Finance SaaS (anon)

Anonymised finance platform: Black-box pentest closed critical API gaps

40 hours, nine actionable findings and a clear remediation roadmap for product, compliance and sales.

  • Time to test: 40h
  • Actionable findings: 9
  • Stored XSS: 4
  • Testers: 2

  • Industry: Financial services (SaaS)
  • Scope: Web front-end & .NET API
  • Engagement: Black-box pentest
  • Deliverables: Report, prioritisation, remediation workshop

Engagement Overview

An independent financial planning platform (client anonymised) engaged us for a compact yet deep black-box pentest. The mandate: deliver clear visibility into critical risks within 40 hours and provide practical guidance for product, compliance and sales.

40 hours of testing

Two testers split their time across the API, front-end flows and high-risk business logic.

API-heavy scope

AngularJS front-end, .NET back-end - access control and tenant isolation fully enforced via API.

Deliverables

Technical report, executive summary, proof-of-concepts and a remediation workshop.

Rapid follow-up

The product team prioritised together with us and fixed the first items while testing was still ongoing.

Why anonymised?

All client details were removed or generalised. Findings, numbers and vulnerability categories reflect the real engagement.

Starting Point & Objectives

The platform processes highly sensitive personal and financial data. After an earlier assurance exercise, this engagement drilled into the application layer: authorisation, tenant boundaries and API workflows.

  • Black-box view: Only test accounts in a stage environment were provided.
  • Decision-ready output: Management demanded numbers, examples and a clear prioritisation.
  • Sales & audit support: Documentation needed to satisfy regulatory expectations in the financial sector.
  • Learning for engineering: Show how attackers bypass front-end validation in practice.

One constraint: e-mail integration was not yet connected. Provisioning took longer and an important attack surface remains to be tested - a topic captured in the wrap-up workshop.

Engagement Setup

Environment

Stage tenant on a dedicated sub-domain, version 1.58.x, demo data and the current API definition.

Tooling

Burp Suite (Proxy, Intruder, Bounty Pro, Param Miner), ffuf for endpoint discovery, custom wordlists.

Roles & permissions

Separate accounts for advisers and head office users enabled realistic privilege chains.

Collaboration

Daily syncs with product and engineering, live demos of critical findings for instant prioritisation.

Testing Strategy

To maximise value within 40 hours we structured the pentest into three workstreams:

1. Map the attack surface

Enumerated API routes, mapped tenant logic, highlighted privileged workflows and risky data flows.

2. Manual exploitation

Manual tests for IDOR/BOLA, stored XSS, CSRF and privilege abuse - combining front-end manipulation with direct API calls.

3. Reporting & workshop

Detailed findings with PoCs, CVSS, business impact plus a playbook for remediation and communication.

The key was to pair business logic understanding with targeted fuzzing to stress server-side validation and authorisation.

Results at a Glance

We identified nine actionable vulnerabilities. Four of them were stored XSS issues allowing attackers to execute script in other users’ browsers. We additionally discovered horizontal privilege escalation paths and missing safeguards around system-wide settings.

  • 1 Critical (IDOR)
  • 4 High (stored XSS)
  • 2 Medium (CSRF, hash exposure)
  • 2 Privilege abuse

From insight to action

The closing workshop delivered a prioritised roadmap: enforce server-side validation, add CSRF protection, sanitise user input and harden role management.

Technical Highlights

IDOR on user objects

Manipulating the person ID in /api/User exposed other customers’ contact data - a direct privacy violation.

Multiple stored XSS vectors

User management, invitations and property modules accepted HTML/script payloads despite client-side validation.

CSRF without tokens

State-changing GET endpoints reset calculation parameters and could be abused via basic HTML forms.

Privilege escalation through flags

Setting flags such as IsGlobalFile or IsRegistered changed behaviour (undeletable files, watermark-free PDFs).

Password hash leakage

The API returned password hashes. Combined with stored XSS this enables exfiltration and offline cracking.
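As an added illustration (not the client's code), the three API findings above, IDOR on /api/User, client-settable flags and password hashes in responses, are closed in an ASP.NET Core controller by scoping lookups to the caller's tenant, binding requests to a model without privileged fields, and returning an explicit DTO. It assumes an EF Core AppDbContext with a Users DbSet whose entity has Id, TenantId, DisplayName, Email and PasswordHash, and a tenant_id claim on the authenticated user; only the /api/User route comes from the page.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Response shape: an explicit projection, so PasswordHash and internal flags
// never leave the server even if columns are added to the entity later.
public record UserDto(int Id, string DisplayName, string Email);
// Request shape: no IsRegistered/IsGlobalFile here, so a client that posts them
// binds nothing (no mass assignment). Validation is enforced server-side;
// [ApiController] turns a failed model state into an automatic 400.
public record UpdateUserRequest([property: Required, StringLength(100)] string DisplayName, [property: Required, EmailAddress] string Email);

[ApiController, Route("api/[controller]"), Authorize]   // hypothetical controller, serves /api/User
public class UserController : ControllerBase
{
    private readonly AppDbContext _db;                   // assumed EF Core context
    public UserController(AppDbContext db) => _db = db;
    // The tenant is taken from the authenticated identity, never from the request.
    private string? CurrentTenantId() => User.FindFirstValue("tenant_id");

    [HttpGet("{id:int}")]
    public async Task<ActionResult<UserDto>> Get(int id)
    {
        var tenant = CurrentTenantId();
        // Scoping to the caller's tenant closes the IDOR: a manipulated person ID
        // belonging to another tenant yields 404, not their contact data.
        var dto = await _db.Users
            .Where(u => u.Id == id && u.TenantId == tenant)
            .Select(u => new UserDto(u.Id, u.DisplayName, u.Email))
            .SingleOrDefaultAsync();
        if (dto is null) return NotFound();
        return dto;
    }

    [HttpPut("{id:int}")]
    public async Task<IActionResult> Update(int id, UpdateUserRequest req)
    {
        var tenant = CurrentTenantId();
        var user = await _db.Users.SingleOrDefaultAsync(u => u.Id == id && u.TenantId == tenant);
        if (user is null) return NotFound();
        user.DisplayName = req.DisplayName;              // only whitelisted fields are copied
        user.Email = req.Email;                          // privileged flags stay server-controlled
        await _db.SaveChangesAsync();
        return NoContent();
    }
}
```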

Manual testing required

All major issues stemmed from logic flaws and missing server-side controls. Automated scanners struggle here - human-driven testing along real user journeys is essential.

Timeline & Collaboration

Days 1-2: Kick-off & Recon

Scope alignment, account provisioning, API mapping and first proof-of-concepts.

Days 3-7: Manual exploitation

Stored XSS exploitation, IDOR testing, privilege flag manipulation, CSRF prototypes.

Days 8-9: Reporting

Detailed write-ups, CVSS scoring, risk narratives and mitigation guidance.

Day 10: Workshop

Live walk-through, prioritisation session and definition of quick wins.

Business Impact

Sharper risk picture

Hard numbers, attack scenarios and priorities for leadership, product and sales teams.

Trust enabler

Executive-ready summary to support enterprise deals and regulatory reviews.

Process maturity

Server-side validation, CSRF protection and API hardening embedded into the SDLC.

Team enablement

Developers gained tangible insights into attacker techniques and now prevent similar bugs proactively.

“We trusted our front-end validation. The pentest showed how quickly attackers can bypass it. The report and live demos were a wake-up call for the entire team.”

Product Lead (anonymised), Financial SaaS provider

Recommendations & Next Steps

The pentest underlined how modern SaaS platforms depend on strict server-side validation, hardened authorisation and close control over privileged features.

Key recommendations

  • Backend first: Treat client-side validation as optional UI support; enforce validation and output encoding on the server.
  • CSRF strategy: Implement protection, especially for state-changing GET requests.
  • Role hardening: Restrict user flags to server-controlled flows and trim API responses to essential attributes.
  • Test e-mail workflows: Password reset, MFA and invitation flows need dedicated security testing.
  • Repeat pentests: Re-evaluate after major releases and retest critical findings.
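An added example (not code from the engagement) of the "CSRF strategy" recommendation for an AngularJS front-end on ASP.NET Core: the parameter-reset endpoint the page describes as a state-changing GET becomes a POST guarded by the framework's antiforgery filter, with the request token handed to the SPA in the XSRF-TOKEN cookie that AngularJS's $http echoes back as the X-XSRF-TOKEN header. The /api/calculation route, the CalculationParameters record and cookie-based sessions are assumptions.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// Cookie sessions are what a cross-site form rides on, hence the antiforgery pairing (assumed setup).
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
// AngularJS $http copies the XSRF-TOKEN cookie value into this header on every request.
builder.Services.AddAntiforgery(o => o.HeaderName = "X-XSRF-TOKEN");
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hands the SPA its request token in a JS-readable cookie; the paired
// validation cookie is set HttpOnly by GetAndStoreTokens.
app.MapGet("/api/antiforgery/token", (IAntiforgery af, HttpContext ctx) =>
{
    var tokens = af.GetAndStoreTokens(ctx);
    ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken!,
        new CookieOptions { HttpOnly = false, Secure = true, SameSite = SameSiteMode.Strict });
    return Results.NoContent();
}).RequireAuthorization();
app.MapControllers();
app.Run();

public record CalculationParameters(decimal InterestRate, int HorizonYears);   // hypothetical model

[ApiController, Route("api/calculation"), Authorize]                          // hypothetical route
public class CalculationController : ControllerBase
{
    // In-memory per-user store standing in for the real persistence layer.
    private static readonly ConcurrentDictionary<string, CalculationParameters> Store = new();

    // Before: a GET that any cross-site <img> or form could fire with the victim's
    // session cookie. After: POST plus token validation, so a request without the
    // matching header/cookie pair is rejected with 400 before the action runs.
    [HttpPost("reset")]
    [ValidateAntiForgeryToken]
    public ActionResult<CalculationParameters> Reset()
    {
        var userId = User.FindFirstValue(ClaimTypes.NameIdentifier) ?? "anonymous";
        Store[userId] = new CalculationParameters(0.03m, 30);   // constructed defaults
        return Store[userId];
    }
}
```
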

Need similar assurance?

We combine focused pentests with actionable workshops and help teams close gaps fast. Talk to us about your scope.


Contact DSecured