01 / Web Application + API

Web Application + API Testing

What appears secure rarely is. We test both sides of that assumption.

Most application testing stops at the visible surface. DALI X goes further — into the logic, the trust boundaries, the API endpoints that were never meant to be found. Manual, adversary-perspective testing of your entire application layer, authenticated and unauthenticated.

Methodology: OWASP WSTG
Primary tool: Burp Suite Professional
AI augmentation: PentestGPT / XBOW
Compliance: SOC 2 · PCI DSS · HIPAA
Starting from: $5,000
Retest: 30-day free on Critical/High
Methodology

How we test.

Reconnaissance
  • Subdomain enumeration
  • JS file analysis and secret hunting
  • API schema discovery (OpenAPI, GraphQL)
  • Third-party integration mapping
Authentication & Session
  • Login brute-force and lockout logic
  • JWT/OAuth2/SAML token analysis
  • Session fixation and cookie attributes
  • MFA bypass enumeration
Authorization
  • IDOR across all resource types
  • Horizontal and vertical privilege escalation
  • Mass assignment vulnerabilities
  • GraphQL field-level authorization
Injection & Logic
  • SQLi, NoSQLi, command injection
  • SSRF and XXE
  • Business logic abuse
  • Race conditions and TOCTOU
Output & Configuration
  • Stored/reflected/DOM XSS
  • CORS misconfiguration
  • CSP bypass analysis
  • Sensitive data in responses
API-Specific
  • REST: HTTP verb tampering
  • GraphQL: batching abuse, introspection
  • gRPC: metadata injection
  • Webhook security
Tooling

What we use.

Burp Suite Professional
Primary testing platform — proxy, scanner, intruder, repeater.
Nuclei + ProjectDiscovery
Template-based scanning for recon and known vulnerability patterns.
PentestGPT
AI-assisted recon, exploit ideation, and finding documentation.
XBOW
Autonomous offensive platform for continuous and complex engagements.
Katana + httpx
Fast web crawler and HTTP toolkit for surface discovery.
Custom tooling
Engagement-specific scripts for logic testing and automation.
Sample findings

What we find.

Representative findings from past engagements. Client details redacted.

CRITICAL
Authentication Bypass via JWT Algorithm Confusion
RS256 to HS256 downgrade allowing token forgery and full account takeover across all tenants.
HIGH
GraphQL Introspection Exposing Internal Mutations
Production introspection enabled, revealing admin-only endpoints not visible in the UI.
HIGH
IDOR in REST API — Cross-Tenant Data Access
Sequential integer IDs without authorization checks enabling cross-account data read.
MEDIUM
Stored XSS in User-Supplied Markdown Fields
Unsanitized markdown rendered as HTML in admin dashboard context.
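The "Authentication Bypass via JWT Algorithm Confusion" finding above comes down to one verifier design flaw: the server lets the token's own `alg` header choose the algorithm, and hands a single opaque key blob to whichever branch that selects. Because an RSA public key is public by design, a token signed with HS256 over those same bytes passes. The example below is added here to illustrate that finding and its fix; it is not DALI X code and uses no client material. The RSA key is a constructed toy (two Mersenne primes, textbook PKCS#1 v1.5) and the `PUBLIC_KEY_PEM` blob is a stand-in for whatever PEM a real service loads, so that everything runs offline without third-party libraries.

```python
# Added illustration for the JWT algorithm-confusion finding (not DALI X code).
# Two verifiers for the same RS256 token: one that trusts the header's "alg"
# (the vulnerable pattern) and one that pins the algorithm from server config.
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed toy RSA key: p = 2^127-1 and q = 2^521-1 are Mersenne primes.
# Not a safe key; a real service loads a 2048-bit+ key from disk or a JWKS.
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus size in bytes (81 here)

# Stand-in for the PEM public key the server keeps. It is public by design
# (JWKS endpoints, client SDKs), which is exactly why it must never act as an HMAC key.
PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  + base64.b64encode(N.to_bytes(K, "big"))
                  + b"\n-----END PUBLIC KEY-----\n")


def pem_to_modulus(pem: bytes) -> int:
    body = b"".join(line for line in pem.splitlines() if not line.startswith(b"-----"))
    return int.from_bytes(base64.b64decode(body), "big")


# PKCS#1 v1.5 with SHA-256: EM = 0x00 0x01 FF..FF 0x00 || DigestInfo || H(msg)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def pkcs1_v15_encode(msg: bytes) -> int:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(msg: bytes) -> bytes:
    return pow(pkcs1_v15_encode(msg), D, N).to_bytes(K, "big")


def rs256_verify(msg: bytes, sig: bytes, modulus: int) -> bool:
    return pow(int.from_bytes(sig, "big"), E, modulus) == pkcs1_v15_encode(msg)


def jwt_encode(header: dict, claims: dict, signer: Callable[[bytes], bytes]) -> str:
    signing_input = f"{b64u(json.dumps(header).encode())}.{b64u(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64u(signer(signing_input.encode()))}"


def legitimate_token() -> str:
    """Token the real issuer mints: RS256 over the private key."""
    return jwt_encode({"alg": "RS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, rs256_sign)


def algorithm_confusion_token() -> str:
    """The forgery the finding describes: HS256 keyed with the public-key bytes."""
    mac = lambda msg: hmac.new(PUBLIC_KEY_PEM, msg, hashlib.sha256).digest()
    return jwt_encode({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "admin"}, mac)


def verify_trusting_header(token: str, key_material: bytes) -> Optional[dict]:
    """VULNERABLE: picks the algorithm from the untrusted header and feeds one
    opaque key blob to whichever branch that selects."""
    h, c, s = token.split(".")
    msg, sig, header = f"{h}.{c}".encode(), b64u_dec(s), json.loads(b64u_dec(h))
    if header.get("alg") == "HS256":
        ok = hmac.compare_digest(hmac.new(key_material, msg, hashlib.sha256).digest(), sig)
    elif header.get("alg") == "RS256":
        ok = rs256_verify(msg, sig, pem_to_modulus(key_material))
    else:
        ok = False
    return json.loads(b64u_dec(c)) if ok else None


def verify_pinned(token: str, rsa_modulus: int) -> Optional[dict]:
    """FIXED: the algorithm is server configuration; the header merely has to agree.
    Taking a typed RSA modulus (not bytes) leaves nothing usable as an HMAC key."""
    h, c, s = token.split(".")
    if json.loads(b64u_dec(h)).get("alg") != "RS256":
        return None  # also rejects "none", HS256 and anything unexpected
    if not rs256_verify(f"{h}.{c}".encode(), b64u_dec(s), rsa_modulus):
        return None
    return json.loads(b64u_dec(c))


if __name__ == "__main__":
    forged = algorithm_confusion_token()
    print("header-trusting verifier accepts forgery:", verify_trusting_header(forged, PUBLIC_KEY_PEM) is not None)
    print("pinned verifier accepts forgery:        ", verify_pinned(forged, N) is not None)
```

The remediation check during a retest is the second verifier, not the first: the expected algorithm and a typed key object are fixed in configuration, the header is only compared against them, and `none` falls out of the same rejection. Most mainstream JWT libraries expose exactly this through an explicit allowed-algorithms parameter, which is the setting to confirm is populated.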
Pricing

Engagement tiers.

Essentials
$5,000 – $10,000
SMB / startup / pre-compliance
  • Unauthenticated surface scan
  • OWASP Top 10 coverage
  • AI-augmented + human reviewed
  • Executive summary + findings
  • 30-day retest on Critical/High
Faster turnaround.
Standard
$12,000 – $25,000
Mid-market / SOC 2 / PCI / HIPAA
  • Full authenticated + unauth testing
  • API layer (REST, GraphQL, gRPC)
  • Business logic testing
  • OWASP WSTG full methodology
  • Compliance-ready report
Most common engagement tier.
Continuous
Custom
Enterprise / ongoing coverage
  • Quarterly manual validation
  • XBOW autonomous between cycles
  • Remediation verification
  • Dedicated point of contact
  • Annual compliance package
Best for teams shipping frequently.
FAQ

Common questions.

Do you test production environments?
Yes, with explicit authorization. We work with your team to define safe testing windows and escalation contacts. We never test without a signed authorization letter.
How long does an engagement take?
Essentials: 3–5 days. Standard: 5–10 days of active testing. Scoped precisely on your scoping call.
What do we receive at the end?
Executive summary, methodology, finding writeups with severity, evidence, exploit chain, business impact, and remediation guidance. Delivered via client portal.
Do you retest after we remediate?
30-day free retest on Critical and High findings is included in every engagement. We verify the fix actually works, not just that the code changed.