Penetration Test

    7 vulnerabilities found before they became a problem

    Client: Confidential client
    Type: External penetration test
    Year: 2025
    Duration: 1 week

    The Challenge

    The client had built a mobile app with a REST API backend and needed an independent security assessment before launch. The test was performed as a black-box assessment without access to source code, exactly as a real attacker would operate.

    Methodology followed OWASP API Security Top 10, OWASP Web Security Testing Guide, and PTES. Testing covered authentication, authorization, input validation, business logic, and configuration.

    The Solution

    7 vulnerabilities were identified: 1 critical, 2 high, and 4 medium. Each finding includes a CVSS score and remediation suggestions.

    Critical finding: the authentication endpoint allows unlimited login attempts with no rate limiting, account lockout, or CAPTCHA (CVSS 9.1). High findings: stored XSS via the username (CVSS 8.1) and missing email verification (CVSS 7.2). Medium findings: account enumeration via registration, exposed API documentation, active debug endpoints, and unauthenticated access to user data.

    Approved controls: HTTPS with TLS 1.3, a password policy, admin privilege escalation blocked, no SQL injection or path traversal found, and JWT tokens correctly signed.
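    As an added illustration of the remediation for the critical finding (this is example code, not the assessed application's code or anything from the report), the following Python login gate applies a per-account lockout and a per-IP sliding-window limit before the password check; the thresholds, account names and IP addresses are assumed values.

```python
import time
from collections import defaultdict, deque

# Assumed thresholds (not values from the report); tune to the app's risk profile.
MAX_FAILURES_PER_ACCOUNT = 5   # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60      # how long a locked account rejects logins
IP_WINDOW_SECONDS = 60         # sliding window for the per-IP limit
MAX_ATTEMPTS_PER_IP = 20       # attempts one source IP may make per window

class LoginThrottle:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock (for tests)
        self._failures = defaultdict(int)    # account -> consecutive failures
        self._locked_until = {}              # account -> unlock timestamp
        self._ip_hits = defaultdict(deque)   # ip -> attempt timestamps

    def check(self, account, ip):
        """Run before the password check; log the reason to make brute force visible."""
        now = self._now()
        if now < self._locked_until.get(account, 0.0):
            return False, "account_locked"
        hits = self._ip_hits[ip]
        while hits and hits[0] <= now - IP_WINDOW_SECONDS:
            hits.popleft()                   # forget hits outside the window
        if len(hits) >= MAX_ATTEMPTS_PER_IP:
            return False, "ip_rate_limited"
        hits.append(now)
        return True, "ok"

    def record(self, account, success):
        if success:                          # a successful login resets the count
            self._failures.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES_PER_ACCOUNT:
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
            self._failures[account] = 0      # fresh count once the lock expires

def allowed_attempts(attempts, account="victim", ip="203.0.113.7"):
    """Constructed scenario: wrong-password tries at 10/s; return how many reach the check."""
    clock = [0.0]
    throttle = LoginThrottle(now=lambda: clock[0])
    allowed = 0
    for _ in range(attempts):
        ok, _reason = throttle.check(account, ip)
        if ok:
            allowed += 1
            throttle.record(account, False)
        clock[0] += 0.1
    return allowed
```

    Without the gate, all 1000 attempts in the constructed scenario would reach the password check; with it, only the first 5 do, and every rejected attempt carries a reason that can feed an alert.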

    Process & Delivery

    Delivered in 1 week. Traditional agencies deliver similar projects in 8-12 weeks.

    Security score: 5/10
    Vulnerabilities: 7
    Approved controls: 6
    Critical vulnerabilities: 1
