Case study:
SaaS Platform
Penetration test for B2B SaaS Platform
Client: A B2B SaaS platform for financial and accounting process automation for small businesses
Objective: Identify vulnerabilities that could compromise data confidentiality and platform integrity
Testing Approach: Grey Box Penetration Testing
Timeline: 10 business days
What We Did:
Our team was granted access to limited user accounts (with “Project Manager” roles) and basic API documentation.
The primary focus was on verifying access control between users with different roles. One of the test scenarios included analyzing how the backend handled unauthorized access to resources via direct API calls. This led to the discovery of a vertical privilege escalation vulnerability.
Key Findings
Due to missing backend authorization checks, a user with basic privileges could access another organization’s financial data by simply changing the organization_id parameter in an API request.
Severity: High (CWE-862: Missing Authorization)
Risk: Exposure of confidential business data, GDPR violations
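As an added illustration (not the client's code or part of the original report), the following Python models the missing-authorization pattern from the finding: a vulnerable handler that trusts the client-supplied organization_id beside a hardened one that verifies the caller's tenant membership on the backend. The data model, handler names and ledger records are all constructed for this example.

```python
"""Constructed model of the organization_id authorization flaw (not client code)."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample tenants: two organizations, each with its own ledger.
LEDGERS = {
    101: {"org": "Acme Books", "balance": 12_500},
    202: {"org": "Birch Accounting", "balance": 98_000},
}


@dataclass(frozen=True)
class User:
    user_id: int
    role: str
    org_ids: frozenset  # organizations this user actually belongs to


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested tenant."""


def get_ledger_vulnerable(user: User, organization_id: int) -> dict:
    """Vulnerable pattern: only the caller's role is checked; the
    organization_id from the request is trusted without any tenant check."""
    if user.role not in ("Project Manager", "Admin"):
        raise Forbidden("role not allowed")
    return LEDGERS[organization_id]  # any org_id the client sends is served


def get_ledger_fixed(user: User, organization_id: int) -> dict:
    """Hardened pattern: authorize the (user, resource) pair server-side,
    independent of what the client supplies."""
    record = LEDGERS.get(organization_id)
    if organization_id not in user.org_ids or record is None:
        # Same response whether the org is foreign or nonexistent, so the
        # parameter cannot be used to enumerate valid organization_ids.
        raise Forbidden("organization not found")
    return record


def is_authorized(handler: Callable[[User, int], dict], user: User, organization_id: int) -> bool:
    """Return True if the handler serves the ledger, False if it refuses."""
    try:
        handler(user, organization_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    pm = User(user_id=7, role="Project Manager", org_ids=frozenset({101}))
    print("vulnerable handler leaks org 202:", is_authorized(get_ledger_vulnerable, pm, 202))
    print("fixed handler leaks org 202:", is_authorized(get_ledger_fixed, pm, 202))
```

The second line printed is the check a regression test for this finding should assert on: a Project Manager of organization 101 must never receive organization 202's ledger.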
Methodologies we use
Recommendations

Implement encryption for data at rest and in transit to protect sensitive information from unauthorized access.

Outcome

The vulnerability was patched within 48 hours by the client’s development team.

The client requested a follow-up security code review for key platform modules.
Are you interested in learning more about this case or do you have similar security needs?
This case shows how seemingly isolated user accounts can pose a significant risk when authorization mechanisms are not properly enforced. Penetration testing is not just about breaking into systems — it’s about building trust and resilience.