Case Study · SaaS · United Kingdom · April 20, 2025

Full Penetration Test for a London B2B Software Company

A London-based B2B SaaS company preparing for SOC 2 Type II commissioned a comprehensive penetration test covering their web application, API, and cloud infrastructure. 14 findings were identified, including a critical IDOR vulnerability that broke multi-tenant data isolation.

14 Vulnerabilities Found
1 Critical: Multi-Tenant IDOR
100% Fixed Before SOC 2 Audit

Web Application Penetration Testing · API Security Testing · Cloud Security Assessment

Background

A London-based B2B SaaS company providing project management tooling for professional services firms engaged CyberneticsPlus for a comprehensive penetration test. The primary driver was SOC 2 Type II readiness — their enterprise sales pipeline included several US financial services firms requiring the audit report.

Environment in scope:

  • Production web application (React SPA + Node.js/Express API)
  • 4 API endpoints consumed by enterprise client integrations
  • AWS infrastructure (2 accounts: production and staging)
  • Multi-tenant architecture serving 180+ enterprise clients

The company had never had a formal penetration test performed. Internal security was limited to dependency scanning via Snyk and basic AWS Config rules.

Methodology

The engagement was conducted as a grey-box assessment. CyberneticsPlus was provided:

  • Two standard user accounts (one free-tier, one paid enterprise-tier)
  • One admin account
  • API documentation for the integration endpoints
  • Architecture diagram of the AWS deployment

The engagement ran over 10 business days.

Key Findings

Critical: Multi-Tenant Data Isolation Failure (IDOR)

Finding: The /api/v1/projects/{project_id} endpoint returned project data based on the provided project ID without verifying that the requesting user’s organisation owned the project. An authenticated user from Organisation A could retrieve full project data belonging to Organisation B by iterating project IDs.

Reproduction:

  1. Authenticate as a user from Organisation A
  2. Create a project → note assigned project ID (e.g., proj_8821)
  3. Increment the ID and issue: GET /api/v1/projects/proj_8823
  4. Response returned Organisation B’s project data including client names, project details, team members, and attached documents

Project IDs were sequential integers, making enumeration trivial. An attacker with a paid account could enumerate and download the projects and client data of all 180+ client organisations.

Business impact: Complete breach of multi-tenant data isolation. All client data accessible to any authenticated user. Reportable as a data breach under GDPR Article 33 (personal data of client company employees was in project records).

Fix implemented: The API route handler was updated to include an organisation ownership check. Every project query was joined against the authenticated user’s organisation ID, with any mismatch returning 403.
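The finding and its fix, side by side, as an added example. This is not code from the client's application or from CyberneticsPlus: the handlers take an Express-shaped request object ({ params, user }) and return { status, body } so the example runs without a web framework, and the project records, organisation IDs and user IDs are constructed sample data.

```javascript
// Added example, not code from the client's application or from CyberneticsPlus.
// Handlers take an Express-shaped request ({ params, user }) and return { status, body }
// so the example runs without a web framework. Project and org IDs are constructed.

// Constructed sample data: sequential project IDs across two tenant organisations.
const projects = new Map([
  ["proj_8821", { id: "proj_8821", orgId: "org_A", name: "Roadmap", client: "Acme Ltd" }],
  ["proj_8822", { id: "proj_8822", orgId: "org_A", name: "Migration", client: "Acme Ltd" }],
  ["proj_8823", { id: "proj_8823", orgId: "org_B", name: "Audit prep", client: "Globex plc" }],
]);

// Vulnerable handler (the finding): the only key used is the path parameter,
// so any authenticated user can fetch any project by ID.
function getProjectVulnerable(req) {
  const project = projects.get(req.params.project_id);
  if (!project) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: project };
}

// Fixed handler: the lookup is scoped to the caller's organisation, the in-memory
// equivalent of `WHERE id = $1 AND org_id = $2`. A project owned by another org
// returns 403, matching the fix described above; returning 404 instead would also
// hide whether the ID exists at all.
function getProjectFixed(req) {
  const project = projects.get(req.params.project_id);
  if (!project) return { status: 404, body: { error: "not found" } };
  if (project.orgId !== req.user.orgId) return { status: 403, body: { error: "forbidden" } };
  return { status: 200, body: project };
}

// Retest helper: walk a range of sequential IDs as one user and collect any
// project returned that belongs to a different organisation.
function crossTenantHits(handler, user, from, to) {
  const hits = [];
  for (let n = from; n <= to; n++) {
    const res = handler({ params: { project_id: `proj_${n}` }, user });
    if (res.status === 200 && res.body.orgId !== user.orgId) hits.push(`proj_${n}`);
  }
  return hits;
}

// Retest helper: tally HTTP status codes over the same range.
function statusCounts(handler, user, from, to) {
  const counts = {};
  for (let n = from; n <= to; n++) {
    const { status } = handler({ params: { project_id: `proj_${n}` }, user });
    counts[status] = (counts[status] || 0) + 1;
  }
  return counts;
}
```

A retest in the style of the Outcomes section is `crossTenantHits(getProjectFixed, { id: "u1", orgId: "org_A" }, 8821, 8823)`, which returns an empty list, while the same call against getProjectVulnerable returns ["proj_8823"]. The ownership check is best placed in the data-access layer rather than in one route handler, so that every project query (list, update, delete, attachments) inherits it.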

High: Stored XSS in Project Comment Field

Finding: The project comment field accepted HTML content and rendered it in the admin review interface without sanitisation. Any user who could post a comment could inject JavaScript that executed in an admin’s browser session.

Impact: An attacker could steal admin session cookies, escalate to admin access, and access all data in the admin panel.

Fix: Output encoding applied to all comment rendering using DOMPurify on the frontend, with server-side input validation rejecting comment bodies containing HTML tags.
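The server-side half of that fix, as an added example that is not the client's code: a comment validator that rejects bodies containing HTML tags, plus HTML entity encoding for any place a comment is rendered as text. DOMPurify, which the client used in the browser, is not reproduced here; the tag regex, size limit, handler shapes and sample comments are assumptions.

```javascript
// Added example, not the client's code. Server-side validation on write,
// entity encoding on read. Regex, limits and request shape are assumptions.

// Matches an opening or closing tag, a comment (<!--) or a processing instruction (<?).
// Plain comparisons such as "3 < 5" do not match because no tag name follows the "<".
// The pattern errs on the side of rejecting, which is the behaviour the fix above chose.
const HTML_TAG = /<\/?[a-z!?][^>]*>/i;

function validateComment(body) {
  if (typeof body !== "string") return { ok: false, reason: "body must be a string" };
  if (body.length === 0 || body.length > 5000) return { ok: false, reason: "length" };
  if (HTML_TAG.test(body)) return { ok: false, reason: "html not allowed" };
  return { ok: true };
}

// Encode the five characters that change meaning in HTML text and attribute contexts.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// In-memory comment store (constructed) standing in for the database.
const comments = [];

// Write path: reject before persisting.
function postComment(req) {
  const v = validateComment(req.body.text);
  if (!v.ok) return { status: 400, body: { error: v.reason } };
  comments.push({ author: req.user.id, text: req.body.text });
  return { status: 201, body: { id: comments.length - 1 } };
}

// Read path (what the admin review interface would render): encode every field
// that came from a user, even though the write path already rejected tags.
function renderComments() {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join("");
}
```

Input rejection is defence in depth; the encoding on the read path is what actually prevents script execution, and it must be applied in every view that shows the comment, not only the one where the finding was reproduced. Comments already stored before the fix need the same treatment on output.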

High: S3 Bucket with Public Write Access

Finding: During the AWS assessment, one S3 bucket (company-assets-uploads) had a misconfigured bucket policy allowing public write access. The bucket was used for storing user-uploaded project attachments.

Impact: Any internet user could upload arbitrary content to the client’s S3 bucket — enabling hosting of malicious content under the client’s domain, storage exhaustion attacks, and bypassing the application’s virus scanning for user uploads.

Fix: Bucket policy updated to restrict uploads to authenticated AWS users only, with pre-signed URL uploads enforced at the application level.
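A small policy check for this class of misconfiguration, as an added example that is not the client's code or any AWS tooling: it walks a bucket policy and flags Allow statements that grant write actions to an anonymous principal. The weak policy reproduces the shape of the finding on the bucket named above; the corrected policy's account ID and role ARN are placeholders, and restricting writes to the application's own role (which then hands browsers pre-signed PUT URLs) is an assumed reading of the fix.

```javascript
// Added example, not the client's code or AWS tooling. Bucket name from the case
// study; account ID and role ARN are placeholders.

const WRITE_ACTIONS = ["s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"];

// Policy fields may be a single value or an array; normalise to an array.
function asList(v) {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Principal "*" and { "AWS": "*" } both mean "anyone, including unauthenticated".
function principalIsAnonymous(p) {
  if (p === "*") return true;
  if (p && typeof p === "object") return asList(p.AWS).includes("*");
  return false;
}

function findPublicWriteStatements(policy) {
  const hits = [];
  for (const s of asList(policy.Statement)) {
    if (s.Effect !== "Allow") continue;
    if (!principalIsAnonymous(s.Principal)) continue;
    const actions = asList(s.Action).map((a) => a.toLowerCase());
    const writes = actions.filter((a) => WRITE_ACTIONS.includes(a));
    if (writes.length === 0) continue;
    // A Condition block may narrow the grant; report it so a reviewer reads it
    // instead of the check silently trusting it.
    hits.push({ sid: s.Sid || "(no Sid)", actions: writes, conditioned: s.Condition !== undefined });
  }
  return hits;
}

// Weak policy in the shape of the finding: anyone on the internet may write objects.
const weakPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "PublicUploads",
    Effect: "Allow",
    Principal: "*",
    Action: ["s3:PutObject", "s3:GetObject"],
    Resource: "arn:aws:s3:::company-assets-uploads/*",
  }],
};

// Corrected policy (assumed shape): only the application's role may write, and the
// application issues short-lived pre-signed URLs for browser uploads.
const fixedPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "AppRoleUploads",
    Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::111111111111:role/app-upload-role" }, // placeholder ARN
    Action: ["s3:PutObject", "s3:GetObject"],
    Resource: "arn:aws:s3:::company-assets-uploads/*",
  }],
};
```

Running `findPublicWriteStatements(weakPolicy)` returns one hit for PublicUploads with the s3:putobject action; the corrected policy returns none. The check covers bucket policies only; bucket ACLs and the account-level Block Public Access settings need their own review, and the "AuthenticatedUsers" ACL grantee should be treated as public since it covers every AWS account holder, not just the client's own accounts.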

High: Unauthenticated API Endpoint Exposing User Enumeration

Finding: The /api/v1/users/check-email endpoint — designed to check email address availability during signup — returned different responses for registered vs. unregistered email addresses. No rate limiting was applied.

Impact: An attacker could enumerate all registered email addresses by systematically checking addresses, enabling targeted phishing attacks against the company’s 180+ enterprise client organisations.

Fix: Response normalised to a consistent format regardless of registration status. Rate limiting applied at 10 requests per minute per IP.
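Both halves of that fix, as an added example that is not the client's code: a check-email handler whose HTTP response is identical whether or not the address is registered, placed behind a fixed-window limiter of 10 requests per minute per IP. The registered-address set, the response wording, the 202/400 status choice and the limiter implementation are assumptions; the vulnerable handler is included only to show the contrast.

```javascript
// Added example, not the client's code. Sample addresses, response wording and the
// limiter design are assumptions; the 10 requests/minute/IP figure is from the fix above.

const registered = new Set(["alice@example.com"]); // constructed sample data

// Fixed-window limiter keyed by client IP. `now` is injected so it can be tested offline.
function makeRateLimiter(limit, windowMs) {
  const buckets = new Map();
  return function allow(ip, now) {
    const b = buckets.get(ip);
    if (!b || now - b.start >= windowMs) {
      buckets.set(ip, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}
const allowRequest = makeRateLimiter(10, 60_000);

function isPlausibleEmail(s) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);
}

// Vulnerable handler (the finding): status and body differ by registration state,
// so each request is one bit of oracle output.
function checkEmailVulnerable(req) {
  const email = req.body.email.trim().toLowerCase();
  if (registered.has(email)) return { status: 409, body: { available: false } };
  return { status: 200, body: { available: true } };
}

// Fixed handler: the response depends only on the request being well formed and within
// the rate limit. Whether the address exists decides which email gets sent (welcome
// versus "you already have an account"), never what comes back over HTTP.
function checkEmailFixed(req, now = Date.now()) {
  if (!allowRequest(req.ip, now)) return { status: 429, body: { error: "too many requests" } };
  const email = req.body.email.trim().toLowerCase();
  if (!isPlausibleEmail(email)) return { status: 400, body: { error: "invalid email" } };
  // Side effect (queueing the appropriate email) would branch on registered.has(email) here.
  return {
    status: 202,
    body: { message: "If this address is eligible, a confirmation email will be sent." },
  };
}
```

Beyond matching status codes and bodies, the two branches should take about the same time; a registered address that triggers a database write or a mail send can still leak through response latency unless that work is queued off the request path. The same normalisation applies to the login and password-reset endpoints, the latter of which appears in the low findings above for missing rate limiting.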

Medium Findings (6 identified)

  • Missing security headers (CSP, HSTS, X-Frame-Options)
  • JWT tokens with 30-day expiry (excessive lifetime)
  • Admin panel accessible without MFA
  • Dependency with known CVE in the npm dependency tree (lodash 4.17.20)
  • EC2 instances with IMDSv1 enabled
  • CloudTrail not enabled in the us-west-2 region (partial coverage)

Low/Informational Findings (4 identified)

  • Verbose error messages in API responses revealing internal stack details
  • API versioning inconsistency (some v1 endpoints, some unversioned)
  • Missing rate limiting on password reset endpoint
  • Non-expiring API keys for integration clients

Outcomes

All 14 findings were remediated within 5 weeks of the report delivery. CyberneticsPlus conducted a retest to validate fixes:

  • Critical IDOR: Confirmed resolved — tested with 50 cross-tenant access attempts, all returned 403
  • High findings: All confirmed resolved
  • Medium findings: All resolved
  • Low findings: 3 of 4 resolved; 1 API key expiry policy deferred pending client migration (risk accepted with 90-day timeline)

The company proceeded to their SOC 2 Type II audit 8 weeks after the penetration test. The auditors reviewed the pentest report and remediation evidence. The audit was completed successfully with no security findings raised.

The company now conducts annual penetration tests and has implemented a quarterly internal security review process.
