Penetration Test Report
Sample technical report from a network and web application penetration test, including a full attack chain narrative.
Penetration Test Report
Prepared for: Sample Client Environment
Illustrative data for demonstration purposes only
Scope
- • External network penetration test
- • Primary customer-facing web application
- • Grey-box testing with limited credentials
Executive Summary
Testing identified a critical attack chain allowing an unauthenticated external attacker to achieve full administrative access to the customer database. The chain began with an IDOR vulnerability in the customer portal, escalated through a misconfigured internal API, and ultimately exposed database credentials stored in an unprotected configuration endpoint. This path should be treated as an active business risk requiring immediate remediation.
1
Critical Findings
3
High Findings
4 hrs
Time to Initial Foothold
1.5 days
Time to Full Compromise
Findings
| Finding | Severity | Asset |
|---|---|---|
| IDOR in customer portal exposing other tenants' order data Implement object-level authorization checks server-side for every tenant-scoped resource. | Critical | portal.client.com/api/orders/{id} |
| Internal API accepts unauthenticated requests from portal network segment Require service-to-service authentication (mTLS or signed tokens) regardless of network origin. | High | internal-api.client.local |
| Database credentials exposed via unauthenticated debug endpoint Remove debug endpoints from production builds; rotate exposed credentials immediately. | High | internal-api.client.local/debug/config |
| Session tokens do not expire after password reset Invalidate all active sessions on password reset or credential change. | High | portal.client.com |
| Verbose error messages reveal internal stack traces Implement generic error responses in production; log details server-side only. | Medium | portal.client.com |
Recommendations
- Treat the IDOR-to-database-compromise chain as a critical incident requiring immediate remediation and credential rotation.
- Implement authorization checks at the object level across all multi-tenant API endpoints, not just at the route level.
- Schedule a re-test within 30 days to validate remediation of the full attack chain.
Want the full report for your environment?
This page shows illustrative sample data. Request a scoped engagement and we'll deliver the real thing for your organization.
Request This Report