Web Application Penetration Testing — Complete Guide for Indian Businesses 2026
Your web application is publicly accessible to the internet — which means it is also accessible to every threat actor on the planet. Web applications are the single most targeted attack surface in modern cyber operations. According to OWASP and Verizon DBIR data, over 40% of all data breaches involve web application attacks. In India, where digital services adoption has surged across BFSI, e-commerce, healthcare, and government, the exposure is immense.
Web Application Penetration Testing (WAPT) is the systematic process of testing a web application by simulating real-world attacks to identify exploitable vulnerabilities before malicious actors do. This guide explains what WAPT involves, the OWASP Top 10 vulnerabilities, testing methodology, what you receive as deliverables, and how to choose the right provider for your Indian business in 2026.
What is Web Application Penetration Testing?
Web application penetration testing is a security assessment in which trained security professionals actively attempt to compromise a web application — its front end, back end, APIs, authentication mechanisms, business logic, and underlying infrastructure — using the same techniques a real attacker would use.
Unlike automated vulnerability scanning (which runs tools to identify known vulnerabilities without exploiting them), web app penetration testing combines automated scanning with manual testing to identify complex vulnerabilities, business logic flaws, and chained attack paths that automated tools cannot detect.
The output is a detailed report identifying vulnerabilities with their severity, exploitation proof-of-concept evidence, business impact analysis, and specific remediation guidance.
Why Indian Businesses Need Web Application Penetration Testing
- India saw a 200%+ increase in web application attacks between 2022 and 2025 (CERT-In annual reports)
- Indian fintech applications, banking portals, and government e-services are specifically targeted by financially motivated threat actors
- SQL injection, broken authentication, and insecure APIs remain prevalent in Indian web applications, particularly those built without formal security review during development
- Regulatory mandates: RBI requires web application VAPT for internet-facing banking applications; SEBI CSCRF requires VAPT for stockbroker and AMC web portals; CERT-In empanelled VAPT is often a prerequisite for government contracts
- ISO 27001 and PCI DSS both require periodic penetration testing of applications in scope
OWASP Top 10:2021 — The Definitive Vulnerability Reference
The Open Web Application Security Project (OWASP) Top 10 is the industry-standard reference for the most critical web application security risks. The current version is OWASP Top 10:2021. Every web application penetration test should cover all 10 categories:
A01:2021 — Broken Access Control
The most prevalent vulnerability category, moving to the top position in 2021. Occurs when users can act outside of their intended permissions — accessing other users’ accounts, viewing sensitive files, modifying data without authorisation, or accessing administrative functions. Examples: insecure direct object references (IDOR), missing function-level access control, privilege escalation.
A02:2021 — Cryptographic Failures
Previously called “Sensitive Data Exposure.” Failures in cryptography that result in exposure of sensitive data. Includes transmitting data in clear text over HTTP, using weak or deprecated encryption algorithms (MD5, SHA-1, DES), improper key management, and unencrypted storage of passwords or payment card data.
A03:2021 — Injection
SQL injection, OS command injection, LDAP injection, and other injection attacks occur when untrusted data is sent to an interpreter as part of a command or query. SQL injection remains one of the most impactful vulnerabilities — a single SQLi vulnerability can expose an entire database. Indian payment and e-commerce applications remain frequently vulnerable.
A04:2021 — Insecure Design
A new category in 2021, addressing security design flaws at the architecture level — not implementation bugs, but missing or ineffective security controls built into the design. Requires threat modelling and security design review during the development phase.
A05:2021 — Security Misconfiguration
Improper configuration of web servers, application frameworks, cloud services, or security components. Examples: default credentials, verbose error messages revealing stack traces, unnecessary enabled features or services, missing security headers (CSP, HSTS, X-Frame-Options), misconfigured S3 buckets or cloud storage.
A06:2021 — Vulnerable and Outdated Components
Using libraries, frameworks, or other software components with known vulnerabilities. This includes outdated versions of jQuery, Log4j (Log4Shell), OpenSSL, WordPress plugins, and application server software. Many Indian applications continue to run years-old versions of open-source components with critical CVEs.
A07:2021 — Identification and Authentication Failures
Previously “Broken Authentication.” Weaknesses in authentication and session management. Includes permitting brute force attacks, allowing weak passwords, insecure “forgot password” flows, improper session token generation, session fixation, and missing MFA on sensitive functions.
A08:2021 — Software and Data Integrity Failures
New in 2021. Relates to code and infrastructure that does not protect against integrity violations — insecure CI/CD pipelines, insecure deserialisation, and reliance on plugins/libraries from untrusted sources without integrity verification.
A09:2021 — Security Logging and Monitoring Failures
Without adequate logging and monitoring, attacks go undetected. This includes insufficient logging of authentication events, failure to monitor logs for suspicious activity, and storing logs in formats that are easily tampered with. This vulnerability directly enables the long dwell times seen in successful breaches.
A10:2021 — Server-Side Request Forgery (SSRF)
Added to the OWASP Top 10 in 2021 as a standalone category. SSRF vulnerabilities allow attackers to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing — potentially accessing internal cloud metadata services, internal APIs, or internal network resources that are not internet-facing.
Web App Penetration Testing Methodology
Phase 1: Reconnaissance and Information Gathering
Passive and active information gathering about the target application. Includes subdomain enumeration, technology stack identification (server software, frameworks, CMS, programming language), API endpoint discovery, exposed credentials in GitHub repositories, and open-source intelligence (OSINT) gathering about the application.
Phase 2: Application Mapping
Systematic mapping of all application functionality — all pages, forms, input fields, authentication mechanisms, user roles, file upload functions, and API endpoints. Proxy tools like Burp Suite intercept all traffic between the browser and the server to build a comprehensive application map. This phase ensures complete coverage — no functionality is missed in testing.
Phase 3: Authentication and Authorisation Testing
Testing all authentication mechanisms for weaknesses: password policy enforcement, account lockout, username enumeration, MFA bypass, password reset flow, session token entropy and management, cookie security flags (HttpOnly, Secure, SameSite), and authorisation controls between different user roles.
Phase 4: Input Validation and Injection Testing
Testing all user-controlled input fields for injection vulnerabilities. This includes SQL injection (manual and automated with sqlmap), OS command injection, Server-Side Template Injection (SSTI), XML External Entity injection (XXE), and Cross-Site Scripting (XSS) — both reflected and stored.
Phase 5: Session Management Testing
Analysis of session token generation, transmission, storage, and termination. Testing for session fixation, session token predictability, CSRF (Cross-Site Request Forgery), inadequate session expiry, and insecure cookie configuration.
Phase 6: Business Logic Testing
This is where human expertise matters most and automated tools fail. Business logic testing examines whether the application correctly enforces its intended business rules. Examples: can a user purchase an item for a negative price? Can a user skip steps in a multi-step checkout process? Can a low-privilege user access high-privilege functions by manipulating request parameters?
Phase 7: API Security Testing
Modern applications are heavily API-driven. API testing covers REST and GraphQL endpoints for: broken object-level authorisation (BOLA/IDOR), excessive data exposure, lack of resource limiting (rate limiting, size limits), broken function-level authorisation, and injection vulnerabilities in API parameters.
Phase 8: Reporting
Compilation of all findings into a structured penetration test report. Each vulnerability is documented with technical evidence, business impact analysis, CVSS score, and actionable remediation guidance. The report includes both an executive summary and detailed technical findings.
Automated Scanning vs Manual Penetration Testing
| Aspect | Automated Scanning | Manual Penetration Testing |
|---|---|---|
| Business logic flaws | Cannot detect | Detected through manual testing |
| False positives | High — requires manual verification | Low — each finding is verified |
| Complex attack chains | Cannot chain vulnerabilities | Testers can chain multiple low-severity issues into critical findings |
| Authenticated testing | Limited | Full authenticated testing across all user roles |
| Coverage consistency | High — same checks run every time | Varies by tester — quality depends on skill |
| Regulatory acceptance | Not accepted as “penetration test” for RBI/SEBI | Accepted for regulatory compliance |
| Cost | Low | Higher — reflects skilled human time |
The conclusion is clear: automated scanning is a useful supplement to manual testing, but it cannot replace it. Regulators like RBI and SEBI explicitly require manual penetration testing by qualified personnel — not automated scans alone.
Black Box vs Grey Box vs White Box Testing
- Black Box: Tester has no prior knowledge of the application — simulates an external attacker with no insider information. Good for testing the external-facing attack surface, but may miss internal vulnerabilities due to limited access.
- Grey Box (recommended): Tester has partial information — typically user-level credentials, basic application documentation, and perhaps access to one or more user roles. Most realistic simulation of a compromised user account or insider threat. Provides the best balance of realistic attack simulation and testing depth.
- White Box: Tester has full access — source code, architecture diagrams, credentials for all roles, infrastructure documentation. Provides the most comprehensive coverage but requires more time and is not a simulation of a blind external attacker.
Tools Used in Web Application Penetration Testing
- Burp Suite Professional: The industry-standard intercepting proxy and web application testing platform. Used for manual testing, parameter tampering, session analysis, and custom attack payloads.
- OWASP ZAP: Open-source alternative to Burp Suite. Useful for automated scanning and as a proxy for manual testing.
- sqlmap: Automated SQL injection detection and exploitation tool. Used to confirm and exploit SQL injection vulnerabilities found during manual testing.
- nikto: Web server scanner that identifies common misconfigurations, outdated software, and known vulnerabilities in web servers.
- ffuf / gobuster: Content and directory discovery tools that enumerate hidden paths, files, and API endpoints not visible in normal application navigation.
- nuclei: Template-based vulnerability scanner — rapidly checks for thousands of known CVEs and misconfigurations.
- Subfinder + amass: Subdomain enumeration tools used in reconnaissance phase.
What Web Application Pentest Deliverables Include
A quality WAPT engagement from a CERT-In empanelled provider should deliver:
- Executive Summary: Non-technical overview of overall security posture, most critical findings, and business risk
- Risk Rating Summary: Count of Critical, High, Medium, Low, and Informational findings with CVSS scores
- Detailed Findings: For each vulnerability: vulnerability name, affected URL/parameter, evidence (screenshots, proof-of-concept), CVSS score, OWASP category, business impact, and step-by-step remediation guidance
- OWASP Top 10 Coverage Matrix: Summary of which OWASP categories were tested and findings in each
- Remediation Guidance: Specific, actionable remediation for each finding
- Retest: After remediation, a retest of all reported findings to verify successful remediation (included in reputable providers’ engagements)
- Letter of Attestation: A formal letter confirming the VAPT was conducted by a CERT-In empanelled organisation — required for regulatory submissions
Cost of Web Application Penetration Testing in India
| Application Complexity | Description | Typical Cost (India) | Duration |
|---|---|---|---|
| Simple / Static | Brochure site, simple form, under 50 pages | ₹25,000 – ₹60,000 | 2–3 days |
| Medium Complexity | E-commerce site, SaaS app, 50–200 pages, user authentication | ₹75,000 – ₹1,50,000 | 5–8 days |
| High Complexity | Banking portal, fintech app, 200+ pages, multiple user roles, APIs | ₹1,50,000 – ₹3,50,000 | 10–15 days |
| Enterprise Application | Core banking system, large SaaS platform, ERP, complex API ecosystem | ₹3,00,000 – ₹10,00,000+ | 15–30+ days |
| API-only Testing | REST/GraphQL API assessment only | ₹40,000 – ₹1,50,000 | 3–7 days |
Regulatory Requirements for Web Application Penetration Testing in India
- RBI (Reserve Bank of India): Banks and NBFCs are required to conduct VAPT of internet-facing applications under RBI Master Direction on IT 2023. Results must be reported to the board and kept available for RBI inspection.
- SEBI CSCRF: QREs and MIIs must conduct web application VAPT at least annually on all internet-facing applications, conducted by CERT-In empanelled organisations.
- CERT-In Empanelment Requirement: For regulatory compliance purposes in India, the VAPT provider must be on the CERT-In empanelled organisations list.
- ISO 27001:2022: Control A.8.8 requires management of technical vulnerabilities, including periodic penetration testing.
- PCI DSS v4.0: Requirement 11.4 mandates penetration testing at least annually and after any significant infrastructure or application change.
MDIT Services Web Application Penetration Testing
MDIT Services is a CERT-In empanelled organisation providing expert web application penetration testing for Indian businesses across BFSI, e-commerce, SaaS, healthcare, and government sectors. Our WAPT team holds OSCP, BSCP (Burp Suite Certified Practitioner), and CEH certifications and conducts comprehensive manual-led testing aligned with OWASP Testing Guide v4.2.
What sets MDIT apart:
- 100% manual testing — no report-padding from unverified automated scan output
- Business logic testing as standard — not an afterthought
- Free retest after remediation
- Letter of Attestation for regulatory submissions
- Compliance-mapped reports for RBI, SEBI, ISO 27001, and PCI DSS requirements
- Developer-friendly remediation guidance with code-level examples where applicable
Contact MDIT Services for a web application penetration testing quotation and turnaround timeline.
Call us: +91-11-XXXX-XXXX | Email: vapt@mditservices.in | Website: mditservices.in
