Web Pentest Methodologies

Review pentest objectives for Web Apps.

Overview of test methodologies for Web assets. Includes microservices.

We use the penetration testing objectives listed on this page. If you want to know more about each methodology, navigate to the Pentest Methodologies page associated with your asset.


The Cobalt team of pentesters do not need access to the underlying web application source code, unless you specify it as a requirement.

When you set up a pentest for a web asset in the UI, you’ll see the following in the Objectives text box:

Coverage of OWASP top 10, ASVS and application logic.

Learn more about these objectives from OWASP:

We look at application logic by working with your app.

Tests of a Web asset include tests of APIs used to populate content on that asset. If you have additional APIs, you may consider setting up:

  • A combined Web + API test
  • A separate test for APIs

We follow an industry standard methodology primarily based on the OWASP Application Security Verification Standard (ASVS) and Testing Guide. Our team takes the following steps to ensure full coverage:

  • Target scope reconnaissance
  • Business and application logic mapping
  • Automated web crawling and web scanner configuration tweaking
  • Automated vulnerability scanning
    • Manual crawling to ensure better coverage
  • Manual web vulnerability tests and exploit reviews
    • Also covers microservices
  • Ongoing assessments
    • Report results to clients through the platform
  • Report, triage, and retest

Web pentest flow

Additional Requirements

You’re welcome to define additional test objectives. If you follow best practices other than OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a “well-known” security practice, our pentesters probably already know them!

If you have special instructions for a pentest, add them later, under Special Instructions.

Last modified November.11.2021