Web application penetration testing in Rwanda

We test web applications by hand against the OWASP Top 10 and the OWASP Web Security Testing Guide: authentication, access control, session management, injection, and the business-logic flaws scanners never reach. Built for banks, fintech, government, and regulated organisations across Rwanda, East Africa, and the wider African market, with an evidence-led report and a free retest after you fix the findings.

Methodology: OWASP WSTG + OWASP Top 10 | OSCP-credentialled practitioner | Manual, multi-role testing | Evidence-led reporting + free retest

What we test

01 Authentication & sessions

Login, password reset, and MFA flows, credential handling, session and token lifecycle, and the fixation and replay weaknesses that lead to account takeover.

02 Access control

Every function crossed with every role. Can a customer reach another customer's records, or an admin function the interface never shows?

03 Injection & input handling

SQL injection, cross-site scripting, server-side request forgery, file upload abuse, and template injection, each validated with a working proof of concept.

04 Business logic

Workflow bypasses, race conditions on balance-changing operations, negative and boundary amounts, and approval steps that can be skipped.
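The access-control card above says every function is crossed with every role. Below is an added example of what that check looks like as a harness, not tooling from the provider or any client application: the target is a constructed in-memory mock of a banking app (hypothetical names such as `view_statement`, `export_all_customers`, `acc-1`), and the expected policy is written down from the kind of workflow walkthrough the engagement asks for. The harness requests each function with each role's session, against its own account and another customer's account, and reports every 200 the policy says should have been a 403. Two deliberate flaws are planted in the mock: a statement endpoint that checks login but not ownership, and an export function that the interface hides but the server never gates.

```python
"""Role x function authorization matrix, run against a constructed mock app.

Everything here is illustrative: the mock, its users, accounts and function
names are assumptions, not a real application.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed fixtures: sessions for two customers and one admin, two accounts.
USERS = {"alice": "customer", "bob": "customer", "carol": "admin"}
ACCOUNTS = {"acc-1": "alice", "acc-2": "bob"}


@dataclass
class Response:
    status: int
    body: str = ""


def mock_app(session_user: str, function: str, account: Optional[str]) -> Response:
    """Deliberately flawed mock of the server side.

    - view_statement checks that a session exists but never that the caller
      owns the account (an IDOR).
    - export_all_customers is hidden in the UI but has no server-side role check.
    - close_account is correctly restricted to admins.
    """
    role = USERS.get(session_user)
    if role is None:
        return Response(401)
    if function == "view_statement":
        if account not in ACCOUNTS:
            return Response(404)
        return Response(200, f"statement of {account}")  # missing owner check
    if function == "close_account":
        if role != "admin":
            return Response(403)
        return Response(200, "closed")
    if function == "export_all_customers":
        return Response(200, "all customers")  # missing role check
    return Response(404)


# Expected policy, as captured from the workflow walkthrough (assumption).
# "roles": who may call it; "account_scoped": does it take an account id;
# "own_only_for": roles that may only act on their own account.
POLICY = {
    "view_statement": {"roles": {"customer", "admin"}, "account_scoped": True,
                       "own_only_for": {"customer"}},
    "close_account": {"roles": {"admin"}, "account_scoped": True, "own_only_for": set()},
    "export_all_customers": {"roles": {"admin"}, "account_scoped": False,
                             "own_only_for": set()},
}


def expected_status(user: str, function: str, account: Optional[str]) -> int:
    """What the policy says the server should answer."""
    rule = POLICY[function]
    role = USERS[user]
    if role not in rule["roles"]:
        return 403
    if account is not None and role in rule["own_only_for"] and ACCOUNTS[account] != user:
        return 403
    return 200


def run_matrix(app: Callable[[str, str, Optional[str]], Response]
               ) -> List[Tuple[str, str, Optional[str], int, int]]:
    """Try every (user, function, account) cell; return cells where the server
    allowed (200) something the policy denies. Tuple: user, function, account,
    expected status, observed status."""
    findings = []
    for user in USERS:
        for function, rule in POLICY.items():
            targets = list(ACCOUNTS) if rule["account_scoped"] else [None]
            for account in targets:
                want = expected_status(user, function, account)
                got = app(user, function, account).status
                if got == 200 and want != 200:
                    findings.append((user, function, account, want, got))
    return findings


if __name__ == "__main__":
    for f in run_matrix(mock_app):
        print("AUTHZ FAIL user=%s function=%s account=%s expected=%d got=%d" % f)
```

Against the mock this reports four cells: each customer reading the other's statement, and each customer reaching the admin-only export. On a real engagement the `app` callable is replaced by an HTTP client holding one session per role, and the policy table is what the multi-role walkthrough produces; the loop stays the same.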

What this is

A manual penetration test of your web application: internet-banking portals, customer onboarding flows, admin consoles, e-government services, and the browser-facing side of any platform that handles money or personal data. We map every role and function, then work through authentication, access control, session handling, input validation, and the business logic that connects them, the way an attacker would. Web testing is also available as one track inside a wider engagement: see our penetration testing service for the full web, network, mobile, API, and cloud scope.

Methodology

Testing follows the OWASP Web Security Testing Guide (WSTG), with findings mapped to the OWASP Top 10 and the engagement run along PTES phases from pre-engagement scoping through exploitation to reporting. Every test is executed by hand.

A scanner finds missing patches; it does not find a transfer flow that skips its approval step. Every finding is demonstrated with reproducible proof-of-concept evidence, not flagged from a scanner signature.
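The business-logic card above and the transfer-flow point here are the kind of thing only a hand-driven test finds. The following is an added example, not code from the provider or from any client system: a constructed in-memory ledger with two versions of a transfer function, the flawed one beside its hardened form, and two probes run against each. The first probe sends a negative amount, which a bare "balance >= amount" check happily accepts and which moves money into the sender's account. The second fires several concurrent transfers and uses a barrier (standing in for the window during which other requests are served) to force every request past the balance check before any of them debits, which is the race the card describes. Account names, amounts and the `after_check` hook are assumptions made for the illustration.

```python
"""Transfer-flow business-logic probes on a constructed in-memory ledger.

Illustrative only: the Ledger class, account ids and amounts are assumptions,
not a real application.
"""
import threading
from decimal import Decimal
from typing import Callable, Optional, Tuple


class Ledger:
    def __init__(self, balances: dict):
        self.balances = {k: Decimal(v) for k, v in balances.items()}
        self._lock = threading.Lock()

    def transfer_vulnerable(self, src: str, dst: str, amount: str,
                            after_check: Optional[Callable[[], None]] = None) -> bool:
        """Check-then-act with no lock and no amount validation (the flawed form).
        after_check is a hook that stands in for the time spent serving other
        requests between the balance check and the debit."""
        amt = Decimal(amount)
        if self.balances[src] < amt:      # a negative amount always passes this
            return False
        if after_check:
            after_check()
        self.balances[src] -= amt
        self.balances[dst] += amt
        return True

    def transfer_hardened(self, src: str, dst: str, amount: str,
                          after_check: Optional[Callable[[], None]] = None) -> bool:
        """Validates the amount, then checks and debits under one lock so two
        requests cannot both see the same pre-debit balance."""
        amt = Decimal(amount)
        if amt <= 0 or amt != amt.quantize(Decimal("0.01")):
            raise ValueError("amount must be positive with at most two decimals")
        with self._lock:
            if self.balances[src] < amt:
                return False
            if after_check:
                after_check()
            self.balances[src] -= amt
            self.balances[dst] += amt
        return True


def probe_negative_amount(transfer_name: str) -> Tuple[str, Decimal]:
    """Send -50 from acc-1 (balance 100); return outcome and acc-1's balance."""
    ledger = Ledger({"acc-1": "100", "acc-2": "0"})
    transfer = getattr(ledger, transfer_name)
    try:
        transfer("acc-1", "acc-2", "-50")
    except ValueError:
        return "rejected", ledger.balances["acc-1"]
    return "accepted", ledger.balances["acc-1"]


def probe_race(transfer_name: str, n: int = 5) -> Tuple[int, Decimal]:
    """Fire n concurrent transfers of 60 from acc-1 (balance 100).
    Returns (number of transfers that succeeded, final balance of acc-1)."""
    ledger = Ledger({"acc-1": "100", "acc-2": "0"})
    transfer = getattr(ledger, transfer_name)
    barrier = threading.Barrier(n)
    results, results_lock = [], threading.Lock()

    def window() -> None:
        # All requests that passed the check wait here, then debit together.
        # Under the hardened lock only one request can reach this point, so the
        # barrier times out and is broken; later waits raise immediately.
        try:
            barrier.wait(timeout=0.5)
        except threading.BrokenBarrierError:
            pass

    def worker() -> None:
        ok = transfer("acc-1", "acc-2", "60", after_check=window)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balances["acc-1"]


if __name__ == "__main__":
    for name in ("transfer_vulnerable", "transfer_hardened"):
        print(name, "negative amount:", probe_negative_amount(name))
        print(name, "race (5 x 60 from 100):", probe_race(name))
```

Against the flawed transfer, the negative probe leaves the sender with 150 and the race lets all five withdrawals through, ending at -200; the hardened version rejects the negative amount and allows exactly one of the five. On a live target the same two probes are a single crafted request and a burst of parallel requests against the real endpoint, with the balance read back afterwards.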

Who this is for

For institutions supervised by the National Bank of Rwanda, the engagement supplies the technical evidence the annual testing requirement in BNR Regulation N°50/2022 expects: see our BNR-compliant penetration testing service. Testing is led by an OSCP-credentialled practitioner whose engagement history spans a Tier-1 Nordic bank red team, a pan-African banking group, and a top-5 South African bank.

Deliverables

Frequently asked questions

What does a web application penetration test cover?
Manual testing of your web application against the OWASP Top 10 and the OWASP Web Security Testing Guide: authentication and session management, access control across every role, injection and input handling, file upload and server-side request forgery, and the business-logic flaws specific to how your application moves money or data. Every finding is reproduced with proof-of-concept evidence.
How is manual testing different from a vulnerability scan?
A scanner matches signatures; it cannot log in as two different users and prove one can read the other's data, chain a low-severity flaw into account takeover, or notice that a transfer flow skips its approval step. We run the application by hand with multiple roles, which is where the findings that matter to a bank or a regulator live.
What access do you need to test our web application?
Test accounts for at least two roles, a walkthrough of the main workflows, and a contact on your team for escalations. We can test black-box from the login page alone, but gray-box access produces deeper authorization and business-logic coverage in the same testing window.
Do you test applications in production?
We prefer a staging environment that mirrors production. Where production is the only option, we use non-destructive techniques, agree test windows for anything intrusive in advance, and escalate anything critical immediately.
Does this satisfy regulatory testing requirements in Rwanda?
It supplies the technical evidence those requirements call for. BNR Regulation N°50/2022 requires institutions supervised by the National Bank of Rwanda to run a penetration test at least once a year, and our report is structured to file with the regulator and to hand to your auditor. Confirm the exact obligation that applies to you with your supervisor; we scope the test to match it.
How much does a web application penetration test cost in Rwanda?
Every engagement is scoped individually based on the application's size, the number of roles and workflows, and the depth of business-logic testing required. Tell us about the application; we reply within 24 hours, and a scoped proposal follows within 48 hours of the scoping call. For the factors that drive pricing, see our guide to penetration testing cost in Rwanda.

For the full scope of our manual testing across web, network, mobile, API, and cloud, see our penetration testing service, or read the cornerstone guide to penetration testing in Rwanda.

Shipping a web application that handles money or personal data?

Tell us the application, roles, and timeline. We reply within 24 hours, and a scoped proposal follows within 48 hours of the scoping call.
