Application penetration testing

Web penetration testing is focused on finding security vulnerabilities in a target application environment that could let an attacker obtain unauthorized access to the application or exploit its functionality to gain access to sensitive information, underlying OS, or conduct unauthorized actions (i.e. transactions in a banking application). Unlike vulnerability assessment activities, goals of penetration testing include ensuring all vulnerabilities identified are exploitable and can be combined to create an attack chain. However, penetration testing does not focus on achieving specific goals like adversary simulation or Red Team activities, including in scope all potential compromise scenarios.


The application penetration testing activity has a strict predefined scope, that includes all endpoints and parts of the application environment available to an attacker. This ensures that vulnerabilities that may arise when interacting with different parts of the application (i.e. mobile and web APIs) are covered by the scope.

Penetration testing models

Penetration testing activities may be performed with different levels of environment information and access available to the tester. Testing methods and techniques differ based on that level, and it is sometimes recommended to conduct testing in several stages to have a better understanding of the application and potential security risks.

Blackbox testing

Blackbox testing implies no previous knowledge of the application, its components, architecture, and functionality is provided to the tester. Also, no test accounts except for initial access are created for the penetration test. Although this test allows emulation of an outside threat, it is recommended to combine BlackBox testing with other methods to improve testing coverage.

Greybox testing

Greybox testing expands upon BlackBox methods, providing the attacker with client accounts, API documentation and schematics, and a list of application components. This method is the most common, as it allows balancing the effectiveness of the testing with an adequate simulation of a persistent outside threat.

WhiteBox testing

WhiteBox testing implies complete administrative access to all hosts in the environment and all components of the application, including its source code. Although complete security code reviews are not usually performed, knowledge of underlying mechanisms, frameworks, and architecture makes WhiteBox testing the most efficient out of the three methods. Also, it becomes easier to verify the exploitability of discovered flaws, as potentially unseen from outside server-side effects can be identified by the tester.

WhiteBox testing makes it harder to assess identified risks and determine the exploitability of the application from the outside, as the attacker usually does not have similar knowledge about the application environment. However, it is still safer to assume that a persistent attacker has near-infinite time to discover vulnerabilities, and WhiteBox testing can help discover not only the most probable but all potential security flaws.


In order to conduct application penetration tests, we rely on industry-wide accepted best practices and methodologies, mainly:

  • OSSTMM (Open Source Security Testing Methodology Manual)
  • OWASP (Open Web Application Security Project) manuals and guidelines
  • NIST and ISACA penetration testing and auditing standards and guidelines

Relying on industry standards helps us not only to maintain a consistent testing process but to provide our customers with thorough and standard-compliant penetration tests.

Related services:

Case study: Payment processing API penetration testing

Case study: Payment processing API penetration testing

Penetration test: complete compromise of the transaction processing API, which allowed to initiate unsolicited payments on behalf of other registered customers.

Read More

Penetration testing

Penetration testing What problem does Tenendo help to solve? Mitigating information security risks by providing organizations with on-demand independent security testing and accurate threat actor simulations. talk to an expert

Read More
Infrastructure penetration testing

Infrastructure penetration testing

Infrastructure penetration testing focuses on the security of both the application environment and the supporting infrastructure, including third-party services and applications. The testing is performed with a combination of manual and automated techniques, tailored for…

Read More

Need more information?

Post navigation