Testing Methodology

How Katana AUTO tests your web applications

Overview

Katana AUTO combines AI-powered automated testing with human verification by CREST-registered penetration testers. Our methodology is aligned with the OWASP Testing Guide v4 and covers the OWASP Top 10 vulnerability categories, ensuring comprehensive coverage of the most critical web application security risks.

How It Works

1

Discovery & Crawl

Our AI engine crawls your application to map all accessible endpoints, forms, parameters, and functionality. This typically takes 2–5 minutes and determines the scope and pricing of your test.

2

Automated Testing

The AI engine performs targeted security tests against each discovered endpoint, testing for the vulnerability categories listed below. Testing typically takes 30–60 minutes depending on application complexity.

3

Human Verification

All findings are reviewed and verified by our team of CREST-registered penetration testers. False positives are removed, severity ratings are validated, and context-specific recommendations are added. This process takes up to 2 working days.

4

Report Delivery

Your verified report is made available in the portal and emailed to your designated report email address. The report includes an executive summary, detailed findings with evidence, and remediation recommendations.

Test Modes

Standard

Read-focused testing with minimal impact to the target application. The AI engine avoids actions that could modify data or create records. Recommended for live and production environments.

Aggressive

Comprehensive testing that may create test accounts, submit forms, and write database entries. Provides deeper coverage but should only be used on development or staging environments.

Vulnerability Categories

Our testing covers the following categories, aligned with the OWASP Top 10 and OWASP Testing Guide v4:

A01

Broken Access Control

Testing for privilege escalation, insecure direct object references (IDOR), missing function-level access controls, and path traversal vulnerabilities.

A02

Cryptographic Failures

Identifying weak or missing encryption, insecure transport layer security (TLS/SSL), exposed sensitive data, and weak cryptographic algorithms.

A03

Injection

Testing for SQL injection, NoSQL injection, command injection, LDAP injection, and other injection flaws across all input vectors.

A04

Insecure Design

Identifying design-level security flaws such as missing rate limiting, insufficient anti-automation controls, and business logic vulnerabilities.

A05

Security Misconfiguration

Checking for default configurations, unnecessary features enabled, missing security headers, verbose error messages, and directory listings.

A06

Vulnerable & Outdated Components

Identifying known vulnerabilities in third-party libraries, frameworks, and server software through version detection and CVE matching.

A07

Identification & Authentication Failures

Testing for weak passwords, credential stuffing, session management flaws, missing multi-factor authentication, and insecure password recovery.

A08

Software & Data Integrity Failures

Checking for insecure deserialisation, missing integrity checks on updates and data, and CI/CD pipeline security issues.

A09

Security Logging & Monitoring Failures

Assessing whether the application has adequate logging, monitoring, and alerting for security-relevant events.

A10

Server-Side Request Forgery (SSRF)

Testing for SSRF vulnerabilities that could allow attackers to make requests from the server to internal or external resources.

Additional Testing

Beyond the OWASP Top 10, our testing also covers:

Cross-Site Scripting (XSS) — Reflected, stored, and DOM-based XSS across all input vectors

Cross-Site Request Forgery (CSRF) — Missing or weak anti-CSRF protections on state-changing operations

Security Headers — Content-Security-Policy, X-Frame-Options, HSTS, X-Content-Type-Options, and more

Cookie Security — Missing Secure, HttpOnly, and SameSite flags

Information Disclosure — Server version headers, debug endpoints, stack traces, and source code exposure

File Upload Vulnerabilities — Unrestricted file types, path traversal, and remote code execution via uploads

API Security — Authentication, authorisation, rate limiting, and input validation on API endpoints

Authenticated Testing

When authenticated testing is enabled, the AI engine logs in using the provided credentials and tests functionality that requires authentication. You can provide up to 5 credential sets with different privilege levels (e.g. Standard User, Admin) to enable comprehensive access control and privilege escalation testing. Credentials are transmitted securely and deleted after the testing phase completes.

Severity Ratings

Findings are classified using the following severity scale:

CriticalImmediate risk of exploitation with severe business impact. Requires urgent remediation.
HighSignificant risk that could lead to data breach or system compromise. Should be addressed promptly.
MediumModerate risk that could contribute to a broader attack. Should be addressed in the near term.
LowMinor risk with limited direct impact. Should be addressed as part of ongoing security improvements.
InfoInformational finding that may indicate an area for improvement but poses no direct security risk.

Accreditations

Samurai Digital Security is a CREST-accredited penetration testing provider and is NCSC certified. All human verification is performed by CREST-registered testers (CRT/CCT qualified).