WEB APPLICATION TESTING · OWASP TOP 10 · MANUAL EXPLOITATION · BUSINESS LOGIC

Expose the vulnerabilities scanners can't find. Manual web application testing.

Deep manual testing of web applications beyond automated scanning. OWASP Top 10 coverage, server-side exploitation, client-side attacks, authentication bypass, session management vulnerabilities, and supply chain injection.

Web Application Security

Beyond Automated Scanning

Automated scanners detect pattern-matched vulnerability signatures. Manual adversarial testing models how an attacker thinks — discovering business logic flaws, chained exploits, and trust boundary violations that have no signature.

Detection Coverage Gap (Automated Scanner vs Manual Testing)
Business Logic Flaws: scanner 0%, manual 100%
Auth Bypass Chains: scanner 0%, manual 100%
Chained Attack Paths: scanner 0%, manual 100%
IDOR / Access Control: scanner 0%, manual 100%
Injection Variants: scanner 0%, manual 100%
Session Vulnerabilities: scanner 0%, manual 100%
Client-Side Attacks: scanner 0%, manual 100%
96% of business logic vulns missed by scanners
100% manual testing — zero scanner-only findings
60% of web apps contain at least one critical vuln
Server-Side (avg CVSS 9.2)
SQL / NoSQL Injection: CWE-89, CVSS 9.8
Server-Side Template Injection: CWE-94, CVSS 9.3
XXE Injection: CWE-611, CVSS 8.6
SSRF → Internal VPC: CWE-918, CVSS 9.1
Insecure Deserialization: CWE-502, CVSS 9.8
Industry Standards

OWASP Top 10 Full Coverage

Every OWASP category is tested with manual exploitation techniques, real payloads, and chained attack paths — not automated scanner checks.

OWASP Top 10 test matrix (columns: rank, vulnerability, CWE, CVSS, exploit difficulty, Prev. = prevalence)

01  Broken Access Control           CWE-284   CVSS 9.1  Exploit: Easy      Prev.: 94%
02  Cryptographic Failures          CWE-311   CVSS 8.7  Exploit: Easy      Prev.: 83%
03  Injection                       CWE-89    CVSS 9.8  Exploit: Easy      Prev.: 78%
04  Insecure Design                 CWE-840   CVSS 7.5  Exploit: Moderate  Prev.: 71%
05  Security Misconfiguration       CWE-16    CVSS 7.3  Exploit: Easy      Prev.: 90%
06  Vulnerable Components           CWE-1035  CVSS 7.8  Exploit: Moderate  Prev.: 77%
07  Auth & Session Failures         CWE-287   CVSS 8.1  Exploit: Easy      Prev.: 68%
08  Software & Data Integrity       CWE-494   CVSS 7.2  Exploit: Moderate  Prev.: 52%
09  Logging & Monitoring Failures   CWE-778   CVSS 6.5  Exploit: Hard      Prev.: 87%
10  SSRF                            CWE-918   CVSS 7.4  Exploit: Moderate  Prev.: 43%


10/10 OWASP categories covered
3 critical severity categories
100% manual exploitation — no scanner
CVSS v3.1 scoring on every finding
Web Pentest / SQL Injection

SQL Injection Attack Lab

Live demonstration of 4 SQL injection techniques against real application endpoints. Each scenario shows actual payloads, database responses, and extracted data — replicating Spakto engagement findings.

Scenario: UNION-Based Injection (sqlmap-ng)
Target endpoint: GET /api/products?id=
Technique: UNION SELECT column enumeration → data exfiltration
Payload: GET /api/products?id=42 UNION SELECT username,password_hash,email,NULL FROM users--
Target DB: MySQL 8.0.34 | App: Node.js/Express | ORM: raw query (no prepared statements)

Techniques covered:
UNION: integer parameter, no sanitization. UNION SELECT column enumeration.
Blind Bool: string parameter, WAF partial bypass. Binary search character extraction via TRUE/FALSE response differences.
Time-Based: stored procedure, response uniform (no bool diff). Conditional time delays for TRUE/FALSE inference (MSSQL WAITFOR DELAY).
Error-Based: XPATH/EXTRACTVALUE verbose error mode enabled. Force DB engine to embed query results inside error message text.
Structured Approach

Eight-Phase Testing Methodology

A repeatable, evidence-based engagement structure. Each phase produces specific artifacts — from attack surface maps to signed-off remediation code.

PHASE 01 OF 08 · Day 1

Reconnaissance

Amass · Shodan · Wayback · Wappalyzer

Passive enumeration of the target application's attack surface without sending active probes. Technology fingerprinting, subdomain discovery, open-source intelligence gathering.

Input: domain / IP scope; any prior audit reports; technology stack (optional)
Actions: passive DNS enumeration; web archive analysis; tech stack fingerprinting; GitHub / Shodan OSINT; API endpoint discovery
Output: attack surface map; technology inventory; scope boundary doc; risk hypothesis list
Assessment Duration: 8–10 days (standard web application engagement)
Report Delivery: 48 hours from final test day to draft delivery
Expert Seniority: 8+ years, specialist on every engagement
Findings Retest: included, free retest on all critical/high findings
Web Pentest / Request Manipulation

HTTP Intercept & Exploit

Intercept, modify, and replay HTTP requests to demonstrate authorization flaws, JWT weaknesses, and server-side trust vulnerabilities. Each scenario shows exactly what changes and why the server accepts it.

Browser / client request:
GET /api/v2/invoices/4721 HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo5OTk4fQ...
X-User-ID: 9998
Accept: application/json

Original response:
HTTP 200 {"invoice_id":4721,"amount":1240.00,"client":"AcmeCorp","status":"paid"}

Proxy (forwarding the modified request to the server / API):
GET /api/v2/invoices/1001 HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo5OTk4fQ...
X-User-ID: 9998 (unchanged)
Accept: application/json

What was changed & why it works:
URL path: original /api/v2/invoices/4721, modified /api/v2/invoices/1001
Root cause: changed invoice ID from 4721 (own) to 1001 (other user's). No ownership check server-side.
IDOR — access to any invoice by ID. Banking details of unrelated customers exposed. CWE-639
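The handler shape behind the intercept demo above, as an added example that is not code from the page or from Spakto: the lookup with no ownership check (the demo's root cause), a variant that checks ownership against the client-supplied X-User-ID header and is therefore still bypassable, and the hardened form that compares the row's owner with the identity taken from the verified bearer token. The invoice records, the `makeRequest` helper and the `req.auth.userId` field (assumed to be populated by auth middleware after signature verification) are constructed for this example; plain functions stand in for Express routes so it runs offline.

```javascript
// Added example (not the page's or Spakto's code): the invoice handler shape
// behind the intercept demo, as plain functions rather than real Express
// routes so it runs offline. Request objects mimic Express (req.params,
// req.headers, req.auth); req.auth is assumed to be set by auth middleware
// after the bearer token's signature has been verified.

// Constructed sample data, not real customer records. Ids follow the demo:
// invoice 4721 belongs to user 9998, invoice 1001 belongs to someone else.
const INVOICES = new Map([
  [4721, { invoice_id: 4721, owner_id: 9998, amount: 1240.0, client: 'AcmeCorp', status: 'paid' }],
  [1001, { invoice_id: 1001, owner_id: 3142, amount: 88.5, client: 'Other Ltd', status: 'open' }],
]);

// Builds an Express-like request. The X-User-ID header defaults to the
// authenticated id but can be set independently, because on the wire it is
// whatever the client chooses to send.
function makeRequest(invoiceId, authUserId, headerUserId = String(authUserId)) {
  return {
    params: { id: String(invoiceId) },
    headers: { 'x-user-id': headerUserId },
    auth: { userId: authUserId },
  };
}

const notFound = () => ({ status: 404, body: { error: 'not found' } });

// VULNERABLE (the demo's root cause): looks the row up by path id only.
// Any authenticated user can read any invoice by changing the number.
function getInvoiceVulnerable(req) {
  const inv = INVOICES.get(Number(req.params.id));
  return inv ? { status: 200, body: inv } : notFound();
}

// STILL VULNERABLE: checks ownership, but against the client-supplied
// X-User-ID header, which the client controls as freely as the path.
function getInvoiceHeaderTrusting(req) {
  const inv = INVOICES.get(Number(req.params.id));
  if (!inv || String(inv.owner_id) !== req.headers['x-user-id']) return notFound();
  return { status: 200, body: inv };
}

// HARDENED: the requester identity comes from the verified token/session
// (req.auth.userId) and the row is returned only when it belongs to that
// user. With a database the same check is the extra predicate
// "AND owner_id = ?" on the lookup query. 404 rather than 403 so the
// response does not confirm that the id exists.
function getInvoiceHardened(req) {
  const inv = INVOICES.get(Number(req.params.id));
  if (!inv || inv.owner_id !== req.auth.userId) return notFound();
  return { status: 200, body: inv };
}
```

The detection side of the same finding is a log query: a single session fetching many sequential invoice ids, or a request whose X-User-ID header disagrees with the token's subject, is the pattern a monitoring rule should alert on.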
12+ auth bypass vectors
1–3 avg requests to exploit
100% coverage: OWASP A01/A02
91% manual-only discovery
Exploitation Techniques

Attack Vector Deep Dive

Step-by-step exploitation methodology for each vector class — from initial detection to full chain compromise. Every finding includes reproduction steps and CVSS scoring.

Critical · CWE-89 · MITRE T1190

SQL / NoSQL Injection

CVSS v3.1: 9.8 · Avg time-to-exploit: 2.3h

Unsanitized user input reaches a database interpreter. Union-based, blind boolean, time-based, and error-based techniques used to extract credentials, bypass auth, or achieve RCE via xp_cmdshell / UDF.

Exploitation Chain
1. Detect: id=1 AND 1=1 vs 1=2 — response difference confirms injectable parameter
2. Enumerate: ORDER BY N / UNION SELECT NULL — determine column count and data types
3. Exfiltrate: UNION SELECT username,password_hash FROM users — dump credential table
4. Escalate: LOAD_FILE / xp_cmdshell — OS command execution from DB privilege
Affected Stack: MySQL, PostgreSQL, MongoDB, MSSQL
Reference CVEs: CVE-2023-23752 (Joomla) · CVE-2024-27956 (WordPress)
Avg Time-to-Exploit: 2.3h
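The lab earlier on this page attributes the finding to a raw query with no prepared statements, and the chain above walks from detection to exfiltration. As an added example that is not code from the page or from Spakto, this shows that query-construction pattern next to its parameterized form for the lab's GET /api/products?id= endpoint, plus a detection signal that flags the detect-step and UNION inputs in request logs. No database is contacted; `buildProductQueryUnsafe`, `buildProductQuerySafe`, `handleProductsRequest` and `looksInjected` are names chosen here, and the `{sql, values}` shape is the pair a driver such as mysql2's `execute(sql, values)` accepts.

```javascript
// Added example (not the page's or Spakto's code): the root-cause pattern
// (raw query, no prepared statements) beside its parameterized form, for the
// lab's GET /api/products?id= endpoint. Nothing talks to a database; the
// functions return the SQL a handler would send.

// The lab's UNION payload, reused here as sample input.
const SAMPLE_PAYLOAD = '42 UNION SELECT username,password_hash,email,NULL FROM users--';

// VULNERABLE: the raw parameter is spliced into the query text, so whatever
// follows the number is parsed as SQL. A bare id and the payload above both
// come back as one syntactically valid query string.
function buildProductQueryUnsafe(id) {
  return `SELECT id, name, price FROM products WHERE id = ${id}`;
}

// HARDENED: validate the parameter's shape, then keep the value out of the
// query text by binding it. The returned {sql, values} pair is what a driver
// such as mysql2's execute(sql, values) takes; the database receives the
// value as data, never as SQL.
function buildProductQuerySafe(id) {
  if (typeof id !== 'string' || !/^[0-9]{1,10}$/.test(id)) {
    throw new TypeError('id must be a positive integer');
  }
  return {
    sql: 'SELECT id, name, price FROM products WHERE id = ?',
    values: [Number(id)],
  };
}

// Handler skeleton: a validation failure becomes a 400, not a query.
function handleProductsRequest(rawId, buildQuery) {
  try {
    return { status: 200, query: buildQuery(rawId) };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}

// Detection signal for request logs or a WAF rule set: SQL keywords, comment
// markers or an "AND/OR n=n" tautology in a parameter that should only ever be
// a number. A keyword list is a monitoring aid, not a replacement for
// parameterized queries (the lab's blind-boolean scenario notes a partial WAF
// bypass for exactly that reason).
const SQL_MARKERS = /\b(UNION|SELECT|SLEEP|BENCHMARK|WAITFOR|EXTRACTVALUE|UPDATEXML)\b|--|\/\*|\b(AND|OR)\b\s+\d+\s*=\s*\d+/i;
function looksInjected(rawParam) {
  return SQL_MARKERS.test(String(rawParam));
}
```

The integer check does the real work for this endpoint; the placeholder matters for the string-parameter scenarios in the lab, where no shape check can substitute for binding.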
Web Pentest / Authentication

Auth & Session Security Matrix

26 authentication, session, and OAuth test cases — covering JWT weaknesses, session management flaws, MFA bypass chains, and OAuth authorization vulnerabilities found in production web applications.

12 vulnerable · 5 warning · 7 secure · Avg CVSS (failures): 7.3
Category  Test case                        CVSS  Status
JWT       Algorithm None Attack            9.1   VULNERABLE
JWT       HS256/RS256 Confusion            8.8   VULNERABLE
JWT       Secret Weak Entropy Brute        7.5   VULNERABLE
JWT       JWK Injection via kid            7.2   WARNING
JWT       Expiry Bypass (nbf/exp)          -     SECURE
JWT       Signature Strip Test             -     SECURE
Session   Token Entropy (128-bit min)      7.0   VULNERABLE
Session   Session Fixation                 8.1   VULNERABLE
Session   Concurrent Session Limit         4.3   WARNING
Session   Secure + HttpOnly Flags          -     SECURE
Session   SameSite Cookie Attribute        6.5   VULNERABLE
Session   Session After Logout             7.8   VULNERABLE
MFA       OTP Brute Force Rate Limit       8.3   VULNERABLE
MFA       OTP Length & Entropy             5.4   WARNING
MFA       MFA Bypass via Password Reset    8.6   VULNERABLE
MFA       SMS OTP Interception Risk        6.1   WARNING
MFA       Backup Codes Single-Use          -     SECURE
MFA       MFA Enrollment Hijacking         -     SECURE
OAuth     State Parameter CSRF             8.0   VULNERABLE
OAuth     Redirect URI Wildcard            7.4   VULNERABLE
OAuth     PKCE Enforcement                 6.8   WARNING
OAuth     Token Leakage in Referrer        6.5   VULNERABLE
OAuth     Scope Restriction Enforce        -     SECURE
OAuth     Client Credential Storage        -     SECURE
JWT TAMPER DEMONSTRATION
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI5OTk4IiwiZW1haWwiOiJqb2huQGNvcnAuY29tIiwicm9sZSI6InVzZXIiLCJpYXQiOjE3MTYyMTc2MDAsImV4cCI6MTcxNjMwNDAwMH0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
TOP CRITICAL FINDINGS
Algorithm None Attack: 9.1
HS256/RS256 Confusion: 8.8
MFA Bypass via Password Reset: 8.6
OTP Brute Force Rate Limit: 8.3
Session Fixation: 8.1
FAILURE RATE BY CATEGORY
JWT: 3/6 fail
Session: 4/6 fail
MFA: 2/6 fail
OAuth: 3/6 fail
Technology Integration

AI-Powered Web Testing

Machine learning maps the attack surface. Human experts exploit it. The combination uncovers vulnerabilities that neither approach can identify alone.

Faster Discovery: JS-rendered SPA traversal; API schema inference (OpenAPI / GraphQL); hidden parameter detection; shadow route enumeration
80% Coverage Increase: stack-aware SQLi (PostgreSQL vs MySQL syntax); framework-specific SSTI gadget chains; runtime type inference; WAF bypass encoding variants
Deeper Analysis: risk surface scoring per endpoint; auth flow & privilege context detection; payment path auto-prioritization; business logic context mapping

Detection Coverage Analysis: vulnerability coverage by methodology (based on OWASP Benchmark v1.2 + real-world pentest data, 2024)
Automated DAST scanner: signature-based only
Burp Suite Pro (automated): extended active scan
Spakto AI-augmented manual: full attack surface
Business logic bypasses: 0% scanner → 100% manual
IDOR at application scale: <5% scanner → 92% manual
JWT algorithm confusion: 0% scanner → 100% manual
Coverage Analysis

What Automated Scanners Miss

Empirical coverage data across 18 vulnerability classes. Scanners excel at pattern matching — the highest-impact vulnerabilities require human reasoning, chained logic, and context-aware exploitation.

37% scanner avg coverage across 18 vulnerability classes
93% manual expert coverage (PTES-methodology pentest)
+56% coverage delta: more depth with manual testing
8/10 critical classes missed: critical vulns with <50% scanner coverage
Vulnerability              Category · CWE               Delta (manual over scanner)  Impact
Business Logic Flaws       Business Logic · CWE-840     +84%                         High
IDOR / BOLA                Auth / Access · CWE-639      +82%                         Critical
Race Conditions            Business Logic · CWE-362     +81%                         High
Cache Poisoning            Config / Infra · CWE-436     +77%                         Critical
Insecure Deserialization   Injection · CWE-502          +70%                         Critical
SSRF                       Injection · CWE-918          +69%                         Critical
Broken Authentication      Auth / Access · CWE-287      +63%                         Critical
Cryptographic Failures     Cryptography · CWE-327       +63%                         Critical
Subdomain Takeover         Config / Infra · CWE-923     +61%                         High
File Upload Bypass         Business Logic · CWE-434     +56%                         Critical
SSTI                       Injection · CWE-1336         +55%                         Critical
XXE Injection              Injection · CWE-611          +49%                         High
CSRF                       Auth / Access · CWE-352      +48%                         High
CORS Misconfiguration      Config / Infra · CWE-942     +41%                         High
Path Traversal             Injection · CWE-22           +40%                         High
SQL Injection              Injection · CWE-89           +29%                         Critical
Open Redirect              Client-side · CWE-601        +29%                         Medium
Cross-Site Scripting       Client-side · CWE-79         +23%                         High
Top Automation Blind Spots
1. Business Logic Flaws (Business Logic)
2. IDOR / BOLA (Auth / Access)
3. Race Conditions (Business Logic)
4. Cache Poisoning (Config / Infra)
5. Insecure Deserialization (Injection)
6. SSRF (Injection)
Coverage By Category (number of vulnerability classes): Injection (6), Auth / Access (3), Business Logic (3), Config / Infra (3), Cryptography (1), Client-side (2)
Methodology Note — Coverage percentages represent detection rates across real-world assessment data aggregated from 400+ web application engagements (2022–2025), benchmarked against OWASP WSTG v4.2 test cases. Scanner data reflects combined output of DAST tools (Burp Suite Pro, OWASP ZAP, Nuclei). Manual coverage uses PTES + OWASP Testing Guide methodology with a qualified security engineer.
Our Competitive Edge

Why Teams Choose Spakto

Not scanner output repackaged. Not offshore commoditized testing. Every engagement is staffed with certified specialists who approach your application as an adversary would.

47+ web app engagements completed
94% finding accuracy rate
8.9 average CVSS on findings
<48h report delivery from kickoff
OWASP-Certified Experts (GWAPT · OSCP · OSWE): 100% certified specialists on every web engagement
Zero False Positives (manual verification): 0% false positive rate, every finding manually confirmed
Business Logic Testing (scanner-blind coverage): 100% of business logic test cases are manual-only
Compliance-Aligned Output (PCI-DSS · OWASP · ISO 27001): 3+ compliance frameworks covered in every assessment
Live Threat Assessment

Your application has attack paths waiting to be found.

Manual web application testing surfaces what automated scanners structurally cannot detect — business logic bypasses, chained exploits, and authentication flaws that require human adversarial thinking to uncover.
