Web Application Penetration Testing Methodology

## Web Application Penetration Testing Methodology

Review Cobalt pentest methodologies for web applications, including microservices.


:::info
Web application pentesting is a structured process in which pentesters simulate real-world attacks to identify security vulnerabilities in web applications. This ensures robust security controls, protects sensitive data, and strengthens overall application security.

:::

Cobalt follows an industry-standard methodology based primarily on the OWASP Application Security Verification Standard (ASVS), the OWASP Testing Guide, and the OWASP Top 10 risks. Cobalt’s approach combines manual and automated testing techniques, using best-in-class security tools to ensure comprehensive coverage.

Penetration testing of a web application includes the following stages: 

* Target Scope Reconnaissance
* Business and Application Logic Mapping
* Automated Web Crawling and Web Scanner Configuration
* Vulnerability Scanning
* Manual Web Vulnerability Tests and Exploit Reviews
* Advanced Security Testing for Modern Web Apps
* Ongoing Security Assessments and Continuous Testing
* Reporting, Triaging, and Retesting


:::info
#### Note

The tools that our pentesters use during each phase may vary from test to test.

:::

During the assessment, Cobalt evaluates application security through [black-box](https://cobalt-io.brainfish.ai/en-us/articles/cobalt-methodologies-LTfYQiQvzV#h-black-box-testing) or [grey-box](https://cobalt-io.brainfish.ai/en-us/articles/cobalt-methodologies-LTfYQiQvzV#h-grey-box-testing) testing methodologies, identifying security flaws in business logic, authentication, authorization, and input handling.

Standard web application pentests include testing of APIs that serve application content. For more in-depth API testing, you can:

* create a dedicated API pentest *or*
* create a combined Web + API pentest

To learn which methodology aligns with your use case, refer to [Selecting Your Test Type: Web or API](https://docs.cobalt.io/methodologies/web-api-test-type).

## Target Scope Reconnaissance

During this phase, Cobalt’s pentesters gather and analyze publicly available information about the target application, including:

* Application URLs and subdomains
* Business logic overview and key functionalities
* Identification of critical assets and high-value targets

Cobalt’s pentesters confirm the following before proceeding:

* The ability to reach and scan the target(s)
* Testing permissions and authentication mechanisms
* Application functionality


:::info
#### Tools

Cobalt pentesters may use reconnaissance scanning tools such as:

* Burp Suite (Professional or Community)
* Zed Application Proxy (ZAP) Scanner
* Curl

:::

## Business and Application Logic Mapping

Cobalt manually reviews the application’s business logic, workflows, and access controls. We analyze the following security aspects:

* User Roles & Access Control Mapping: Reviewing Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) models
* Business Logic Abuse Scenarios: Identifying vulnerabilities that could bypass intended workflows
* Session & Authentication Mechanisms: Evaluating session management and Multi-Factor Authentication (MFA) protections
* Client-Side vs. Server-Side Controls: Ensuring proper enforcement on the server-side


:::info
#### Tools

Cobalt pentesters may use application logic analysis tools such as:

* Burp Suite Pro/Community
* OWASP Zed Attack Proxy

:::

## Automated Web Crawling and Web Scanner Configuration

Automated scans are fine-tuned to maximize detection accuracy while minimizing noise. This phase includes:

* Identifying unauthenticated and authenticated endpoints
* Enumerating input fields, hidden parameters, and dynamic pages
* Ensuring all sections of the application are included in security scans


:::info
#### Tools

Cobalt pentesters may use web crawling and scanning tools such as:

* Burp Suite Pro/Community
* Dirb

:::

## Vulnerability Scanning

### Unauthenticated Scanning

Cobalt’s pentesters assess the application from the perspective of an external, unauthenticated attacker. This phase helps identify vulnerabilities that are exposed to the public or prior to login. In this part of the pentest process, our pentesters:

* Perform automated scanning of publicly accessible endpoints and services
* Enumerate available routes, APIs, and metadata (e.g., error messages, headers)
* Test for improper access controls on restricted resources
* Identify information disclosure through verbose errors, misconfigured headers, or open directories.
* Assess login functionality for brute-force resilience, enumeration vectors, and insecure implementations
* Check for exposed administrative panels, forgotten endpoints, or outdated components

### Authenticated Scanning

Cobalt’s pentesters leverage authenticated sessions to identify security risks that require privileged access. This phase includes:

* Automated scanning using authenticated user sessions
* Verification of session management flaws (e.g., session fixation, JWT misconfigurations)
* Manual business logic validation and anti-automation testing
* Identification of weak authentication mechanisms


:::info
#### Tools

Cobalt pentesters may use vulnerability scanning tools such as:

* WPScan
* SQLmap
* Nuclei
* Burp Suite Pro/Community

:::

## Manual Web Vulnerability Tests and Exploit Reviews

This phase focuses on manual security testing to uncover vulnerabilities that automated scanners miss. It includes:

* Injection Attacks (SQL, XSS, Command Injection, SSRF, etc.)
* Broken Access Controls & IDOR Testing (OWASP Top 10 2021: #1 Risk)
* Session Management Attacks (Session Hijacking, Token Replay, Cookie Tampering)
* Weak Cryptographic Implementations (Improper storage of credentials, weak encryption)
* Modern Web App Attacks (DOM-based XSS, CSP Bypasses, Prototype Pollution)
* Microservices Security (CORS misconfigurations, unauthorized API interactions)
* Business Logic
* Testing the web server for external network vulnerabilities.


:::info
**Note: This is not a full external network penetration test.**

:::


:::info
#### Tools

Cobalt pentesters use multiple testing and exploitation tools, such as:

* Burp Suite Pro/Community (Intruder & Repeater)
* OWASP ZAP
* Dirble
* JWT_Tool (for JWT manipulation testing)
* Corsy (for CORS misconfiguration testing)

:::

## Advanced Security Testing for Modern Web Apps

With the rise of Single Page Applications (SPAs), microservices, and cloud-based applications. Cobalt performs additional security tests, including:

* Client-Side JavaScript Security Audits (Detection of vulnerable dependencies, inline script injection risks)
* WebSockets & Real-Time Communication Testing
* Cross-Origin Resource Sharing (CORS) Exploitability Checks

## Ongoing Security Assessments and Continuous Testing

Cobalt provides real-time security feedback throughout the engagement, enabling:

* Collaboration with developers and security teams
* Ongoing risk analysis & vulnerability triaging
* Proactive remediation guidance

## Reporting, Triaging, and Retesting

Cobalt pentesters report and triage all vulnerabilities during the assessment. You can review details of all [findings](https://cobalt-io.brainfish.ai/en-us/articles/findings-6prkG67iav), in real time, through the Cobalt platform. In these findings, as well as in any [report](https://cobalt-io.brainfish.ai/en-us/articles/reports-YkC2da1roR), Cobalt’s pentesters include detailed information, including:

* Step-by-step remediation guidance
* Recommendations on how to improve your overall security posture

You can [remediate findings](https://cobalt-io.brainfish.ai/en-us/articles/remediate-findings-22WPR0Fnlv) during and after the pentest. Then you can submit findings for retest. Our pentesters test the updated components and retest vulnerabilities to ensure that there are no security-related residual risks.

Web Methodologies

Cobalt Methodologies Overview

API Methodologies

External Network Methodologies

Internal Network Methodologies

Mobile Methodologies

Cloud Configuration Review Methodologies

Cloud Pentest Methodology

Desktop Methodologies

AI/LLM Methodologies

Digital Risk Assessment Methodology

Secure Code Review Methodologies

Methodologies

How to get started with Cobalt

Getting Started

Risk Advisories

Assets are what we pentest

Asset Types

Create an Asset

Assets

Pentests

Overview

Asset Details

Pentest Details

Scope & Test Period

Preparation

Create a Pentest

Pentest Process

Pentest States

Coverage Checklist

Pentest Expectations

Set Up an In-House Pentest

Complete an In-House Pentest (For Pentesters)

In House Pentests

Finding States

Severity Levels

Remediate Findings

Findings

Customize Your Report

Co-branded Reports

Contents of a Pentest Report

Reports

Engagements Overview

Digital Risk Assessment

Secure Code Review

Engagements

Insights

Planning

Attack Surface Monitoring (ASM)

Attack Surface

DAST Scanner Overview

Best Practices

Integrations

Partial Scans: Reduced Scope

Scans

Sequence recorder

Targets

Target Authentication

Extra Hosts

Blackout Period

DAST Scanner

Account Overview

Account Settings

Password Best Practices

Sign In to Cobalt

Troubleshoot Sign-in Issues

User Account

Collaboration Overview

Collaborate on Pentests

Groups

Manage Pentest Collaborators

Manage Notifications

User Roles and Permissions

Collaboration

Organization Overview

Manage Users

Your Cobalt Contract

Configure SAML SSO

How to Configure SAML 2.0 for Cobalt 

SAML Migration: Update Your Configuration

SCIM Provisioning Setup Guide

Configure Organization Settings

Organization

Track Your Credits

Cobalt Credits

Cobalt PtaaS Tiers

Credits

Cobalt Integrations Overview

Troubleshooting

Create Jira tickets for Findings

Send email notifications for Findings from Outlook

Create GitLab tickets for Findings

Create GitHub tickets for Findings

HTTP Connector

Import Assets from Google Sheets

Map Cobalt Pentest Finding Severity to Jira Issue Priority

Modify Jira Issue Summary to contain Pentest Title

Create Azure DevOps Work Item for Findings

Send MS Teams notifications for Findings

How to Guides

Connect your applications

Integration Builder

Synchronize Cobalt Severity Levels with Jira

Push Cobalt Findings to Jira

Jira Cloud Integration

Jira Data Center Integration

Troubleshoot Your Jira Integration

Switching to a New Jira Instance

Integrate Jira with Cobalt

Slack

Microsoft Teams

Webhooks

DefectDojo

Kenna Security

Vanta

Carried Over Findings

Create Test Finding

Cobalt API Overview

Create a Personal Cobalt API Token

Get an Organization Token

Revoke Your Personal Cobalt API Tokens

Create or Modify an Asset

Import Findings to Google Sheets

Cobalt API

Glossary

March 2026

February 2026

January 2026

November 2025 

August 2025

July 2025

June 2025

May 2025

April 2025

March 2025

January 2025

December 2024

November 2024

October 2024

September 2024

August 2024

July 2024

June 2024

May 2024

April 2024

March 2024

January 2024

What's New

Guide

Cobalt Product Documentation

Web Methodologies

Share

Share

Web Methodologies

Share

Share