Sanitized Report Sample
Sample Access Control Security Assessment Report

A fictionalized demonstration of THF reporting for SaaS authorization, IDOR/BOLA validation, privilege boundaries, tenant isolation, and business-logic access-control risk.

This sample is fictionalized and sanitized. It represents the format and level of detail used in THF engagements. It contains no client data.

01 — Executive Summary

Tenant Authorization Requires Immediate Attention

A fictionalized multi-tenant SaaS platform was reviewed across customer-record APIs, role-based workflows, export actions, GraphQL resolvers, and administrative permission boundaries.

Testing confirmed multiple broken access-control paths where a standard authenticated user could reach restricted records or privileged actions without the required tenant ownership validation.

CriticalOverall risk level
8Validated findings
ManualTesting approach
02 — Access Control Model Overview

Authorization Model Overview

BoundaryPurposeSecurity FocusStatus
Tenant isolationSeparate customer workspaces and recordsWorkspace ownership validationReviewed
Role enforcementRestrict actions by assigned rolePrivilege escalation and role tamperingReviewed
Object-level accessProtect individual records and exportsIDOR, BOLA, nested object accessReviewed
Administrative workflowsControl restricted actionsServer-side authorization checksReviewed
03 — Assessment Scope

Role and Permission Boundary Review

SurfaceCoverageRolesStatus
Customer Records APIRead, update, export, and nested record accessStandard / Manager / AdminReviewed
Billing recordsInvoices, subscriptions, and workspace billing dataStandard / AdminReviewed
Invite workflowRole assignment and user onboarding actionsMember / AdminReviewed
Out of scopePhysical testing, phishing, DoS, source-code reviewExcluded
04 — Authorization Threat Model

Tenant Isolation Validation

  • Cross-tenant object access through missing ownership validation.
  • Privilege escalation through role or tenant identifier manipulation.
  • Unauthorized exports of restricted records.
  • GraphQL resolver access without object-level authorization.
  • Administrative actions exposed to standard users.
05 — Authorization Decision Flow

Authorization Decision Flow

The access-control review validates whether each protected action reaches a server-side permit or deny decision through tenant, object, role, and business-rule checks.

AuthenticatedTenant MatchObject OwnershipRole AllowedBusiness RulePermit/Deny
06 — Cross-Tenant Access Testing

Cross-Tenant Access Testing

01

Map tenants, roles, objects, and protected workflows.

02

Capture valid requests across normal user journeys.

03

Manipulate object IDs, tenant IDs, role claims, and GraphQL variables.

04

Validate server responses, side effects, and access-control decisions.

05

Document evidence, business impact, remediation, and retest criteria.

06 — Validated Findings

Access Control Risk Summary

IDFindingSeverityStatus
THF-AC-001Cross-Tenant Record AccessCriticalOpen
THF-AC-002Privilege Escalation Through Role ManipulationCriticalOpen
THF-AC-003Missing Ownership Validation on Export EndpointHighOpen
THF-AC-004Insecure Direct Object Reference in Billing RecordsHighOpen
THF-AC-005Admin Action Exposed to Standard UserCriticalOpen
THF-AC-006GraphQL Resolver Missing Object-Level AuthorizationHighOpen
THF-AC-007Invite Workflow Allows Unauthorized Role AssignmentMediumOpen
THF-AC-008Internal Object Identifiers ExposedLowOpen
07 — Example Critical Finding

THF-AC-001 — Cross-Tenant Record Access Through Missing Ownership Validation

Critical

Category: Broken Access Control / BOLA / IDOR

CWE: CWE-639

Affected Component: Customer Records API

Required Access: Standard Authenticated User

Risk: Unauthorized access to another tenant’s records

Finding Summary

The Customer Records API accepted a record identifier from the client and returned the requested object without validating that the authenticated user belonged to the same workspace as the protected record.

08 — Business Impact

Cross-Tenant Exposure Risk

This issue could expose customer records across organization boundaries, allow unauthorized access to restricted business data, damage customer trust, create contractual and compliance exposure, and increase incident response burden if exploited at scale.

09 — Technical Evidence

Illustrative Request and Response Evidence

Expected Behavior

GET /api/v1/customer-records/rec_workspace_b_7429 HTTP/1.1
Host: app.example.invalid
Authorization: Bearer <workspace-a-user-token>
X-Workspace-ID: workspace_a

HTTP/1.1 403 Forbidden
{
  "error": "record_not_accessible"
}

Observed Behavior

GET /api/v1/customer-records/rec_workspace_b_7429 HTTP/1.1
Host: app.example.invalid
Authorization: Bearer <workspace-a-user-token>
X-Workspace-ID: workspace_a

HTTP/1.1 200 OK
{
  "record_id": "rec_workspace_b_7429",
  "workspace": "Workspace B",
  "resource": "Protected Resource"
}
10 — Reproduction Steps

Safe Sanitized Reproduction

  1. Sign in as a standard user in Workspace A.
  2. Capture a valid request for an owned record.
  3. Replace the record identifier with a fictional Workspace B record ID.
  4. Replay the request.
  5. Observe unauthorized access with HTTP 200.
11 — Remediation Guidance

Recommended Fixes

  • Enforce tenant ownership server-side.
  • Validate object ownership on every read, update, and export action.
  • Do not trust client-provided tenant or role identifiers.
  • Centralize authorization checks.
  • Add regression tests for cross-tenant access.
  • Log repeated object-ID probing.
  • Review GraphQL resolvers and nested object access.
  • Apply deny-by-default authorization behavior.
12 — Access Control Best Practices

Access-Control Retest Criteria

  • Authorization is enforced in the server-side data-access layer.
  • Every object lookup validates tenant and ownership before returning data.
  • Role changes and privileged actions require explicit permission checks.
  • GraphQL resolvers enforce object-level authorization for nested resources.
  • Security tests include negative cases across users, tenants, and roles.
13 — Deliverables Included

Engineering-Ready Output

  • Executive summary and validated access-control risk summary
  • Authorization model and testing scope
  • Sanitized evidence and reproduction steps
  • Business-impact analysis
  • Remediation guidance
  • Retesting criteria
Next Step

Validate Your Access Control Before Attackers Do

Share the product area, API, release, or workflow you want reviewed. THF will respond with practical scoping questions and a recommended access-control testing approach.

Request a Security ReviewView Resources