Critical Auth Bypass in Global Payments Platform
A global payments platform needed a full application pentest before a Series B investor security audit.
CVE issued, critical auth bypass patched in 48h, zero breach cost.
Engagement Overview
A Series B fintech company processing $2B+ annually required a full-scope web application penetration test before their institutional investor security audit.
Challenge
The platform had grown rapidly with multiple engineering teams. Legacy API endpoints from an acquisition had never been fully reviewed. The security team suspected inconsistent auth enforcement but lacked the tooling to confirm.
Methodology
- Reconnaissance — passive OSINT, subdomain enumeration, endpoint discovery via JavaScript analysis
- Authentication testing — JWT manipulation, session fixation, IDOR across customer accounts
- Business logic — payment flow manipulation, balance tampering attempts
- Infrastructure — cloud misconfiguration review (AWS S3, IAM policies)
Findings
- Critical: Broken object-level authorization on legacy /v1/API — any authenticated user could access another user's transaction history by iterating account IDs
- High: JWT algorithm confusion vulnerability allowing token forgery
- Medium (×4): Sensitive data in server responses, missing rate limiting on auth endpoints
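The two top findings share a root cause: the legacy endpoint authenticated the caller but never checked that the caller owned the requested account, and the token verifier trusted the algorithm named in the token header. The example below is added here for illustration and is not code from the engagement, the platform, or the testing firm. It reconstructs the vulnerable handler pattern beside a hardened one that enforces object-level ownership, and shows a JWT verifier that pins the algorithm server-side so `alg: none` and HS256/RS256 confusion are rejected. All names, the sample accounts, and the signing key are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data for the demo; not taken from the engagement.
ACCOUNTS = {
    "acct-1001": {"owner": "user-a", "transactions": [{"id": "t1", "amount": 25.00}]},
    "acct-1002": {"owner": "user-b", "transactions": [{"id": "t2", "amount": 900.00}]},
}
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


class AuthError(Exception):
    """Raised when a request fails authentication or authorization."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(user_id: str, key: bytes, alg: str = "HS256", ttl: int = 300) -> str:
    """Build a token for test input. Only HS256 is actually signed; any other
    alg value produces an empty signature so the verifier's rejection can be shown."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode()
    )
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Verify a JWT with the algorithm fixed by server configuration.

    The header's alg is compared against the configured value and never used
    to select a verification routine, which closes the confusion cases.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad split, bad base64, bad JSON
        raise AuthError("malformed token") from exc

    if header.get("alg") != expected_alg:
        raise AuthError(f"unexpected alg {header.get('alg')!r}")
    if expected_alg != "HS256":
        raise AuthError("only HS256 is configured in this example")

    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    if payload.get("exp", 0) < time.time():
        raise AuthError("token expired")
    return payload


def legacy_transactions(token: str, account_id: str) -> list:
    """The pattern behind the finding: authentication only, no ownership check."""
    verify_token(token, SIGNING_KEY)
    return ACCOUNTS[account_id]["transactions"]


def transactions(token: str, account_id: str) -> list:
    """Hardened handler: the authenticated subject must own the account."""
    claims = verify_token(token, SIGNING_KEY)
    account = ACCOUNTS.get(account_id)
    # Same response for missing and foreign accounts, so IDs reveal nothing.
    if account is None or account["owner"] != claims["sub"]:
        raise AuthError("not found")
    return account["transactions"]


def rejected(handler, *args) -> bool:
    """True if the handler refuses the request with AuthError."""
    try:
        handler(*args)
    except AuthError:
        return True
    return False
```

The ownership check belongs in the handler (or a shared authorization layer), not in the client or the URL scheme; a retest like the one described above would confirm that every object-returning endpoint on the legacy surface performs it.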
Outcome
The critical IDOR was patched within 48 hours. A CVE was issued for the JWT vulnerability. The company passed their investor security audit. No breach occurred. Full remediation verified in a retest 30 days later.
Need a similar engagement?
Request a Pentest