RPA Security

RPA Platform: Penetration Test Uncovers Critical Vulnerabilities in Multi-Tenancy Environment

A German intelligent-process-automation company commissioned us to perform a comprehensive 64-hour penetration test of its cloud-based RPA platform. This second test, one year after the first, showed significant improvements but uncovered 13 new vulnerabilities - including a critical Local File Inclusion and missing authorization checks.

  • Testing time: 64 hours
  • Vulnerabilities found: 13
  • Critical findings: 2
  • Fixed after retest: 100%
  • Industry: Robotic Process Automation (RPA)
  • Service: Full penetration test (64 hours)
  • Technology: .NET backend + Angular frontend
  • Testing methodology: Black box + grey box

Project Overview

A leading company in Robotic Process Automation commissioned us for the second comprehensive penetration test of its cloud platform. The first test had taken place about a year earlier - enough time for significant development work and new features.

  • 2 Critical
  • 3 High
  • 5 Medium
  • 3 Low

Objectives & Scope

The RPA platform enables companies to automate complex business processes via a central web interface. Because it is a multi-tenant system serving many customers on shared infrastructure, the security of the data separation between tenants was the main focus.

  • Black-Box Test: No source code access, realistic attacker perspective
  • Multi-Tenancy Focus: Verify that no user can access another tenant's data
  • API Security: REST endpoints and public API functions
  • Authorization: Role-based access control across 12 test users

Result

Compared to the first test, the system was significantly more difficult to attack - a clear sign of successful security improvements. Nevertheless, new features and extended functionality introduced additional vulnerabilities that were quickly fixed.

Context & Challenges

The cloud-based RPA platform automates business processes for companies worldwide. As a SaaS solution with multi-tenancy architecture, security and data separation are business-critical.

Technical Stack & Architecture

  • Backend: .NET-based REST API with various endpoints
  • Frontend: Angular Single-Page-Application
  • Authentication: Token-based (Bearer Authentication)
  • Multi-Tenancy: Shared database with logical tenant separation

Special Challenges

The platform does not give each tenant an isolated environment; tenants share the infrastructure and the database, with separation enforced only logically. This shared architecture increases the risk of data leaks between tenants and requires particularly robust authorization checks on every data access.

Second Pentest After One Year

The first test had uncovered various vulnerabilities. The recommendations were implemented, leading to a significantly more secure system. However, new features brought new attack vectors.

Test Setup & Methodology

With 64 hours of testing time and two experienced penetration testers, a comprehensive black-box test was performed from an external attacker's perspective.

Black-Box Approach

No source code access - only the documentation, the Swagger API definition, and test credentials, for a realistic attacker perspective.

Role-based Testing

12 test users with different roles and permissions, spread across separate tenants, were used for comprehensive authorization testing.

Tools & Techniques

Burp Suite with AuthMatrix plugin for automated authorization testing. Manual analysis of all API endpoints.

Close Collaboration

Direct contact with the engineering team via Slack for quick clarification of technical questions during testing.

Focus Area

The main focus was on multi-tenancy security: Can a user from tenant A access data from tenant B? Additionally, the classic OWASP Top 10 vulnerability classes were tested.

Significant Improvements Visible

The number of low and medium severity vulnerabilities decreased significantly compared to the first test. The team had taken the recommendations seriously.

Results at a Glance

We documented 13 actionable vulnerabilities in total. Compared to the first test, the total number decreased significantly, but new features also introduced new critical vulnerabilities.

  • 2 Critical (LFI & SSRF)
  • 3 High (Auth-Bypass & Path Traversal)
  • 5 Medium (Clickjacking & Privilege Escalation)
  • 3 Low (Information Disclosure)

Fast Implementation

The engineering team showed high responsiveness. Critical findings were prioritized and fixed within two weeks. A retest confirmed successful implementation.

Technical Highlights

The most sensitive vulnerabilities concerned data access and tenant separation - core risks for multi-tenant SaaS platforms.

Local File Inclusion & SSRF

Publicly accessible API endpoints allowed reading local server files and issuing requests to internal systems - fixed through strict input validation.

Missing Authorization

Multiple endpoints did not properly check user roles. Users without the required permissions could execute sensitive functions - centralized authorization checks were implemented.

Path Traversal in Upload

The file upload function was vulnerable to directory traversal, and its filter could be bypassed. Files could be written into other tenants' directories.

IDOR in File Operations

Manipulating user IDs in requests enabled access to files of other tenants - server-side ownership validation was added.
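As an added illustration of the "Path Traversal in Upload" and "IDOR in File Operations" findings (example code written for this page, not the platform's own): the vulnerable pattern trusts a request-supplied tenant id and strips traversal sequences in a single pass, while the hardened version takes the tenant from the authenticated token, whitelists both path segments and verifies the canonical path. StorageRoot and the tenant/file names are constructed assumptions.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Assumed layout (constructed for this example): every tenant owns one directory
// under StorageRoot, and the tenant id is taken from the validated bearer token.
public static class TenantUploadPaths
{
    public const string StorageRoot = "/srv/rpa-uploads";

    // Vulnerable pattern, as described in the findings: the tenant id and file name
    // both come from the request, and a single-pass replace is the only "filter".
    public static string VulnerableTarget(string requestedTenantId, string fileName)
    {
        string filtered = fileName.Replace("../", "");   // one pass: "....//" survives as "../"
        return Path.Combine(StorageRoot, requestedTenantId, filtered);
    }

    // Hardened version: whitelist both segments, reject instead of sanitizing, then
    // canonicalize the result and prove it is still under the caller's own tenant root.
    private static readonly Regex SafeSegment = new(@"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$");

    public static string? ResolveTarget(string authenticatedTenantId, string fileName)
    {
        if (!SafeSegment.IsMatch(authenticatedTenantId) || !SafeSegment.IsMatch(fileName))
            return null;   // a leading '.' or any path separator cannot pass the whitelist

        string tenantRoot = Path.GetFullPath(Path.Combine(StorageRoot, authenticatedTenantId));
        string candidate  = Path.GetFullPath(Path.Combine(tenantRoot, fileName));

        // Defense in depth: even if the whitelist is relaxed later, the canonical path
        // must stay inside this tenant's root (trailing separator stops "tenant-a2").
        string rootPrefix = tenantRoot.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        return candidate.StartsWith(rootPrefix, StringComparison.Ordinal) ? candidate : null;
    }

    public static void Main()
    {
        // Request-controlled tenant plus a nested traversal: resolves into tenant-b's directory.
        Console.WriteLine(VulnerableTarget("tenant-a", "....//tenant-b/report.pdf"));
        // Hardened: a plain name is accepted inside tenant-a, traversal is rejected.
        Console.WriteLine(ResolveTarget("tenant-a", "report.pdf"));
        Console.WriteLine(ResolveTarget("tenant-a", "../tenant-b/report.pdf") ?? "rejected");
    }
}
```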

Clickjacking Vulnerability

Missing X-Frame-Options headers allowed UI redressing attacks - frame protection and CSP implemented.

Hidden Admin Role

Privilege escalation was possible via a hidden admin role that could still be assigned - the role was removed and the permission system revised.

Worst-Case Scenario

By combining the path traversal with the file upload, a shell could theoretically have been placed in the webroot. The testers could not find a path that was reachable via the browser, but the risk was still classified as critical.

Business Impact & Value

The penetration test provided clear recommendations and prevented potential security incidents in the production environment of a business-critical SaaS platform.

Direct Value

  • Validation of Security Improvements: Confirmation that measures from the first test were successfully implemented
  • Risk Minimization Before Critical Features: New features could be rolled out securely
  • Prioritized Roadmap: Clear classification of all findings for efficient remediation
  • Continuous Improvement: Insights flowed into development processes

Prevented Risks

Without the test, the following scenarios would have been possible:

Data Leak Between Tenants

IDOR vulnerabilities would have enabled access to process automations and business data of other customers.

Server Compromise

The Local File Inclusion would have enabled access to configuration files, secrets, and potentially customer data on the server.

Internal Network Reconnaissance

The SSRF vulnerability would have enabled scanning of internal systems and access to cloud metadata APIs.

Loss of Trust

Security incidents in an RPA platform would have meant massive reputation damage and customer churn.

Measurable Improvement

The number of critical and high-severity vulnerabilities was significantly reduced between the first and second test. The team demonstrated strong security culture.

Lessons Learned & Next Steps

The second penetration test confirmed that continuous security testing is essential for rapidly growing SaaS platforms - especially for multi-tenancy architectures.

Recommendations for the Roadmap

  • Centralized Authorization: Unified auth checks across all API endpoints instead of scattered implementations
  • Input Validation as Standard: Whitelist-based validation for all user inputs, especially for file operations
  • Regular Pentests: For multi-tenant systems without complete isolation, quarterly tests should be standard
  • Security Awareness in Dev Team: Code reviews with security focus and training on OWASP Top 10 and API security
  • Monitoring & Detection: Anomaly detection for suspicious API access across tenant boundaries
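As an added illustration of the "Centralized Authorization" recommendation (example code written for this page, not the platform's own), in the ASP.NET Core minimal-API style matching the .NET backend described: one endpoint filter on the route group enforces tenant ownership for every file route, and role requirements are declared on the route instead of hand-written in each handler. TenantOwnershipFilter, IFileRepository, the "tenant_id" claim and the "TenantAdmin" policy are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Assumed (illustrative, not the platform's code): the bearer token carries a
// "tenant_id" claim, and IFileRepository is a hypothetical lookup for file metadata.
public record FileRecord(string Id, string TenantId, string Name);
public interface IFileRepository { Task<FileRecord?> FindAsync(string id); }

// One filter registered on the route group: every handler under /api/files gets the
// tenant-ownership check, whether or not the handler's author remembered it.
public sealed class TenantOwnershipFilter : IEndpointFilter
{
    private readonly IFileRepository _files;
    public TenantOwnershipFilter(IFileRepository files) => _files = files;   // resolved via DI

    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext ctx, EndpointFilterDelegate next)
    {
        var http = ctx.HttpContext;
        string? callerTenant = http.User.FindFirst("tenant_id")?.Value;
        if (callerTenant is null) return Results.Unauthorized();

        // Any route addressing a file by id must prove the file belongs to the caller's tenant.
        if (http.Request.RouteValues.TryGetValue("fileId", out var raw) && raw is string fileId)
        {
            var file = await _files.FindAsync(fileId);
            // Same 404 for "missing" and "other tenant", so foreign ids are not enumerable.
            if (file is null || file.TenantId != callerTenant) return Results.NotFound();
            http.Items["file"] = file;   // handlers consume the already-validated record
        }
        return await next(ctx);
    }
}

public static class FileEndpoints
{
    public static void Map(WebApplication app)
    {
        var files = app.MapGroup("/api/files")
                       .RequireAuthorization()                       // authenticated callers only
                       .AddEndpointFilter<TenantOwnershipFilter>();  // ownership check on all routes

        files.MapGet("/{fileId}", (HttpContext http) => Results.Ok((FileRecord)http.Items["file"]!));

        // Role requirements are declared on the route ("TenantAdmin" policy assumed to be
        // registered at startup), not re-implemented inside each handler.
        files.MapDelete("/{fileId}", (HttpContext http) => Results.NoContent())
             .RequireAuthorization("TenantAdmin");
    }
}
```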

Multi-Tenancy Security in Focus?

We support SaaS companies with regular penetration tests and security audits. Contact us for a no-obligation consultation.

Contact DSecured