Case Studies

Real Vulnerabilities. Real Impact.

Anonymised findings from real engagements — illustrating the types of critical vulnerabilities we surface and the concrete steps taken to remediate them.

Critical Severity | Broken Access Control | OWASP A01:2021

IDOR in E-Commerce Order Management

E-Commerce Platform — 50,000+ users

Overview

During a black-box web application assessment, our team identified a systematic Insecure Direct Object Reference (IDOR) vulnerability in the order management API. All authenticated users could access, modify, or cancel any order by incrementing a sequential integer ID in the API path — with zero server-side authorisation checks.

Technical Findings

  • GET /api/v1/orders/{id} returned full order data including email, addresses, and partial card numbers for any user
  • PUT /api/v1/orders/{id}/cancel allowed cancellation of arbitrary orders without ownership validation
  • Order IDs were sequential integers starting from 1, enabling trivial enumeration of the entire order history
  • No rate limiting or anomaly detection was in place to flag bulk ID enumeration

Business Impact

An attacker could silently exfiltrate the PII (name, email, shipping address, partial payment data) for every customer in the database. Mass order cancellation would directly impact revenue and customer trust. GDPR and PCI-DSS breach notification obligations would be triggered.

Remediation Steps

  1. Implement server-side ownership checks: verify req.user.id === order.userId before returning or mutating any record
  2. Replace sequential integer IDs with UUIDs to eliminate trivial enumeration
  3. Add rate limiting and alerting for abnormal patterns on resource-heavy endpoints
  4. Write automated integration tests that assert a user in session A cannot access resources owned by session B

Critical Severity | Injection | OWASP A03:2021

SQL Injection Bypass in Authentication Flow

SaaS HR Platform — 12,000+ enterprise users

Overview

A targeted review of the login endpoint revealed that user-supplied input was concatenated directly into raw SQL queries without sanitisation. Using a classic single-quote payload, our team fully bypassed authentication and gained admin-level access to the application without knowing any valid credentials.

Technical Findings

  • Login payload admin' OR '1'='1'-- returned a valid session token for the first account in the users table
  • The admin account had access to all tenant data, configuration, and employee PII across every organisation
  • Error messages disclosed full SQL query structure and database column names, accelerating exploitation
  • No WAF or query anomaly detection was deployed

Business Impact

Complete authentication bypass, enabling unauthenticated access to payroll data, personal employee records, and tax information for every organisation on the platform. This constitutes a critical GDPR violation with mandatory data breach notification.

Remediation Steps

  1. Replace all raw SQL concatenation with parameterised queries or a trusted ORM
  2. Sanitise and validate all user-supplied input at the application boundary
  3. Suppress verbose error messages in production; log them server-side only
  4. Deploy a WAF with SQL injection rules as an additional defence layer
  5. Conduct a full audit of every database-touching code path for similar patterns

High Severity | Security Misconfiguration | OWASP A05:2021

Exposed Admin Panel & Default Credentials

FinTech Startup — Pre-launch audit

Overview

During a pre-launch black-box assessment, our team discovered an unauthenticated admin panel exposed on a non-standard port. The panel was protected only by default vendor credentials that had never been rotated, granting full control over the application database and user management.

Technical Findings

  • Admin panel accessible at :8080/admin with no IP allowlist or VPN requirement
  • Default credentials admin:admin granted immediate access
  • Panel exposed direct SQL query execution, user impersonation, and raw file system browsing
  • The port was indexed by Shodan and Censys, making it publicly discoverable

Business Impact

Any threat actor with basic OSINT capability could discover and exploit this within minutes. Full compromise of the production database before launch would be catastrophic for a regulated FinTech entity.

Remediation Steps

  1. Immediately rotate all default credentials and enforce strong password policies
  2. Restrict admin panel access to VPN or specific IP ranges using firewall rules
  3. Remove public exposure of admin and management ports from the attack surface
  4. Implement a pre-launch security checklist covering default credentials and exposed services

Could these vulnerabilities exist in your systems?

The only way to know for certain is a professional security assessment. Let's find out together.