Website Penetration Testing Assessment (W/PTA)

This assessment focuses specifically on the client's website and is performed both with client-supplied application credentials (authenticated, White Box Testing) and without credentials (unauthenticated, Black Box Testing), so that the site is examined from the perspective of a legitimate user as well as an anonymous attacker. CastleGarde's website penetration testing methodology begins with a discovery service that closes the visibility gap by enumerating the client's public-facing web applications and establishing the scope. The next step is an application risk assessment that quickly identifies exploitable vulnerabilities, such as those catalogued in the OWASP Top 10 and the CWE/SANS Top 25. CastleGarde then performs a comprehensive deep scan using customized scripts, run in both authenticated and unauthenticated modes, to identify web application vulnerabilities, including the attack vectors noted in the OWASP Top 10 and the CWE/SANS Top 25.

Three distinct application tests are performed by CastleGarde

1. Dynamic application security testing (DAST)

Automated web application vulnerability scanners crawl the running application to map its pages, forms and parameters, then send crafted requests to each input and analyze the responses for the most common application security vulnerabilities. Because DAST exercises the deployed application over HTTP, it finds issues regardless of implementation language, but it can only test what the crawler is able to reach.

2. Static application security testing (SAST)

Static application security testing is a complete analysis of the application's source. CastleGarde analyzes the application's source code, byte code and binaries to identify deviations from secure coding practices that indicate security vulnerabilities within the application itself, including flaws in code paths that a dynamic scan may never exercise.

3. Manual application security testing

Authentication and authorization logic is frequently overlooked by automated web application scanners, which cannot judge whether a given user should have been allowed to perform a given action. In these circumstances CastleGarde performs manual testing to obtain adequate detail about the vulnerabilities in the application. OWASP provides an extensive set of test cases that can be leveraged for manual testing in areas that automated scanners may not cover; the OWASP Top 10 (2013 edition) referenced above is listed at https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013.
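The kind of authorization flaw that automated scanners miss, and the manual check a tester runs for it, as an added example (this is illustrative code written for this page, not CastleGarde's tooling). It models an Insecure Direct Object Reference: two handlers serve the same `/invoices/<id>` route, one trusting the id in the URL and one scoping the lookup to the authenticated user, and a small harness replays a request under a second user's session to detect horizontal privilege escalation. The sessions, invoice records, handler names and request/response classes are all constructed for the example.

```python
"""Manual access-control (IDOR) check against a vulnerable and a hardened handler.

Added example for this page; not CastleGarde code. Sessions, invoices and the
request model below are constructed test fixtures, not a real application.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data: two users, each owning one invoice.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
INVOICES = {
    1001: {"owner": "alice", "amount": 250.00},
    1002: {"owner": "bob", "amount": 99.00},
}


@dataclass
class Request:
    path: str
    cookies: Dict[str, str]


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def current_user(req: Request) -> Optional[str]:
    """Resolve the session cookie to a user name, or None if unauthenticated."""
    return SESSIONS.get(req.cookies.get("session", ""))


def invoice_id_from_path(path: str) -> Optional[int]:
    """Parse /invoices/<digits>; anything else is rejected."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "invoices" or not parts[1].isdigit():
        return None
    return int(parts[1])


def vulnerable_handler(req: Request) -> Response:
    """Authenticates the caller but never checks who owns the requested id."""
    if current_user(req) is None:
        return Response(401)
    inv = INVOICES.get(invoice_id_from_path(req.path))
    if inv is None:
        return Response(404)
    return Response(200, inv)


def hardened_handler(req: Request) -> Response:
    """Scopes the lookup to the authenticated user's own records."""
    user = current_user(req)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id_from_path(req.path))
    # 404 rather than 403 so the existence of other tenants' ids is not leaked.
    if inv is None or inv["owner"] != user:
        return Response(404)
    return Response(200, inv)


def idor_test(handler: Callable[[Request], Response], victim_session: str,
              attacker_session: str, path: str) -> dict:
    """Manual authorization test: fetch a resource as its owner, then replay the
    identical request with another user's session and with no session at all.
    Returns which access-control failures were observed."""
    baseline = handler(Request(path, {"session": victim_session}))
    if baseline.status != 200:
        return {"vulnerable": False,
                "findings": ["baseline request failed; test inconclusive"]}
    findings = []
    anon = handler(Request(path, {}))
    if anon.status == 200:
        findings.append("unauthenticated access to " + path)
    replay = handler(Request(path, {"session": attacker_session}))
    if replay.status == 200 and replay.body == baseline.body:
        findings.append("horizontal privilege escalation: %s read %s"
                        % (SESSIONS[attacker_session], path))
    return {"vulnerable": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler),
                          ("hardened", hardened_handler)):
        print(name, idor_test(handler, "sess-alice", "sess-bob", "/invoices/1001"))
```

A scanner sees a 200 response with valid JSON in both cases and has no way to know the second response should not have been returned; the tester does, because the test compares the owner's view with the replayed view. The hardened handler answers 404 for another tenant's record, which also avoids confirming that the id exists.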

The assessment tests for the following vulnerability classes:

  • Authentication
  • Authorization and Access Control
  • Session Management
  • Data and Input Validation
  • Injection Flaws
  • Buffer Overflows
  • Error Handling
  • Logging
  • Remote Administration
  • Web Application and Server Configuration