Testing Methodology
How Katana AUTO tests your web applications
Overview
Katana AUTO combines AI-powered automated testing with human verification by CREST-registered penetration testers. Our methodology is aligned with the OWASP Testing Guide v4 and covers the OWASP Top 10 vulnerability categories, ensuring comprehensive coverage of the most critical web application security risks.
How It Works
Discovery & Crawl
Our AI engine crawls your application to map all accessible endpoints, forms, parameters, and functionality. This typically takes 2–5 minutes and determines the scope and pricing of your test.
Automated Testing
The AI engine performs targeted security tests against each discovered endpoint, testing for the vulnerability categories listed below. Testing typically takes 30–60 minutes depending on application complexity.
Human Verification
All findings are reviewed and verified by our team of CREST-registered penetration testers. False positives are removed, severity ratings are validated, and context-specific recommendations are added. This process takes up to 2 working days.
Report Delivery
Your verified report is made available in the portal and emailed to your designated report email address. The report includes an executive summary, detailed findings with evidence, and remediation recommendations.
Test Modes
Standard
Read-focused testing with minimal impact to the target application. The AI engine avoids actions that could modify data or create records. Recommended for live and production environments.
Aggressive
Comprehensive testing that may create test accounts, submit forms, and write database entries. Provides deeper coverage but should only be used on development or staging environments.
Vulnerability Categories
Our testing covers the following categories, aligned with the OWASP Top 10 and OWASP Testing Guide v4:
Broken Access Control
Testing for privilege escalation, insecure direct object references (IDOR), missing function-level access controls, and path traversal vulnerabilities.
Cryptographic Failures
Identifying weak or missing encryption, insecure transport layer security (TLS/SSL), exposed sensitive data, and weak cryptographic algorithms.
Injection
Testing for SQL injection, NoSQL injection, command injection, LDAP injection, and other injection flaws across all input vectors.
Insecure Design
Identifying design-level security flaws such as missing rate limiting, insufficient anti-automation controls, and business logic vulnerabilities.
Security Misconfiguration
Checking for default configurations, unnecessary features enabled, missing security headers, verbose error messages, and directory listings.
Vulnerable & Outdated Components
Identifying known vulnerabilities in third-party libraries, frameworks, and server software through version detection and CVE matching.
Identification & Authentication Failures
Testing for weak passwords, credential stuffing, session management flaws, missing multi-factor authentication, and insecure password recovery.
Software & Data Integrity Failures
Checking for insecure deserialisation, missing integrity checks on updates and data, and CI/CD pipeline security issues.
Security Logging & Monitoring Failures
Assessing whether the application has adequate logging, monitoring, and alerting for security-relevant events.
Server-Side Request Forgery (SSRF)
Testing for SSRF vulnerabilities that could allow attackers to make requests from the server to internal or external resources.
Additional Testing
Beyond the OWASP Top 10, our testing also covers:
• Cross-Site Scripting (XSS) — Reflected, stored, and DOM-based XSS across all input vectors
• Cross-Site Request Forgery (CSRF) — Missing or weak anti-CSRF protections on state-changing operations
• Security Headers — Content-Security-Policy, X-Frame-Options, HSTS, X-Content-Type-Options, and more
• Cookie Security — Missing Secure, HttpOnly, and SameSite flags
• Information Disclosure — Server version headers, debug endpoints, stack traces, and source code exposure
• File Upload Vulnerabilities — Unrestricted file types, path traversal, and remote code execution via uploads
• API Security — Authentication, authorisation, rate limiting, and input validation on API endpoints
Authenticated Testing
When authenticated testing is enabled, the AI engine logs in using the provided credentials and tests functionality that requires authentication. You can provide up to 5 credential sets with different privilege levels (e.g. Standard User, Admin) to enable comprehensive access control and privilege escalation testing. Credentials are transmitted securely and deleted after the testing phase completes.
Severity Ratings
Findings are classified using the following severity scale:
Accreditations
Samurai Digital Security is a CREST-accredited penetration testing provider and is NCSC certified. All human verification is performed by CREST-registered testers (CRT/CCT qualified).