Web Security Review

I perform a manual security review of your public-facing website or web application. The assessment focuses on identifying common web vulnerabilities that could lead to unauthorized access, data exposure, account compromise, or abuse of application functionality.

The assessment is limited to publicly accessible functionality and does not include source code review, infrastructure testing, denial-of-service testing, or social engineering.

Vulnerabilities I check for:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Broken Access Control (including IDOR vulnerabilities)
  • Authentication & Session Management Issues
  • Sensitive Information Disclosure
  • File Upload Vulnerabilities
  • Server-Side Vulnerabilities (e.g. SSRF)
  • Security Misconfigurations
  • Business Logic & Workflow Issues

What you receive

  • Manual assessment of provided scope
  • Security report (PDF format)
  • Risk rating of found vulnerabilities
  • Reproduction steps
  • Explicit steps to fix each vulnerability

Procedure and scope

1. Initial review

After you submit your website I will review the application and identify areas that are in scope for testing. This will be verified with you before I begin.

Estimated time to completion: 24h

2. Manual Security Testing

I will begin testing the application for common web vulnerabilities and security weaknesses. Automated tools may be used to assist with the process but all findings will be manually verified.

Estimated time to completion: depends entirely on the size of your application and scope. Anywhere from 1-2 weeks.

3. Report preparation and delivery

At the end of the engagement you will receive a clear report summarizing the assesment and any identified vulnerabilites

Estimated time to completion: ~24-48h, depending on amount of vulnerabilities found

4. Follow up questions and assistance

I will remain available to answer any questions about the findings and recommendations to fix the vulnerabilities.

Out of scope

To avoid misunderstandings, the following are not included in the engagement:

  • Source code review
  • Infrastrcuture or network penetration testing
  • Social engineering or phishing assessments
  • Denial-of-service testing
  • Physical security testing

Important disclaimer:

This is a pilot offering. The assessment is provided free of charge while I continue building experience and collecting feedback. In return, I may ask for a testimonial if you find the report valuable.

Like any security assessment, this review does not guarantee that all vulnerabilities will be identified. The goal is to identify security issues that can be reasonably discovered within the scope and time available.

Request a Free Security Review

Submit your website and I'll get back to you by email once this service becomes available. (Coming soon...)

FAQ

What expertise do you have? +

I have 2 years of web development experience, and am a self-taught JWPT (junior web penetration tester). You can visit my blog where I go through existing vulnerabilities that I have found and written either a walk-through or report for.

What exactly do I receive? +

You receive a clear security report with any findings, severity ratings, reproduction steps, potential impact, and suggested fixes.

Is this a full penetration test? +

No. This is a focused manual web security review. It is not a full enterprise penetration test, compliance audit, or source code review.

Why is the review free? +

This is a limited pilot offer while I refine my process, build experience, and collect feedback. In return, I may ask for a testimonial if the report is useful to you.

Can you guarantee that every vulnerability will be found? +

No security assessment can guarantee that every issue will be discovered. The goal is to identify vulnerabilities that can reasonably be found within the agreed scope.

Do I need to give you login access? +

Not always. Depending on your application I will usually make a test account. However if you have functionality behind a paywall or different user role, and would like me to include it in the review, I will request you provide me with sufficient permissions.

Do you fix the vulnerabilities too? +

The review focuses on finding and explaining issues. Fixes are not included by default, but I can usually give practical remediation guidance.

How do I contact you for additional questions? +

Enter your details in the form above and fill out the questions form. If you don't have a website or don't wish to submit it yet, enter "https://example.com" or the like. I will contact you via email.