personal information, please contact us at [email protected].

Changes to Privacy Policy

Our privacy policy may be updated periodically. Any changes will be posted here and communicated to individuals who have previously submitted forms.

Jurisdiction

This privacy policy adheres to the Australian Privacy Principles.