Bulletproof's Web Application Penetration Testing Service is a professional security testing service that assesses the security of web applications and APIs through both authenticated (white box) and unauthenticated (black box) testing approaches. The service is delivered by CREST-certified penetration testers who follow a 6-step methodology: scope definition and pre-engagement, intelligence gathering and threat modelling, vulnerability analysis, exploitation, post-exploitation, and reporting. Testing methodologies include Static Application Security Testing (SAST) for source code reviews and Dynamic Application Security Testing (DAST) to simulate real-world attacks on running applications. Both methodologies are applicable to web applications and APIs, and are aligned with OWASP best practices. Key areas of testing include: - Input validation (SQL injection, XSS, CSRF) - API security testing - Secure file upload functionality - Encryption and data transport security - Error handling and information disclosure - Security patching and outdated component detection Testing covers the top 10 most common web application vulnerabilities including improper access controls, stored/reflected XSS, SQL injection, CSRF, SSRF, CSV injection, and arbitrary/unrestricted file upload. Results are delivered through a threat dashboard that prioritises findings and provides remediation guidance, along with a comprehensive report containing an executive summary and technical breakdown. Continuous automated security testing is also available. Clients who book a web app pen test receive 12 months of free vulnerability scanning on up to 8 IP addresses.