Penetration Test
7 vulnerabilities found before they became a problem

Client: Confidential client
Type: External penetration test
Year: 2025
Duration: 1 week
The Challenge
The client had built a mobile app backed by a REST API and needed an independent security assessment before launch. The test was performed black-box, with no access to source code, which is the same starting position an external attacker has.
Methodology followed the OWASP API Security Top 10, the OWASP Web Security Testing Guide, and PTES. Testing covered authentication, authorization, input validation, business logic, and configuration.
The Solution
7 vulnerabilities were identified: 1 critical, 2 high, and 4 medium. Each finding is reported with a CVSS score and remediation guidance.
Critical finding: the authentication endpoint accepts unlimited login attempts with no rate limiting, account lockout, or CAPTCHA (CVSS 9.1), so any account can be attacked by password guessing at whatever speed the attacker chooses. High findings: stored XSS via the username field (CVSS 8.1) and missing email verification (CVSS 7.2). Medium findings: account enumeration via the registration endpoint, publicly exposed API documentation, debug endpoints left active, and unauthenticated access to user data.
Controls that passed testing: HTTPS with TLS 1.3, password policy, privilege escalation to admin blocked, no SQL injection or path traversal found, JWT tokens correctly signed.
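The remediation for the critical finding is a throttle in front of the login handler. The following is an added illustration, not the client's code: it combines a per-source-IP sliding window with a per-account lockout that escalates on repeated failures, and it returns the same status and message for an unknown user, a wrong password and a locked account so the login endpoint does not become an enumeration oracle. The class name, thresholds, sample user and IP addresses are all assumptions chosen for the example.

```python
"""Login throttling: per-IP rate limit plus per-account lockout.

Illustrative remediation for a login endpoint that accepts unlimited
attempts. Names, thresholds and fixtures are assumptions for the example.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

IP_WINDOW_SECONDS = 60          # sliding window for per-source-IP limiting
IP_MAX_ATTEMPTS = 10            # attempts allowed per IP per window
ACCOUNT_MAX_FAILURES = 5        # consecutive failures before the account locks
ACCOUNT_BASE_LOCK_SECONDS = 60  # first lockout; doubles on each further failure
ACCOUNT_MAX_LOCK_SECONDS = 3600 # cap so a persistent attacker cannot lock a user out forever

# One message for unknown user, wrong password and locked account:
# the response must not reveal which case applied.
GENERIC_FAILURE = "invalid credentials"
_DUMMY_SALT = b"dummy-salt-for-unknown-users"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginThrottle:
    def __init__(self, users: dict, clock=time.monotonic):
        # users: username -> (salt, derived_key). clock is injectable for testing.
        self.users = users
        self.clock = clock
        self.ip_attempts = defaultdict(deque)   # ip -> timestamps of recent attempts
        self.failures = defaultdict(int)        # username -> consecutive failures
        self.locked_until = defaultdict(float)  # username -> clock time lock expires

    def _ip_allowed(self, ip: str) -> bool:
        now = self.clock()
        q = self.ip_attempts[ip]
        while q and now - q[0] > IP_WINDOW_SECONDS:   # drop attempts outside the window
            q.popleft()
        if len(q) >= IP_MAX_ATTEMPTS:
            return False
        q.append(now)
        return True

    def _account_locked(self, username: str) -> bool:
        return self.clock() < self.locked_until[username]

    def _record_failure(self, username: str) -> None:
        self.failures[username] += 1
        n = self.failures[username]
        if n >= ACCOUNT_MAX_FAILURES:
            lock = min(ACCOUNT_BASE_LOCK_SECONDS * 2 ** (n - ACCOUNT_MAX_FAILURES),
                       ACCOUNT_MAX_LOCK_SECONDS)
            self.locked_until[username] = self.clock() + lock

    def login(self, ip: str, username: str, password: str):
        """Return (http_status, message): 429 = source throttled, 401 = refused."""
        if not self._ip_allowed(ip):
            return 429, "too many requests"
        if self._account_locked(username):
            return 401, GENERIC_FAILURE
        record = self.users.get(username)
        if record is None:
            # Unknown user: hash anyway so response time matches the wrong-password path.
            _hash_password(password, _DUMMY_SALT)
            return 401, GENERIC_FAILURE
        salt, expected = record
        if hmac.compare_digest(_hash_password(password, salt), expected):
            self.failures[username] = 0     # success clears the failure counter
            return 200, "ok"
        self._record_failure(username)
        return 401, GENERIC_FAILURE


def simulate_bruteforce(attempts: int = 12) -> list:
    """Constructed scenario: one IP guesses 12 passwords for 'alice' in a burst."""
    clock = [0.0]
    salt = b"fixed-salt-for-example"
    users = {"alice": (salt, _hash_password("correct horse", salt))}
    throttle = LoginThrottle(users, clock=lambda: clock[0])
    return [throttle.login("203.0.113.5", "alice", f"guess{i}")[0] for i in range(attempts)]


if __name__ == "__main__":
    # Expected: five 401s while guessing, five more 401s once alice is locked,
    # then 429 when the per-IP window is exhausted.
    print(simulate_bruteforce())
```

In the simulated burst the first five guesses are rejected and lock the account, the next five are rejected without the password ever being checked, and the last two are dropped by the IP limiter. The per-IP window alone is not enough (an attacker spreads guesses across sources), and the lockout alone invites denial of service against a chosen user, which is why the lock duration is capped and a correct password after expiry restores normal access.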
Process & Delivery
Delivered in 1 week. Traditional agencies deliver similar projects in 8-12 weeks.
Security score: 5/10
Vulnerabilities: 7
Approved controls: 6
Critical vulnerabilities: 1