Penetration Testing

Web application penetration testing, and every app in between.

Modern apps are sprawling attack surfaces: web front ends, mobile clients, and the APIs behind them. SubRosa tests all of them for the business-logic abuse and access-control flaws scanners miss, focused on exploitable risk and real business impact.

Web · Mobile · API · Source code · OWASP Top 10

Web app penetration testing, defined

What is web application penetration testing?

Web application penetration testing is a hands-on security assessment of an application, its front end, APIs, authentication, and business logic, to find the vulnerabilities an attacker could exploit: broken access control, injection, authentication bypass, and logic abuse like account takeover. Unlike an automated scan, it tests the flows and edge cases a real attacker would, across roles and states, and proves what data or actions they could actually reach.

What we test

Web, mobile, and the APIs behind them.

Specialized testing across every application type and layer in your environment.

Web application testing

Full OWASP Top 10 coverage plus authentication, session, and business-logic testing: account takeover, privilege escalation, and data exposure across roles and states.

API security testing

REST and GraphQL APIs tested against the OWASP API Top 10: broken object and function-level authorization, mass assignment, and over-permissive data exposure.

Mobile application testing

iOS and Android assessment covering API traffic, local data storage, and reverse engineering of the compiled app.

Source code review

Manual and automated review of your source to catch vulnerabilities, insecure patterns, and architectural issues before they ship.

Why SubRosa

Beyond the scanner, into the logic.

Business-logic focus

Automated tools miss logic abuse. We test the flows attackers exploit, account takeover, authorization bypass, and state manipulation, that no scanner can find.

Full-stack coverage

We test across UI, API, and backend layers, chaining conditions to show how a low-severity gap becomes a full compromise.

Developer-ready findings

Every finding comes with reproduction steps, affected code paths, and clear remediation guidance your engineers can act on immediately.

Every vulnerability, tracked to fixed.

From finding to fix.

Your application testing findings live in Sable, prioritized, assigned to owners, and tracked from open to retested, so remediation stays on the rails and nothing slips.

App findings in Sable
Application findingsWeb · API · Mobile
  • Critical
    Broken object-level auth (BOLA)
    API
    Open
  • High
    Account takeover via reset flow
    Web
    In progress
  • High
    Mass assignment on user object
    API
    Retested
  • Medium
    Secrets in local storage
    Mobile
    Open
OWASP Top 10 mappedReproduction + fix

Secure your apps before attackers test them.

Book a web application penetration test and find the business-logic and access-control flaws that scanners never will.