Web Pentest Methodologies
Review pentest objectives for Web Apps, including microservices.
Our pentesters test your assets rigorously.
We use the penetration testing objectives listed on this page. If you want to know more
about each methodology, navigate to the Pentest Methodologies page associated with your asset.
Web
The Cobalt team of pentesters does not need access to the underlying web application source code,
unless you specify it as a requirement.
When you set up a pentest for a web asset in the UI, you’ll see the following in the
Objectives text box:
Coverage of OWASP top 10, ASVS and application logic.
Learn more about these objectives from OWASP:
We look at application logic by working with your app.
Tests of a Web asset include tests of APIs used to populate content on that asset. If you
have additional APIs, you may consider setting up:
- A combined Web + API test
- A separate test for APIs
Methodology Details
We follow an industry standard methodology primarily based on the OWASP Application Security
Verification Standard (ASVS) and Testing Guide. In support, we use a number of manual and automated
tools, described in the following steps, to ensure full coverage.
Target scope reconnaissance
Based on the Pentest Brief prepared by the client, Cobalt pentesters search for
information about the targets and investigate the scope. This information
includes:
- Web application URLs
- Descriptions of application logic
- Functions critical to the business
Pentesters then confirm that they can:
- Reach and scan the targets
- Test the functionality of the application
Our pentesters may use reconnaissance scanning tools such as:
- Recon-ng
- Dnscan
- Dirble
- Aquatone
- Masscan
Business and application logic mapping
Pentesters manually examine the target applications to map:
- Business functions
- Workflows
- Underlying processes
They also build a matrix of the access controls within the application, based on the
supported roles and actions. Our pentesters use this matrix to plan further security
tests, which determine:
- How well these controls are enforced
- How an attacker can bypass these controls
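The role-by-action matrix described above is, in practice, a table of expected outcomes that gets exercised pair by pair. The following is an added example, not Cobalt's tooling: it defines a constructed matrix for a small order-management app, stands in a toy in-memory application (`toy_app`, with one deliberately over-permissive rule) for the real target, and reports every role/action pair whose observed result deviates from the matrix. Role names, action names and the `request` callback signature are all assumptions made for the example; against a real asset the callback would issue an HTTP request with that role's session and return the status code.

```python
"""Role x action access-control matrix check (constructed example)."""
from typing import Callable, Dict, List, Set, Tuple

# Constructed access-control matrix: which roles are expected to be allowed
# to perform each action. Any role not listed is expected to be denied.
EXPECTED: Dict[str, Set[str]] = {
    "view_own_orders": {"customer", "support", "admin"},
    "view_all_orders": {"support", "admin"},
    "refund_order": {"admin"},
    "delete_user": {"admin"},
}
ROLES = ["anonymous", "customer", "support", "admin"]


def toy_app(role: str, action: str) -> int:
    """Constructed stand-in for the target application.

    Returns an HTTP-like status code for `role` performing `action`. The
    refund_order rule is deliberately wider than the matrix so that the
    check below has a control bypass to report.
    """
    enforced = {
        "view_own_orders": {"customer", "support", "admin"},
        "view_all_orders": {"support", "admin"},
        "refund_order": {"support", "admin"},  # bug: support can refund
        "delete_user": {"admin"},
    }
    if action not in enforced:
        return 404
    if role == "anonymous":
        return 401
    return 200 if role in enforced[action] else 403


def check_matrix(request: Callable[[str, str], int],
                 expected: Dict[str, Set[str]] = EXPECTED,
                 roles: List[str] = ROLES) -> List[Tuple[str, str, str, int]]:
    """Exercise every role/action pair and report deviations from the matrix.

    Each finding is (action, role, kind, status) where kind is
    'unexpected_allow' (a control bypass, the security finding) or
    'unexpected_deny' (a functional gap worth confirming with the client).
    """
    findings = []
    for action, allowed_roles in expected.items():
        for role in roles:
            status = request(role, action)
            allowed = status == 200
            should_allow = role in allowed_roles
            if allowed and not should_allow:
                findings.append((action, role, "unexpected_allow", status))
            elif should_allow and not allowed:
                findings.append((action, role, "unexpected_deny", status))
    return findings


if __name__ == "__main__":
    for finding in check_matrix(toy_app):
        print(finding)
```

Run as a script, it prints the single discrepancy the toy app contains: `support` can perform `refund_order` although the matrix reserves it for `admin`. Keeping the expected matrix separate from the target's behaviour is what makes the second half of the matrix useful: the same table later drives the retest, and any `unexpected_deny` rows highlight where the matrix itself, rather than the app, may need correcting with the client.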
Our pentesters may use application logic analysis tools such as:
- Burp Suite Pro/Community
- Postman
- OWASP Zed Attack Proxy
Automated web crawling and web scanner configuration tweaking
Our pentesters use both commercial and freeware security tools to assess the targeted
application. They’ll modify these tools as needed, to make sure that scanning can find
security issues on every segment of your asset, and the application as a whole.
In addition, our pentesters run automated crawls to:
- Identify any pages that are available to unauthenticated users
- Determine the full site tree
Our pentesters may use web crawling and scanning tools such as:
- Nmap
- Burp Suite Pro/Community
- Nikto
Authenticated vulnerability scanning / Manual crawling
In this part of the pentest process, our pentesters:
- Use automated tools for web application crawling
- Verify the results manually
- Run manual crawling tests for better coverage
- Verify authentication on protected areas of the application
With automated scanning, our pentesters:
- Assess the application using the authenticated sessions where applicable
Our pentesters use extreme caution to minimize impact on the targeted system.
They may use vulnerability scanning tools such as:
- WPScan
- Burp Suite Pro/Community
- sqlmap
Manual web vulnerability tests / exploit reviews / microservices
Cobalt pentesters use tool-assisted manual tests to identify and analyze the
following parts of the app for vulnerabilities:
- Functionality
- Business logic
- Deployment
The assessment identifies published vulnerabilities, including those:
- Listed in the OWASP Top 10
- Listed in CVE reports or tracked by CVE entries
Our pentesters also take the workflows and business logic into consideration
when they identify vulnerabilities in the application.
The assessment includes tests for vulnerabilities such as:
- Injection attacks that probe the robustness of server-validation routines
- Session management flaws that could allow user impersonation
- Flaws in access control that expose data or enable users to gain elevated privileges
If the application includes microservices, our pentesters focus on interactions
between different systems. They thoroughly examine:
- Access control management
- Cross-Origin Resource Sharing (CORS) implementation
- Vulnerabilities outlined in the OWASP API Security Project
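Reviewing a CORS implementation comes down to sending a handful of `Origin` values and reading the `Access-Control-Allow-*` headers that come back. The block below is an added example, not Cobalt's tooling: it places a constructed weak handler (suffix match on the origin string, credentials enabled) beside a hardened one (exact allow-list match, HTTPS only, `Vary: Origin`), and an `audit_cors` function that classifies what each handler returns for a fixed set of probe origins. The trusted origins, probe origins and handler signature are assumptions made for the example; against a real service the handler would be replaced by a function that performs the request and returns the response headers.

```python
"""CORS policy review helper (constructed example)."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

Headers = Dict[str, str]

# Constructed allow-list of origins the service is supposed to trust.
TRUSTED = {"https://app.example.com", "https://admin.example.com"}


def weak_cors(origin: Optional[str]) -> Headers:
    """Constructed weak handler: suffix match on the origin string, with
    credentials enabled. Any origin whose string ends in 'example.com'
    (including 'https://notexample.com') is reflected back."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def hardened_cors(origin: Optional[str]) -> Headers:
    """Constructed hardened handler: exact allow-list match, https only,
    and Vary: Origin so caches do not serve one origin's headers to another."""
    if origin in TRUSTED and urlparse(origin).scheme == "https":
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


# Probe origins: one legitimate value plus the boundary cases a policy
# review checks (dot-boundary confusion, scheme downgrade, null, unrelated).
PROBE_ORIGINS = [
    "https://app.example.com",
    "https://notexample.com",
    "http://app.example.com",
    "null",
    "https://unrelated.test",
]


def audit_cors(handler: Callable[[Optional[str]], Headers],
               probes: List[str] = PROBE_ORIGINS) -> List[Tuple[str, str]]:
    """Return (origin, finding) pairs for every probe the policy mishandles."""
    findings = []
    for origin in probes:
        headers = handler(origin)
        acao = headers.get("Access-Control-Allow-Origin")
        if acao is None:
            continue  # origin not allowed: nothing to report
        creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
        if acao == "*" and creds:
            # Browsers reject this combination, but it signals a misconfigured policy.
            findings.append((origin, "wildcard_with_credentials"))
        elif acao == "null":
            findings.append((origin, "null_origin_allowed"))
        elif acao == origin and origin not in TRUSTED:
            kind = ("scheme_downgrade" if urlparse(origin).scheme == "http"
                    else "allow_list_bypass")
            findings.append((origin, kind))
        elif acao != "*" and headers.get("Vary", "").lower() != "origin":
            # Reflected origin without Vary: Origin is cacheable across origins.
            findings.append((origin, "missing_vary_origin"))
    return findings


if __name__ == "__main__":
    print("weak:", audit_cors(weak_cors))
    print("hardened:", audit_cors(hardened_cors))
```

The weak handler produces three findings (a missing `Vary: Origin` on the legitimate origin, the dot-boundary bypass, and the scheme downgrade); the hardened handler produces none. The fix that removes all three is the same one the hardened handler shows: compare the full origin against an explicit allow-list rather than matching a suffix, and never reflect an origin you did not list.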
For each finding, pentesters determine the associated risk by:
- Demonstrating how the issue could be exploited
- Evaluating its impact within the context of the business function, data, and
users of the asset
- Setting up a Proof-of-Concept exploitation to:
  - Demonstrate the presence of the vulnerability
  - Minimize potential adverse impact to the application, its data, and its underlying systems
Our pentesters use multiple testing and exploitation tools such as:
- Burp Suite Pro/Community
- OWASP ZAP
- Dirble
- Nuclei
Ongoing assessments
Our pentesters report their findings, in real time, through the Cobalt platform.
They also:
- Assess all risks
- Recommend steps for remediation
You’re welcome to communicate with our pentesters for each of their findings.
Report, triage, and retest
Our pentesters report and triage all vulnerabilities during the assessment. You
can review details of all findings, in real time, through the Cobalt platform.
In these findings, as well as in any report, our pentesters include detailed
information on how you can:
- Remediate each finding
- Improve your overall security posture
If you remediate findings during the supported pentest period, our pentesters
can retest your updated components against each discovered vulnerability.

Additional Requirements
You’re welcome to define additional test objectives. If you follow best practices other than
OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a
“well-known” security practice, our pentesters probably already know it!
If you have special instructions for a pentest,
add them later, under Special Instructions.
Last modified December 12, 2022