
Web Application & API Penetration Test — Sample Report
A representative redacted Macksofy report for a mid-market BFSI client. Structure, severity scoring, MITRE ATT&CK mapping and remediation format mirror what we deliver on real engagements — all client identifiers removed.
1. Executive Summary
Macksofy Technologies executed a black-box and grey-box penetration test of Acme Bank Ltd’s customer-facing web banking portal and supporting REST APIs over 10 working days. The engagement was scoped to validate authentication, session handling, transaction integrity and adjacent infrastructure for the production-equivalent staging environment.
The team identified 23 distinct findings spanning authentication weaknesses, broken object-level authorisation, server-side request forgery, weak crypto on session tokens and several configuration issues on the AWS perimeter. Of these, 4 were rated Critical, 7 High, 9 Medium and 3 Low.
Key risks (board read)
- Account takeover via password-reset flaw — an attacker could compromise any customer account in under five minutes.
- Cross-account fund-transfer access via broken object-level authorisation on the transaction endpoint.
- SSRF in image-import permitted internal AWS metadata-service access; instance role credentials extractable.
- Missing TLS 1.3 enforcement on perimeter ALB allowed legacy cipher fallback.
2. Engagement Scope
| Item | Detail |
|---|---|
| Client | Acme Bank Ltd (anonymised) |
| Engagement window | 10 working days · staging environment |
| Methodology | OWASP Web Testing Guide v4.2 · OWASP API Top 10 2023 · NIST SP 800-115 |
| In-scope assets | 1 × web app (12 user flows) · 1 × REST API (47 endpoints) · 1 × AWS account perimeter |
| Out of scope | Production data · DDoS testing · social engineering of staff |
| Rules of engagement | Black-box → grey-box · authenticated tests after credential supply on day 2 |
| Report format | CERT-In format · executive + detailed annexes |
| Tooling | Burp Suite Pro · custom scripts · Nuclei · Sliver C2 (post-ex only) |
3. Methodology
Macksofy follows a six-phase methodology refined over a decade of BFSI engagements:
- Reconnaissance — passive OSINT, DNS / ASN mapping, JS endpoint discovery.
- Threat modelling — attacker-profile drafting, asset criticality ranking.
- Vulnerability discovery — automated scans (Burp, Nuclei) + manual probing.
- Exploitation — chained vulnerabilities to prove real-world impact.
- Privilege escalation + lateral movement — AWS/identity layer, where in scope.
- Reporting — executive narrative + per-finding technical write-ups + remediation guidance.
4. Findings Register (Top 5)
Top five findings shown for sample purposes. Full report contains all 23 findings with proof-of-concept screenshots and remediation steps.
Authentication bypass via password-reset token re-use
POST /api/v2/auth/reset-confirm with token=<old-token>&new_password=<x> returned HTTP 200 — login succeeded with the new credentials on a subsequent /login.
Broken object-level authorisation on transaction history
Requesting /api/v2/customers/4012/transactions while authenticated as customer 4011 returned customer 4012's full transaction history.
Server-side request forgery via avatar-import
POST {url: 'http://169.254.169.254/latest/meta-data/iam/security-credentials/banking-app-role'} returned the AccessKey + SessionToken of the instance role.
Weak session-token entropy
Generated 50 million candidate tokens for a one-hour window; 412 collided with active sessions during a controlled test.
Missing rate limiting on login endpoint
5,000 login attempts in 60 seconds against test-user@acme all returned within 200ms; no lockout triggered.
5. MITRE ATT&CK Mapping
| Technique | Tactic | Observed |
|---|---|---|
| T1190 — Exploit Public-Facing Application | Initial Access | SSRF via image-import endpoint |
| T1078 — Valid Accounts | Initial Access | Password-reset bypass led to account takeover |
| T1552.005 — Cloud Instance Metadata API | Credential Access | AWS IMDSv1 reachable from SSRF |
| T1110.001 — Password Guessing | Credential Access | No rate-limit on login endpoint |
| T1213 — Data from Information Repositories | Collection | BOLA on transactions returned cross-customer data |
| T1071.001 — Application Layer Protocol | Command & Control | Outbound webhook abuse simulated |
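The three authentication-layer findings mapped above (password-reset token re-use, weak session-token entropy and the unthrottled login endpoint) share one remediation pattern: single-use expiring tokens, CSPRNG-backed identifiers and a per-key lockout. The block below is an added illustration written for this sample, not code from Macksofy or from the assessed application; the class and function names, the 15-minute reset TTL and the 5-failures-per-60-seconds lockout policy are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

RESET_TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes
SESSION_TOKEN_BYTES = 32           # 256 bits of CSPRNG output per session token


class ResetTokenStore:
    """Single-use, expiring password-reset tokens.

    Only a SHA-256 digest of each token is kept server-side, so a database read
    cannot replay tokens, and consume() removes the entry on first use, so a
    token that has already reset a password cannot be submitted a second time.
    """

    def __init__(self):
        self._pending = {}  # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(raw_token):
        return hashlib.sha256(raw_token.encode("ascii")).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        raw_token = secrets.token_urlsafe(32)
        self._pending[self._digest(raw_token)] = (user_id, now + RESET_TOKEN_TTL_SECONDS)
        return raw_token  # delivered to the user out of band; never stored in clear

    def consume(self, raw_token, now=None):
        """Return the user_id the token was issued for, or None if unknown, expired or already used."""
        now = time.time() if now is None else now
        # pop() makes check-and-invalidate a single step in one process; a shared
        # store (SQL, Redis) needs the equivalent atomic delete-and-return.
        entry = self._pending.pop(self._digest(raw_token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


def new_session_token():
    """Session identifier drawn from the OS CSPRNG: 32 random bytes, base64url-encoded.

    With 2**256 possible values, enumerating candidates for a one-hour window
    (as the engagement did against the weak generator) cannot hit live sessions.
    """
    return secrets.token_urlsafe(SESSION_TOKEN_BYTES)


class LoginRateLimiter:
    """Sliding-window failure counter with temporary lockout per key.

    Call it twice per attempt, keyed by account name and separately by client IP,
    so a spray across many accounts from one address is throttled as well.
    """

    def __init__(self, max_failures=5, window_seconds=60, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, key, now=None):
        now = time.time() if now is None else now
        if self._locked_until.get(key, 0) > now:
            return False
        self._prune(key, now)
        return len(self._failures[key]) < self.max_failures

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key].clear()

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
```

The `now` parameters exist so the expiry and lockout behaviour can be exercised deterministically in tests; production callers leave them unset. A lockout response should be returned with the same status and timing as a wrong-password response so the endpoint does not reveal which accounts exist.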
6. Remediation Roadmap
Recommended remediation priorities, mapped to effort estimates and Macksofy’s suggested target dates assuming standard internal change-management cycles.
| Priority | Workstream | Effort | Target |
|---|---|---|---|
| P0 — Critical | Patch all 4 critical findings | 5–8 dev days | Within 7 days |
| P1 — High | Address authorisation gaps + SSRF guards | 8–12 dev days | Within 21 days |
| P2 — Medium | Hardening: rate-limits, headers, secret rotation | 10–14 dev days | Within 60 days |
| P3 — Low | Documentation + cosmetic fixes | 2–4 dev days | Within 90 days |
| Validation | Macksofy free retest | — | Within 30 days of remediation |
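The P1 workstream (authorisation gaps + SSRF guards) covers the BOLA finding on the transactions endpoint and the avatar-import SSRF that reached the instance metadata service. The following is an added example of those two guards, written for this sample and not taken from Macksofy or the client's code base; the function names, the injected `resolve` hook and the sample hostnames and addresses are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges blocked in addition to what ipaddress flags as private, loopback,
# link-local, multicast, reserved or unspecified. The AWS metadata service
# (169.254.169.254 and fd00:ec2::254) is already caught by those flags.
EXTRA_BLOCKED = [
    ipaddress.ip_network("100.64.0.0/10"),  # shared address space (carrier-grade NAT)
]


def _default_resolve(host):
    """Resolve a hostname to every address it maps to, IPv4 and IPv6."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    return sorted({info[4][0] for info in infos})


def _is_internal(ip):
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def validate_import_url(url, resolve=_default_resolve):
    """Accept only http(s) URLs whose every resolved address is public.

    Returns the vetted address list so the caller can connect to one of those
    addresses directly (pinning the resolution) instead of resolving the host
    a second time, which would reopen the check to DNS rebinding.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) URLs may be imported")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        ips = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        ips = [ipaddress.ip_address(a) for a in resolve(host)]
    for ip in ips:
        if _is_internal(ip):
            raise ValueError(f"destination {ip} is not a public address")
    return [str(ip) for ip in ips]


def customer_transactions(principal_customer_id, requested_customer_id, ledger):
    """Object-level authorisation for /customers/{id}/transactions.

    The owner is taken from the authenticated session, never from the URL alone,
    and a mismatch yields the same result as an unknown customer so the endpoint
    does not confirm which IDs exist.
    """
    if principal_customer_id != requested_customer_id:
        return None
    return ledger.get(requested_customer_id)
```

`validate_import_url` must run in the same code path that performs the fetch, with redirects disabled or re-validated hop by hop, otherwise an external host can 302 the server back to an internal address after the check has passed.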
7. Auditor Statement
This engagement was performed by senior Macksofy consultants under a signed Mutual Non-Disclosure Agreement and Rules of Engagement executed on Day 0. The findings, severity ratings and recommendations contained in this report reflect the consultant team’s honest professional opinion based on testing in the agreed scope and time window.
Macksofy Technologies Pvt Ltd is empanelled by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology, Government of India, to perform information security audits.
