Assessments of web applications are usually performed from the perspective of unauthorized and authorized users, with the first goal of ensuring known vulnerabilities in the web servers, application servers, and databases are not present. Immunity then checks the application for standard problems similar to those described in the OWASP testing guidelines.
Immunity always includes extensive testing for the presence of SQL or command injection vulnerabilities that allow unauthorized access to database systems. Web applications are also analyzed for other vulnerabilities that could cause information leakage, unauthorized access, or privilege escalation.