Web Application Penetration Test.
Full-coverage application assessment when source-assisted access is not available.
What it covers.
- External application surface against the OWASP Top 10 and the application's documented role boundaries.
- Session, authentication, and authorization paths reachable without source access.
- Misconfiguration of the application server, reverse proxy, and TLS where in scope.
What we need from you.
- Application URL, account-creation flow or per-role credentials, and a brief role description.
- Authorization to test before any traffic is sent.
- A stakeholder contact for emergency stop and account-lockout recovery.
How it runs.
- Pre-engagement intake, mutual NDA, and the legal-instrument set apply identically to gray-box engagements.
- Active testing runs against the agreed environment without source-assisted context.
- Findings are validated manually before any severity is assigned.
- Report is reviewed against a defensibility checklist before delivery.
What the deliverable is.
- Executive summary, per-finding write-ups, and an evidence pack at the same standard as gray-box engagements.
- Explicit note in the executive summary that testing was performed without source-assisted access.
What Veyra will not claim.
- We will not say the application is secure.
- We will not represent black-box coverage as gray-box coverage.
Read a redacted sample report, or describe the system you want assessed.
Engagement requests receive a reply from a named assessor within one business day.