Testing

What we test

Pentu works the OWASP Top 10 surface that a black-box tester can reach, against your real, authenticated app, and goes beyond the checklist into the business-logic and access-control flaws that only a tester who understands your product can find.

OWASP coverage

A01:2021 Broken Access Control
For every object ID and route it sees, it tries to reach it as a different account and anonymously: cross-tenant IDOR, privilege escalation (member→admin, free→paid), forced browsing, and mass assignment of privileged fields (role, is_admin, plan, account_id).
A02:2021 Cryptographic Failures
Full TLS audit (protocol versions, cipher suites, certificate chain and validity), HSTS, mixed content, and cookie flags (Secure / HttpOnly / SameSite).
A03:2021 Injection
SQL/NoSQL (time-based and non-destructive: probes never modify data), reflected and stored XSS (confirmed by rendering the page in a real browser), server-side template injection, command injection and path traversal, across query params, JSON/form bodies, and headers.
A04:2021 Insecure Design (business logic)
Quota and plan-tier bypass, negative or oversized values, replaying or skipping workflow steps, coupon and trial abuse, and race-prone create/delete flows.
A05:2021 Security Misconfiguration
Verbose errors and stack traces, debug endpoints, permissive CORS, missing authorization on data-fetch routes, unexpected HTTP methods, and exposed files (.git, .env, backups, admin panels).
A06:2021 Vulnerable and Outdated Components
Known-vulnerable front-end libraries, detected from the JavaScript your app actually loads.
A07:2021 Identification and Authentication Failures
Strong logout (is the session invalidated server-side, or only cleared in the browser?), session fixation, token tampering, account enumeration, login rate limiting, and the full password-reset, email-change and magic-link flows, completed end to end via a controlled inbox.
A08:2021 Software and Data Integrity Failures
State-changing requests without CSRF protection, and whether a page on another origin can make a logged-in user's browser perform them. (OWASP's own mapping places CSRF, CWE-352, under A01 Broken Access Control.)
A10:2021 Server-Side Request Forgery (SSRF)
"Connect a source / URL / webhook" features, probed with an out-of-band callback (collaborator) server that catches blind SSRF even when the app's own response looks normal.

Signature capabilities

A few things Pentu does that go well past a typical scanner:

  • Strong logout, for real. It finds your logout endpoint by clicking the actual logout button in the DOM (in SPAs the route is often reachable only through JavaScript), captures a live session token, logs out, then replays the old token. A session that still works after logout is a real finding; a 200 from the logout endpoint on its own proves nothing.
  • Cross-tenant IDOR. With two signed-up accounts, it replays account A's object IDs as account B and anonymously, and reports only when B actually receives A's data, not merely a 200.
  • Stored XSS, confirmed. A JSON API echoing your payload back isn't proof. Pentu plants the payload, then loads the page in a real browser to see whether it actually executes.
  • Password reset, end to end. It triggers the reset, reads the email, follows the tracking-redirect wrapper to the real link, and checks the token's entropy (length, character set, and whether consecutive tokens are predictable), that it is single-use, and that it expires.
  • Blind SSRF. It plants a unique callback URL in webhook and "import from URL" fields; if your backend fetches it, our collaborator logs the hit, and the unique URL ties that hit back to the exact field that caused it.
  • Database authorization (RLS). For apps on Supabase and similar, it queries the data API directly with each account's credentials, and with the anonymous key, to catch row-level-security gaps the UI hides.
  • Secrets & dependencies. It scans the JavaScript your app ships for leaked API keys and known-vulnerable libraries.
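The three token checks in the password-reset bullet above, written out as an added example. This is not Pentu's code: ResetService is a constructed stand-in for an app's reset-token issuer, with a weak flag that reproduces the classic mistakes (a timestamp-derived token, no single-use enforcement, no expiry), and FakeClock lets the expiry check jump forward without sleeping. The audit does what a tester does once the link is out of the inbox: sample several tokens, estimate entropy from the observed alphabet and length, flag numeric tokens that only ever increase, try to use one token twice, then try one past its TTL.

```python
import math
import secrets
import time
from urllib.parse import parse_qs, urlparse


class FakeClock:
    """Injectable clock so the expiry check can jump forward without sleeping."""
    def __init__(self, start=1_700_000_123.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ResetService:
    """Constructed stand-in (hypothetical) for an app's reset-token issuer and consumer.
    weak=True models the classic mistakes: timestamp-derived token, reusable, never expires."""
    def __init__(self, weak, ttl_seconds=900, clock=time.time):
        self.weak, self.ttl, self.clock = weak, ttl_seconds, clock
        self.issued = {}  # token -> (user, issued_at)

    def request_reset(self, user):
        now = self.clock()
        tok = str(int(now * 1000))[-10:] if self.weak else secrets.token_urlsafe(32)
        self.issued[tok] = (user, now)
        return f"https://app.example/reset?token={tok}"  # hypothetical reset link

    def consume(self, tok, new_password):
        entry = self.issued.get(tok)
        if entry is None:
            return False
        if not self.weak:
            if self.clock() - entry[1] > self.ttl:
                return False
            del self.issued[tok]  # single use
        return True


def token_from_link(link):
    return parse_qs(urlparse(link).query)["token"][0]


def estimate_entropy_bits(tokens):
    """Rough estimate: the alphabet actually observed, raised to the token length.
    Few samples undercount the alphabet, which only makes the check stricter."""
    alphabet = set("".join(tokens))
    return min(len(t) for t in tokens) * math.log2(len(alphabet))


def looks_sequential(tokens):
    """Purely numeric tokens that only ever increase are counter or timestamp derived."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return False
    return all(later > earlier for earlier, later in zip(values, values[1:]))


def audit_reset_tokens(svc, clock, samples=5, min_bits=128):
    """Run the entropy, single-use and expiry checks; return findings keyed by name."""
    findings = {}
    tokens = []
    for _ in range(samples):  # reset requests spaced one second apart
        tokens.append(token_from_link(svc.request_reset("victim@example.com")))
        clock.advance(1)
    bits = estimate_entropy_bits(tokens)
    if bits < min_bits or looks_sequential(tokens):
        findings["low_entropy"] = {"estimated_bits": round(bits), "samples": tokens[:3]}
    tok = tokens[-1]  # a token that works twice lets a leaked link be replayed
    if svc.consume(tok, "N3w-pass!") and svc.consume(tok, "N3w-pass!"):
        findings["reusable"] = {"token": tok}
    tok = token_from_link(svc.request_reset("victim@example.com"))
    clock.advance(svc.ttl + 1)  # jump past the TTL before using it
    if svc.consume(tok, "N3w-pass!"):
        findings["no_expiry"] = {"token": tok, "age_seconds": svc.ttl + 1}
    return findings


if __name__ == "__main__":
    clock = FakeClock()
    print(audit_reset_tokens(ResetService(weak=True, clock=clock), clock))
```

Against a real target the service calls become HTTP requests and the inbox read, but the decision logic is the same: the weak issuer trips all three checks, the hardened one trips none.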

It shows what passed, too

A real pentest report isn't just problems. Pentu records every probe it ran — including the attacks your app correctly defeated — and marks the security controls it verified with no issue (dozens of them: headers, TLS, cookies, CORS, email auth, access control, injection, auth, CSRF, SSRF, and more). So you can see the full body of work, not just the red.

Always with proof

This is the rule that separates Pentu from a scanner: a finding is never "the field was accepted" or "we got a 200." It chains the exploit all the way to a demonstrated impact — escalate the account, then perform an admin-only action; leak another tenant's record and quote the field — and records the full chain so the finding can be replayed and confirmed.
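The proof rule above, applied to two of the signature checks (strong logout and cross-tenant IDOR), as an added example. This is not Pentu's code: MockApp is a constructed in-process target with two flags that switch the weaknesses on and off, and the tenants, records and routes are made up for the example. Both checks decide on evidence rather than status codes: the logout check replays the old bearer token and records the record it still returns, and the IDOR check compares what account B and an anonymous caller receive against A's own view of the object, quoting the leaked field only when they match.

```python
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed mock target (hypothetical): two tenants, one record each.
USERS = {"alice": "pw-a", "bob": "pw-b"}
RECORDS = {"1": {"owner": "alice", "email": "alice@example.com"},
           "2": {"owner": "bob", "email": "bob@example.com"}}


class MockApp(BaseHTTPRequestHandler):
    sessions = {}                # bearer token -> username (server-side session store)
    invalidate_on_logout = True  # False: logout answers 200 but leaves the token valid
    enforce_ownership = True     # False: any logged-in user can read any record (IDOR)

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _session(self):
        tok = self.headers.get("Authorization", "").removeprefix("Bearer ").strip()
        return self.sessions.get(tok), tok

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length") or 0)) or b"{}")
        if self.path == "/login":
            user = body.get("user")
            if user not in USERS or USERS[user] != body.get("password"):
                return self._send(401, {"error": "bad credentials"})
            tok = secrets.token_urlsafe(32)
            self.sessions[tok] = user
            return self._send(200, {"token": tok})
        if self.path == "/logout":
            user, tok = self._session()
            if user and self.invalidate_on_logout:
                del self.sessions[tok]
            return self._send(200, {"ok": True})  # a 200 here proves nothing by itself
        self._send(404, {})

    def do_GET(self):
        user, _ = self._session()
        if not user:
            return self._send(401, {"error": "login required"})
        rec = RECORDS.get(self.path.removeprefix("/records/"))
        if rec is None:
            return self._send(404, {})
        if self.enforce_ownership and rec["owner"] != user:
            return self._send(403, {"error": "forbidden"})
        self._send(200, rec)

    def log_message(self, *args):  # silence request logging
        pass


def call(base, method, path, token=None, body=None):
    """Tiny JSON client: returns (status, body) and does not raise on 4xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def login(base, user, password):
    return call(base, "POST", "/login", body={"user": user, "password": password})[1]["token"]


def check_strong_logout(base):
    """Capture a live token, log out, replay the old token; finding only if it still works."""
    tok = login(base, "alice", "pw-a")
    call(base, "POST", "/logout", tok)
    status, body = call(base, "GET", "/records/1", tok)
    return {"finding": status == 200, "proof": body if status == 200 else None}


def check_cross_tenant_idor(base, object_path="/records/1"):
    """Replay A's object as B and anonymously; report only when A's data comes back."""
    tok_a, tok_b = login(base, "alice", "pw-a"), login(base, "bob", "pw-b")
    _, owner_view = call(base, "GET", object_path, tok_a)  # ground truth: A's own view
    leaks = {}
    for who, tok in (("other_tenant", tok_b), ("anonymous", None)):
        status, body = call(base, "GET", object_path, tok)
        if status == 200 and body == owner_view:           # not merely "got a 200"
            leaks[who] = {"quoted_field": ("email", body["email"])}
    return {"finding": bool(leaks), "proof": leaks}


def audit(invalidate_on_logout, enforce_ownership):
    """Start the mock with the chosen weaknesses, run both checks, shut it down."""
    MockApp.sessions = {}
    MockApp.invalidate_on_logout, MockApp.enforce_ownership = invalidate_on_logout, enforce_ownership
    srv = HTTPServer(("127.0.0.1", 0), MockApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return {"weak_logout": check_strong_logout(base),
                "cross_tenant_idor": check_cross_tenant_idor(base)}
    finally:
        srv.shutdown()
        srv.server_close()
```

Run audit(invalidate_on_logout=False, enforce_ownership=False) to see both findings with their proof (the replayed token still returns alice's record; bob receives alice's email). The anonymous probe never appears in the IDOR proof because the mock rejects it with a 401, which is exactly the distinction the rule above demands: a finding is recorded only when the other party actually gets the data.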