Web Application Penetration Test Report

Report ID: BRX-WAPT-2025-1225
Dec 25, 2025
Confidential
Engagement Summary • OWASP-aligned • Production-grade

Web Application Penetration Test — Executive Report

This report documents a full web application penetration test performed by Brivox. It includes validated findings, proof-of-concept (PoC) evidence, risk analysis, and remediation guidance. A post-fix retest summary is included to show what we hardened and how risk was reduced.

  • Risk: Critical (1). High-impact path to unauthorized data access.
  • Exposure: High (2). Auth/session weaknesses that amplify other issues.
  • Control: Medium (2). Security control gaps with measurable impact.
  • Signals: Low (3). Hardening opportunities (headers, rate limits, hygiene).

Scope

The assessment targeted the web application surfaces exposed to end-users and administrators. Testing focused on authentication, access control, session management, business logic, and data handling.

  • In-scope: Web UI, API endpoints, auth flows, role paths, checkout/business workflows, file uploads, admin functionality.
  • Out-of-scope: Physical security, social engineering, DDoS/load testing, source code review (unless explicitly provided).
  • Testing window: Dec 20–25, 2025

Methodology

Brivox followed an OWASP-aligned methodology: reconnaissance, mapping, threat modeling, manual exploitation, and validation with least-impact PoCs. Findings were rated by likelihood × impact and mapped to practical fixes.

Phase     | What we did                                                                 | Outputs
Discovery | Endpoint mapping, auth boundary checks, role paths, input vectors           | Attack surface map, risk hypotheses
Exploit   | Manual exploitation: access control, sessions, IDOR, CSRF, injection chains | Validated PoCs, evidence captures
Harden    | Fix guidance + implementation (secure patterns + defense-in-depth)          | Patch plan, code/config changes
Retest    | Revalidation and regression on fixed areas                                  | Risk reduction proof, retest notes

Findings Summary

A compact view of validated issues. Full PoCs and remediation steps are provided below.

ID      | Severity | Title                                                                      | Area
WAPT-01 | Critical | Broken Access Control (IDOR) via predictable resource identifiers          | API /orders/*
WAPT-02 | High     | Session weakness: long-lived tokens + missing rotation on privilege change | Auth /sessions
WAPT-03 | High     | Missing rate limits on auth endpoints (credential stuffing risk)           | /login /otp
WAPT-04 | Medium   | CSRF gap on state-changing endpoint (insufficient origin validation)       | /profile/update
WAPT-05 | Medium   | File upload hardening gaps (content-type trust + storage permissions)      | /uploads
WAPT-06 | Low      | Security headers baseline incomplete                                       | Global
WAPT-07 | Low      | Verbose error responses reveal internal implementation details             | API errors
WAPT-08 | Low      | Password policy allows weak entropy in edge cases                          | Auth policy

Detailed Findings (PoC + Remediation)

Each finding includes: description, impact, evidence/PoC, and a practical remediation plan. All examples are redacted for safety; replace placeholders with your real endpoints/IDs.

WAPT-01 — Broken Access Control (IDOR) via predictable identifiers

Severity: Critical | OWASP: A01:2021 | Area: API /orders/{id}
Description
The API authorized access based on a user session, but did not enforce ownership checks on the target resource. By iterating IDs, a standard user could access other users’ order objects.
Impact
Unauthorized access to personal and order data (PII), potential refund/fulfillment manipulation, and full breach escalation if combined with session weakness.
Proof / PoC
Authenticated as User A, request Order #10421 (belongs to User B) successfully returns data.
  Request:
    GET /api/orders/10421 HTTP/1.1
    Host: app.example.com
    Authorization: Bearer eyJ...REDACTED
    Accept: application/json

  Response:
    HTTP/1.1 200 OK
    Content-Type: application/json

    {
      "orderId": 10421,
      "userId": 8821,
      "email": "REDACTED@example.com",
      "items": [{"sku": "TSHIRT-01", "qty": 1}],
      "address": "REDACTED",
      "status": "paid"
    }
Recommendation
Enforce object-level authorization on every resource access: verify the requested resource is owned by the requesting principal (or allowed by role). Use server-side checks only (do not trust client-provided identifiers).
What Brivox did
Implemented centralized authorization middleware: OrderPolicy.canRead(user, order) + canMutate. Replaced direct ID lookups with scoped queries (e.g., WHERE order.user_id = session.user_id). Added audit logging for denied access attempts.
Retest outcome: After fix, cross-user order access returns 403 Forbidden. No regressions detected on legitimate owner access.
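The vulnerable lookup beside the hardened one, as an added example (not Brivox's or the client's code): an OrderPolicy with can_read/can_mutate, a handler that returns 403 and writes an audit entry on denial, and a scoped list query. The order table, user ids, and the "support" role name are constructed for the example.

```python
import logging
from dataclasses import dataclass

audit = logging.getLogger("authz.audit")
DENIALS = []  # in-memory mirror of the audit log so denied attempts can be inspected

@dataclass(frozen=True)
class Session:
    user_id: int
    role: str = "user"  # "user" or "support"; role names are assumed for this example

# Constructed order table; 10421 belongs to user 8821 as in the PoC above.
ORDERS = {
    10421: {"orderId": 10421, "userId": 8821, "status": "paid"},
    10422: {"orderId": 10422, "userId": 7710, "status": "shipped"},
}

def get_order_vulnerable(session, order_id):
    """Before the fix: the session proves who is asking, not whether they may read this row."""
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)

class OrderPolicy:
    """Single place where object-level rules live; every handler must go through it."""
    @staticmethod
    def can_read(session, order):
        return order["userId"] == session.user_id or session.role == "support"

    @staticmethod
    def can_mutate(session, order):
        return order["userId"] == session.user_id  # support may read, never change, orders

def get_order(session, order_id):
    """After the fix: server-side ownership/role check on every access, denials audited."""
    order = ORDERS.get(order_id)
    if order is None:
        return (404, None)
    if not OrderPolicy.can_read(session, order):
        DENIALS.append((session.user_id, order_id))
        audit.warning("denied read user=%s order=%s", session.user_id, order_id)
        return (403, None)
    return (200, order)

def list_orders(session):
    """Scoped query (SQL: WHERE user_id = session.user_id): other users' rows never leave the DB."""
    return [o for o in ORDERS.values() if o["userId"] == session.user_id]
```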

WAPT-02 — Session token lifecycle weakness (rotation + TTL)

Severity: High | OWASP: A07:2021 | Long-lived sessions
Description
Sessions remained valid for extended periods without rotation on privilege changes, increasing replay risk if tokens are leaked.
Recommendation
Rotate tokens on login and privilege events; enforce short access-token TTL and refresh-token rotation; revoke refresh tokens on logout.
What Brivox did
Added rotating refresh tokens, shortened access TTL, enforced rotation on password change / role updates, and added revocation strategy.
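A minimal session store implementing the lifecycle described above, added here as an illustration and not Brivox's implementation: short access TTL, single-use refresh tokens grouped into a per-login family, replay detection that revokes the whole family, and revocation on logout or privilege change. TTL values and the injectable clock are assumptions of the example.

```python
import secrets
import time

ACCESS_TTL = 15 * 60            # short-lived access token, seconds (value assumed)
REFRESH_TTL = 14 * 24 * 3600    # refresh token lifetime, seconds (value assumed)

class SessionStore:
    """Rotating refresh tokens with replay detection and per-user revocation."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be exercised offline
        self.access = {}               # access_token -> (user_id, expires_at)
        self.refresh = {}              # refresh_token -> [user_id, family, expires_at, used]
        self.revoked_families = set()  # one family per login; revoking it kills the whole chain

    def _issue(self, user_id, family):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user_id, self.now() + ACCESS_TTL)
        self.refresh[rt] = [user_id, family, self.now() + REFRESH_TTL, False]
        return at, rt

    def login(self, user_id):
        return self._issue(user_id, family=secrets.token_hex(8))

    def rotate(self, rt):
        """Exchange a refresh token for a fresh pair; the presented token is single-use."""
        rec = self.refresh.get(rt)
        if rec is None:
            return None
        user_id, family, expires_at, used = rec
        if used or family in self.revoked_families:
            # A previously rotated token is being replayed: assume the chain leaked.
            self.revoked_families.add(family)
            return None
        if expires_at <= self.now():
            return None
        rec[3] = True
        return self._issue(user_id, family)

    def authenticate(self, at):
        rec = self.access.get(at)
        return rec[0] if rec and rec[1] > self.now() else None

    def revoke_user(self, user_id):
        """Called on logout, password change or role update: no old token survives the event."""
        for rec in self.refresh.values():
            if rec[0] == user_id:
                self.revoked_families.add(rec[1])
        self.access = {at: r for at, r in self.access.items() if r[0] != user_id}
```

Access tokens are not tied to a family here, so a rotation leaves the previous access token usable until its own expiry; that residual window is exactly what the short ACCESS_TTL bounds.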

WAPT-03 — Missing rate limits on authentication endpoints

Severity: High | Credential stuffing | /login, /otp
Description
Login and OTP endpoints accepted high request volume without backoff, allowing automated guessing attempts.
Recommendation
Implement IP + account-based throttling, exponential backoff, and suspicious pattern detection; keep error messages uniform.
What Brivox did
Added edge + app rate limiting (sliding window), OTP attempt caps, and safe auth error messaging.
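The throttling pattern above in working form, added as an example and not Brivox's edge or application code: a sliding-window limiter applied per source IP and per account before any credential check, a hard cap on OTP attempts, and one uniform error body for every failure cause. Thresholds, the credential store, and the OTP codes are constructed for the example.

```python
import hmac
import time
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allows at most `limit` hits per key within the trailing `window` seconds."""

    def __init__(self, limit, window, now=time.time):
        self.limit, self.window, self.now = limit, window, now
        self.hits = defaultdict(deque)

    def allow(self, key):
        q, t = self.hits[key], self.now()
        while q and q[0] <= t - self.window:
            q.popleft()                # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True

# One uniform error for every failure cause, so responses do not reveal whether the account exists.
GENERIC_ERROR = {"status": 401, "error": "Invalid credentials"}
THROTTLED = {"status": 429, "error": "Too many attempts, try again later"}

ip_limiter = SlidingWindowLimiter(limit=20, window=60)     # per source IP (thresholds assumed)
acct_limiter = SlidingWindowLimiter(limit=5, window=300)   # per target account
OTP_MAX_ATTEMPTS = 5
otp_attempts = defaultdict(int)

# Constructed credential store for the example; a real one holds password hashes.
USERS = {"alice@example.com": "correct horse battery staple"}
OTP_CODES = {"alice@example.com": "482913"}

def login(ip, username, password):
    # Both limiters run before any credential work, so unknown accounts are throttled identically.
    if not ip_limiter.allow(ip) or not acct_limiter.allow(username.lower()):
        return THROTTLED
    stored = USERS.get(username, "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return GENERIC_ERROR
    return {"status": 200, "next": "otp"}

def verify_otp(username, code):
    if otp_attempts[username] >= OTP_MAX_ATTEMPTS:
        return THROTTLED                 # hard cap: a 6-digit code must not be guessable by volume
    otp_attempts[username] += 1
    if not hmac.compare_digest(OTP_CODES.get(username, "").encode(), code.encode()):
        return GENERIC_ERROR
    otp_attempts[username] = 0
    return {"status": 200, "session": "issued"}
```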

WAPT-04 — CSRF gap on state-changing endpoint

Severity: Medium | Origin/Referer
Recommendation
Use CSRF tokens, enforce SameSite cookies, and validate origin on sensitive write routes.
What Brivox did
Added CSRF tokens, enabled SameSite, and enforced origin validation for write actions.
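The three controls combined on a /profile/update handler, added as an example (not the application's code): a session-bound CSRF token, Origin validation with Referer as fallback and rejection when neither is present, and a SameSite session cookie. The allowed origin, the dict-shaped request, the signing key, and the choice of SameSite=Lax are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com"}
CSRF_KEY = secrets.token_bytes(32)  # server-side signing key, generated here for the example

def issue_csrf_token(session_id):
    """Per-session token: a random nonce plus an HMAC binding it to the session id."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def csrf_token_valid(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):   # missing or malformed token
        return False
    expected = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def origin_allowed(headers):
    """Origin first, Referer's origin as fallback; a write with neither header is refused."""
    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS

def session_cookie(session_id):
    """SameSite keeps the browser from attaching the cookie to cross-site POSTs at all."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

def profile_update(request):
    """request is a plain dict {method, headers, cookies, form}; the shape is assumed here."""
    if request["method"] != "POST":
        return 405
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401
    if not origin_allowed(request["headers"]):
        return 403
    if not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return 403
    return 200
```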

WAPT-06 — Security headers baseline incomplete

Severity: Low | Baseline hardening
Recommendation
Add CSP (report-only → enforce), HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and strict cookie flags.
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: geolocation=(), microphone=(), camera=()
  Content-Security-Policy: default-src 'self'; img-src 'self' https: data:; ...

Retest Summary

Brivox revalidated remediations and ran regression checks on adjacent areas to ensure fixes didn’t introduce new issues.

Finding | Status | Notes
WAPT-01 | Fixed  | 403 on cross-user access, scoped queries validated.
WAPT-02 | Fixed  | Token rotation enforced; old refresh tokens rejected.
WAPT-03 | Fixed  | Rate limit thresholds confirmed; safe error messaging.

Tip: Replace app.example.com and the PoC IDs with your real environment evidence.