Sanitized Report Sample

SaaS Application & API Security Review

A fictionalized demonstration of THF reporting depth for a multi-tenant SaaS product. Manual testing focused on APIs, access control, tenant isolation and business logic.


This sample is fictionalized and sanitized. It represents the format and level of detail used in THF engagements. It contains no client data.
01 — Executive Summary

Tenant Isolation Requires Immediate Attention

A multi-tenant SaaS platform was reviewed across its web application and REST API. Testing confirmed an authorization weakness allowing a low-privilege user to retrieve a record assigned to another tenant by changing an object identifier.

Authentication operated as expected; however, ownership was not consistently enforced after login. Because exploitation required only a standard account, the issue was assessed as release-blocking.

Overall risk level: Critical
Critical findings: 1
Validated findings: 5
02 — Engagement Scope

Authorized Test Boundaries

Surface         | Coverage                          | Roles              | Status
Web application | Auth, sessions, workflows         | Standard / Admin   | Reviewed
REST API        | Objects, exports, integrations    | Workspace A / Beta | Reviewed
Out of scope    | DoS, social engineering, physical |                    | Excluded
03 — Testing Methodology

Manual Product-Context Testing

01 Scope

Map users, tenants, sensitive objects and trust boundaries.

02 Test

Exercise authentication, authorization and business logic.

03 Validate

Confirm practical impact without unnecessary disruption.

04 Report

Provide reproducible evidence and engineering guidance.

05 Retest

Verify fixes and adjacent authorization controls.

Coverage is informed by OWASP ASVS, OWASP WSTG and the OWASP API Security Top 10, then extended through manual product-context testing.

04 — Risk Summary

Validated Findings

ID      | Finding                                        | Severity | Status
THF-001 | Cross-tenant record access                     | Critical | Open
THF-002 | Privileged export available to standard users  | High     | Open
THF-003 | Excessive customer metadata                    | Medium   | Open
THF-004 | Session remains active after reset             | Medium   | Open
THF-005 | Internal object identifiers exposed            | Low      | Open
05 — Example Finding

THF-001 — Cross-Tenant Record Access

Severity: Critical
Category: BOLA / IDOR
CWE: CWE-639
Endpoint: GET /api/v1/records/{id}
Required access: Standard user

The endpoint verifies that the requester is authenticated but does not confirm that the requested record belongs to the requester’s tenant. A Workspace A user can replace a valid identifier with a Workspace B identifier and receive the record with HTTP 200.

06 — Business Impact

A Core SaaS Security Guarantee Is Broken

  • Cross-tenant disclosure of customer records
  • Contractual and regulatory exposure
  • Potential bulk extraction if identifiers are enumerable
  • Customer confidence and incident-response impact

Attack chain: Authenticated User → Valid Session → Object Reference Manipulation → Missing Ownership Validation → Cross-Workspace Access → Sensitive Data Exposure
07 — Technical Evidence

Observed Authorization Failure

Expected

HTTP/1.1 403 Forbidden
Content-Type: application/json

{ "error": "access_denied" }

Observed

HTTP/1.1 200 OK
Content-Type: application/json

{
  "record_id": "rec_demo_8421",
  "tenant_id": "tenant_beta",
  "customer_name": "[REDACTED]",
  "status": "active"
}

08 — Technical Reproduction

Reproduction Steps

  1. Sign in as the Workspace A standard user.
  2. Capture a valid record request.
  3. Replace the record identifier with the authorized Workspace B test record.
  4. Send the modified request.
  5. Observe HTTP 200 and confirm the token still belongs to Workspace A.
GET /api/v1/records/rec_beta_8421
Authorization: Bearer [REDACTED]

No administrative role was required. Testing was limited to authorized test records; no production customer data was accessed.

09 — Remediation Guidance

Enforce Ownership in the Data-Access Layer

Apply the authenticated tenant context to every server-side object lookup. Do not accept tenant identity from client-controlled input, and deny access by default.

record = records.find_one(
    id=request.record_id,
    tenant_id=authenticated_user.tenant_id,
)
  • Constrain read, update, delete, export and batch operations
  • Centralize authorization policy where practical
  • Add automated cross-tenant regression tests
  • Log repeated object-identifier probing
  • Review adjacent endpoints using the same object model
10 — Retest Process

Closure Requires More Than One Denied Request

THF repeats the original attack, confirms same-tenant workflows remain functional, tests related operations and checks adjacent endpoints using the same authorization model.

Reported → Remediated → Retested → Closed

Possible outcomes: Resolved · Partially resolved · Not resolved · Risk accepted.

11 — Deliverables Included

Engineering-Ready Output

  • Executive summary and validated risk summary
  • Scope, methodology and technical findings
  • Sanitized evidence and reproduction steps
  • Business-impact analysis and remediation guidance
  • Engineering prioritization and optional remediation discussion
  • Retest support and final status update
Next Step

See What a Focused Review Would Find

Share the product area, API, release or workflow you want reviewed. THF will respond with practical scoping questions and a recommended testing approach.


NDA available • Scoped SOW • Secure access coordination • Retesting support