Website Penetration Testing in Singapore

What is Web Application Penetration Testing?

Website Application Penetration Testing (a.k.a. Application Pentest, Application VAPT, Application Pen Testing) is a simulated cyber-attack against a web application to check for exploitable vulnerabilities. Web applications are the most fragile entry points into an organisation’s network infrastructure as they offers public access. Public-facing applications face the highest risks of being breached and leading to malicious attackers entering the system. At softScheck Singapore, we identify and evaluate all the potential vulnerabilities in your web application to help your business mitigate cyber risks.


softScheck is a CREST accredited Penetration Testing provider in Singapore.

It is also important to note that automated testing is complemented by manual testing to achieve compliance and full coverage.


Objective of the website penetration testing assessment

Reveal real-world opportunities targeted by hackers in Singapore and beyond

Identify application security flaws present in the environment

Understand the level of risk for your organisation

Our Website Penetration Testing Approach & Methodology


Information Gathering


Vulnerability Analysis







softScheck Singapore’s application penetration testing methodology is based upon industry standards such as Open Web Application Security Project (OWASP), CWE, SANS, NIST, PTES and OSSTMM. It covers the classes of vulnerabilities, including, but not limited to:

Buffer overflow
Insecure access control mechanism (e.g. account privilege escalation, failure to restrict URL access, input validation etc.)
Malicious code injection (e.g. SQL injection, Cross-Site Scripting and etc.)
Cross-Site Request Forgery (CSRF)
Cross-Frame Scripting (CFS)
Insecure authentication and session management
Insecure direct object references
Insecure cryptographic storage
Insufficient transport layer protection (e.g. enabling of weak cipher suite in the SSL protocol)
Insufficient transport layer protection (e.g. enabling of weak cipher suite in the SSL protocol)
Invalidated redirects and forwards
Improper error and exception handling
Security misconfigurations
Application logic flaws
Application logic flaws
Transaction testing to ensure desired application performance run with no ability to be abused by users; and
Sensitive data exposure

The vulnerabilities are evaluated using the Common Vulnerability Scoring System) (CVSS) method to assess and evaluate the risk.

softScheck Singapore approach Web Application Penetration Testing with a rigorous manual testing technique:

Phase 1

Review the scan results (analyse the findings and remove any false-positive)

Phase 2

Further exploit the system to discover any new vulnerabilities that are not discovered in Phase 1. And this takes 80% of the overall entire assessment.