What we test
Pentu works the full OWASP surface across your real, authenticated app — and goes beyond the checklist into the business-logic and access-control flaws that only a tester who understands your product can find.
OWASP coverage
Signature capabilities
A few things Pentu does that go well past a typical scanner:
- Strong logout, for real. It finds your logout endpoint by clicking the actual logout button in the DOM (SPAs hide it in JavaScript), captures a live session token, logs out, then replays the old token — a session that still works after logout is a real finding.
- Cross-tenant IDOR. With two signed-up accounts, it replays account A's object IDs as account B and anonymously, and reports only when B actually receives A's data.
- Stored XSS, confirmed. A JSON API echoing your payload isn't proof. Pentu plants the payload, then loads the page in a real browser to see whether it actually executes.
- Password reset, end to end. It triggers the reset, reads the email, follows the tracking-redirect wrapper to the real link, and tests the token's entropy, one-time-use, and expiry.
- Blind SSRF. It plants a unique callback URL in webhook and "import from URL" fields; if your backend fetches it, our collaborator logs the hit and confirms the SSRF.
- Database authorization (RLS). For apps on Supabase and similar, it reads the data API directly as different accounts to catch row-level-security gaps the UI hides.
- Secrets & dependencies. It scans the JavaScript your app ships for leaked keys and known-vulnerable libraries.
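The logout and password-reset checks above come down to token lifecycle: a session token must die server-side at logout, and a reset token must be unguessable, single-use and short-lived. The following is an added example (not Pentu's code, and not taken from this page) of the in-memory model a developer could keep in their own test suite to make those properties regression-tested; the class and function names are this example's own assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for a real session table and reset-token
# table. Names (SessionStore, ResetTokenStore, ...) are assumptions for this
# example, not any product's API.


class SessionStore:
    """Server-side session registry. Logout removes the server record, so a
    token captured before logout is worthless afterwards."""

    def __init__(self):
        self._live = {}  # token -> user_id

    def login(self, user_id):
        token = secrets.token_urlsafe(32)  # 32 CSPRNG bytes, 43 url-safe chars
        self._live[token] = user_id
        return token

    def logout(self, token):
        self._live.pop(token, None)

    def whoami(self, token):
        return self._live.get(token)  # None means "not authenticated"


class ClientOnlyLogoutStore(SessionStore):
    """The failure mode: logout just tells the browser to drop the cookie and
    never touches the server-side record."""

    def logout(self, token):
        pass  # cookie cleared client-side only; token stays valid


class ResetTokenStore:
    """Password-reset tokens: CSPRNG-generated, stored hashed (a DB leak does
    not yield usable tokens), redeemed at most once, and expired after ttl."""

    def __init__(self, ttl_seconds=900):
        self.ttl_seconds = ttl_seconds
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user_id, now + self.ttl_seconds)
        return token

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop enforces one-time use
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None  # expired tokens are rejected (and already consumed)
        return user_id


def check_logout_invalidates(store):
    """True when the old token is dead after logout; False reproduces the
    'session still works after logout' finding."""
    token = store.login("alice")
    if store.whoami(token) != "alice":
        raise RuntimeError("login did not establish a session")
    store.logout(token)
    return store.whoami(token) is None


def estimate_token_bits(token):
    """Rough upper bound: each url-safe base64 character carries 6 bits when
    the generator is uniform. A reviewer wants >= 128 here."""
    return len(token) * 6


def check_reset_token(store):
    """Exercise entropy, first use, replay and expiry; every value should be True."""
    t0 = 1_000_000.0  # constructed clock, so expiry is deterministic
    token = store.issue("alice", now=t0)
    results = {}
    results["entropy_ok"] = estimate_token_bits(token) >= 128
    results["first_use"] = store.redeem(token, now=t0 + 10) == "alice"
    results["replay_rejected"] = store.redeem(token, now=t0 + 20) is None
    stale = store.issue("alice", now=t0)
    results["expired_rejected"] = store.redeem(stale, now=t0 + store.ttl_seconds + 1) is None
    return results


if __name__ == "__main__":
    print("server-side logout:", check_logout_invalidates(SessionStore()))        # True
    print("client-only logout:", check_logout_invalidates(ClientOnlyLogoutStore()))  # False
    print("reset token:", check_reset_token(ResetTokenStore()))
```

The `ClientOnlyLogoutStore` case is the one worth keeping in a test suite: a logout that only clears the cookie passes every UI test and fails exactly the replay check described above.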
It shows what passed, too
A real pentest report isn't just problems. Pentu records every probe it ran — including the attacks your app correctly defeated — and marks the security controls it verified with no issue (dozens of them: headers, TLS, cookies, CORS, email auth, access control, injection, auth, CSRF, SSRF, and more). So you can see the full body of work, not just the red.
Always with proof
This is the rule that separates Pentu from a scanner: a finding is never "the field was accepted" or "we got a 200." It chains the exploit all the way to a demonstrated impact — escalate the account, then perform an admin-only action; leak another tenant's record and quote the field — and records the full chain so the finding can be replayed and confirmed.
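The cross-tenant IDOR item earlier and the "always with proof" rule here share one idea: a status code is not evidence, the victim's actual data in the response is. As an added example (not Pentu's code or methodology, and not from this page), the in-memory authorization check below only produces a finding when the response quotes a field the other tenant owns, and records the replayable chain of requests that led there; the record set, handler names and `Finding` structure are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed tenant data: two accounts, each owning one record.
RECORDS = {
    101: {"owner": "tenant_a", "email": "a@example.com", "plan": "enterprise"},
    202: {"owner": "tenant_b", "email": "b@example.com", "plan": "free"},
}


def vulnerable_get_record(record_id, caller):
    """Looks up by id only; ownership is never checked (the IDOR defect)."""
    rec = RECORDS.get(record_id)
    return (200, rec) if rec else (404, None)


def hardened_get_record(record_id, caller):
    """Ownership enforced; a foreign record is indistinguishable from a missing one."""
    rec = RECORDS.get(record_id)
    if rec is None or caller is None or rec["owner"] != caller:
        return (404, None)
    return (200, rec)


def stub_200_get_record(record_id, caller):
    """Returns 200 with a generic placeholder body: 'we got a 200' but no leak."""
    return (200, {"id": record_id, "status": "ok"})


@dataclass
class Finding:
    title: str
    steps: list = field(default_factory=list)  # replayable request chain
    evidence: Optional[str] = None             # the quoted field that proves impact


def probe_cross_tenant(handler, victim_id, victim_field, victim_value, attacker):
    """Request the victim's record as another account and anonymously.
    Return a Finding only if the response really contains the victim's field."""
    finding = Finding(title="Cross-tenant IDOR")
    for caller in (attacker, None):
        status, body = handler(victim_id, caller)
        finding.steps.append({"as": caller or "anonymous", "record_id": victim_id, "status": status})
        if status == 200 and body is not None and body.get(victim_field) == victim_value:
            finding.evidence = (
                f"{victim_field}={body[victim_field]!r} returned to {caller or 'anonymous'}"
            )
            return finding
    return None  # no demonstrated impact, no finding


if __name__ == "__main__":
    for handler in (vulnerable_get_record, hardened_get_record, stub_200_get_record):
        result = probe_cross_tenant(handler, 101, "email", "a@example.com", "tenant_b")
        print(handler.__name__, "->", result)
```

Only the vulnerable handler yields a finding, and its `steps` list shows the first request (as `tenant_b`) already leaked the field; the stub handler's 200 is recorded in `steps` but never promoted to a finding because the victim's value was not in the body.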