Web application security audit (OWASP Top 10)

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and maintenance of all types of websites:
Informational websites or web applications
Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators
E-commerce websites or web applications
Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers
Business process management web applications
CRM systems, ERP systems, corporate portals, production management systems, information parsers
Electronic service websites or web applications
Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 2065 services
Web application security audit (OWASP Top 10)
Complex
~3-5 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1161
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1041
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    822
  • image_crm_chasseurs_493_0.webp
    CRM development for Chasseurs
    847
  • image_website-sbh_0.png
    Website development for SBH Partners
    999
  • image_website-_0.png
    Website development for Red Pear
    451
Show more works

Conducting web application security audit (OWASP Top 10)

Security audit following OWASP methodology is a systematic check of the application for vulnerabilities from the list of most critical risks. Includes automated scanning, manual code and business logic analysis, authentication and authorization testing.

OWASP Top 10 (2021): what to check

ID Category Examples
A01 Broken Access Control IDOR, privilege escalation
A02 Cryptographic Failures weak algorithms, exposed data
A03 Injection SQL, NoSQL, OS, LDAP
A04 Insecure Design no rate limit, predictable tokens
A05 Security Misconfiguration default passwords, verbose errors
A06 Vulnerable Components outdated dependencies with CVE
A07 Auth Failures weak passwords, unsafe sessions
A08 Software & Data Integrity insecure deserialization, CI/CD attacks
A09 Logging Failures insufficient logging
A10 SSRF requests to internal resources

Phase 1: Reconnaissance and mapping (3–5 days)

Inventory all application entry points:

nmap -sV -sC -p- target.example.com

ffuf -w /usr/share/wordlists/dirb/big.txt \
     -u https://target.example.com/FUZZ \
     -mc 200,301,302,403

katana -u https://target.example.com -jc -d 3

whatweb https://target.example.com
wappalyzer https://target.example.com

Result: complete map of endpoints, technologies used, component versions.

Phase 2: Automated scanning (1–2 days)

zap-cli quick-scan --self-contained \
    --start-options '-config api.disablekey=true' \
    https://target.example.com

nikto -h https://target.example.com -ssl -output report.html

nuclei -u https://target.example.com \
       -t cves/ -t misconfigurations/ \
       -severity critical,high,medium

semgrep --config=p/owasp-top-ten ./src

Phase 3: Authentication and authorization testing (3–5 days)

IDOR — object ID substitution:

GET /api/users/1337/profile      → 200 OK (another user's profile)
GET /api/orders/9999/details     → should return 403, not 200

JWT vulnerabilities:

  • Algorithm none — accept without signature
  • RS256 → HS256 — forge with public key
  • Weak secret — brute force

Phase 4: Injections and client-side attacks (3–4 days)

sqlmap -u "https://target.com/search?q=test" \
       --level=5 --risk=3 --dbs --batch

dalfox url "https://target.com/search?q=test" \
       --output xss_report.txt

Phase 5: Configuration analysis (1–2 days)

testssl.sh --full https://target.example.com
sslyze --regular target.example.com

npm audit --audit-level=moderate
composer audit
pip-audit

gitleaks detect --source . --report-format json
truffleHog git file://. --only-verified

Phase 6: Business logic analysis (2–3 days)

Manual analysis cannot be automated:

  • Bypassing payment limits (negative amounts, race conditions)
  • Promo code and discount manipulation
  • Bypassing email verification
  • Insecure direct links to files
  • Password reset without old token invalidation

Audit timeline

Application Type Duration
Landing / corporate site 3–5 days
SaaS with authorization 7–14 days
Financial app / marketplace 14–21 days
Re-testing after fixes 2–3 days