Web Application Penetration Test – Online Banking

Web App Penetration Testing | Financial Services | June 2025 | 3 Weeks

19 findings | 100% of critical findings remediated | 3 weeks to remediation

Client Overview

An online banking platform required a manual penetration test of their customer-facing web application and APIs to satisfy regulatory expectations and internal risk management. They needed OWASP Top 10 coverage plus business-logic and authentication/session testing.

  • Industry: Financial Services
  • Challenge: Validate security of login, transactions, and account access; identify logic flaws automated tools miss
  • Engagement: 3 weeks (scoping, testing, report, remediation support, retest)

Scoping & Requirements

Scope: Online banking web app (login, dashboard, transfers, statements, profile); REST APIs for mobile and web. Out of scope: core banking backend, third-party payment gateways (black-box only). Success criteria: OWASP Top 10 and business logic tested; critical/high findings remediated with retest. Rules of engagement: testing from approved IPs; no DoS; credentials provided for authenticated testing.

Methodology & Test Cases

Manual testing following OWASP Testing Guide and PTES. Test cases included:

Category         Test Cases Performed
Authentication   Brute force, lockout, password policy, MFA bypass, session fixation, logout
Authorization    IDOR (accounts, transactions), privilege escalation, path traversal
Injection        SQL, XSS (reflected/stored), command injection in search/admin
Business logic   Transfer limits, negative amounts, concurrent transactions, replay
Session          Token strength, timeout, concurrent sessions, cookie flags

Tools: Burp Suite Pro, custom scripts. Standards: OWASP Top 10, PTES, NIST.

Findings & Vulnerabilities

19 findings (3 critical, 6 high, 7 medium, 3 low). Critical included:

  • Critical: Business logic flaw allowing transfer amount manipulation (parameter tampering) leading to overdraft bypass. Affected: transfer API.
  • High: IDOR on statement export – a user could request another user's PDF by changing the ID. Affected: /api/statements/export.
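As an added illustration (not code from the engagement or from the client's platform), the following Python sketch shows the server-side controls that close the two finding classes above: strict parsing of the client-supplied amount and an overdraft check against server-held balances for the transfer API, and an object-level ownership check for the statement export endpoint. The account data, statement IDs, per-transfer limit and request shapes are constructed for the example; the abuse cases replayed at the end mirror the business-logic and authorization test cases listed in the methodology table.

```python
"""Server-side controls for transfer tampering and statement-export IDOR.

Added illustration only; account data, statement ids, the per-transfer
limit and the request dictionaries are constructed for this example.
"""
from decimal import Decimal, InvalidOperation

# Constructed sample data: account id -> owner and server-held balance
ACCOUNTS = {
    "acc-1001": {"owner": "alice", "balance": Decimal("500.00")},
    "acc-2002": {"owner": "bob", "balance": Decimal("50.00")},
}
# Constructed sample data: statement id -> owning user
STATEMENTS = {"stmt-1": "alice", "stmt-2": "bob"}

PER_TRANSFER_LIMIT = Decimal("10000.00")  # hypothetical policy value


class TransferRejected(Exception):
    """Raised for any request the server refuses to act on."""


def sample_accounts():
    """Fresh copy of the constructed accounts so each run starts clean."""
    return {k: dict(v) for k, v in ACCOUNTS.items()}


def parse_amount(raw):
    """Strictly validate a client-supplied amount: decimal, finite, positive,
    within the per-transfer limit, and no more than two decimal places."""
    try:
        amount = Decimal(str(raw))
    except (InvalidOperation, ValueError):
        raise TransferRejected("amount is not a valid decimal")
    if not amount.is_finite():
        raise TransferRejected("amount must be finite")
    if amount <= 0:
        raise TransferRejected("amount must be positive")
    # Limit check before quantize so huge exponents cannot trip precision errors.
    if amount > PER_TRANSFER_LIMIT:
        raise TransferRejected("amount exceeds per-transfer limit")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferRejected("amount must have at most two decimal places")
    return amount


def transfer(session_user, request, accounts=ACCOUNTS):
    """Authorisation, amount validation and the overdraft check are all decided
    from server state; client-sent balance or limit fields are never consulted."""
    src = accounts.get(request.get("from_account"))
    dst = accounts.get(request.get("to_account"))
    if src is None or dst is None:
        raise TransferRejected("unknown account")
    if src["owner"] != session_user:
        raise TransferRejected("caller does not own source account")
    amount = parse_amount(request.get("amount"))
    if src["balance"] - amount < 0:
        raise TransferRejected("insufficient funds")
    src["balance"] -= amount
    dst["balance"] += amount
    return {"status": "ok", "from_balance": src["balance"]}


def export_statement(session_user, statement_id, statements=STATEMENTS):
    """Object-level authorisation for the export endpoint: the document is
    returned only to its owner; unknown and foreign ids both yield 404."""
    owner = statements.get(statement_id)
    if owner is None or owner != session_user:
        return 404, None
    return 200, f"PDF for {statement_id}"


def run_abuse_cases():
    """Replay the abuse cases from the methodology (negative amounts, tampering
    past the balance, cross-account access, IDOR) and record the outcomes."""
    base = {"from_account": "acc-1001", "to_account": "acc-2002"}
    cases = {
        "negative_amount": ("alice", {**base, "amount": "-100.00"}),
        "overdraft": ("alice", {**base, "amount": "600.00"}),
        "not_owner": ("bob", {**base, "amount": "10.00"}),
        "garbage": ("alice", {**base, "amount": "1e999"}),
        "valid": ("alice", {**base, "amount": "100.00"}),
    }
    results = {}
    for name, (user, req) in cases.items():
        try:
            results[name] = transfer(user, req, sample_accounts())["status"]
        except TransferRejected as exc:
            results[name] = f"rejected: {exc}"
    results["idor_export"] = export_statement("bob", "stmt-1")[0]
    results["own_export"] = export_statement("alice", "stmt-1")[0]
    return results


if __name__ == "__main__":
    for case, outcome in run_abuse_cases().items():
        print(f"{case:16} {outcome}")
```

The key design choice is that every decision the attacker could influence (amount, source account, statement id) is checked against server-held state, and the export endpoint answers identically for "does not exist" and "not yours" so the ID space cannot be enumerated through differing responses.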

Remediation support included exact fix recommendations and retest; all critical and high were fixed within 3 weeks.

Remediation Support & Results

We provided step-by-step remediation guidance and performed a full retest after fixes. Results: 100% of critical and high findings remediated; residual medium/low tracked in client's backlog. Client satisfied with clarity of findings and actionable recommendations.

  • Critical: 3 → 0; High: 6 → 0 after remediation and retest.
  • Regulatory and internal risk requirements met.
  • Mean time to remediate critical: 7 days.
"The most thorough pen test we have had. Findings were clearly documented and fixable."
— Security Lead, Online Banking

Key Takeaways

Business logic testing required manual exploration and abuse-case design. For similar organizations: include APIs and mobile-backend in scope; plan for at least one retest; align success criteria with regulators early.

Ready for Your Success Story?

Get a free security assessment and see how we can bring your security posture to a manageable level.