Sample Report — Redacted

Penetration Test Report

This is a redacted example showing the structure and quality of our reports. Actual client data has been replaced with sample data.

Client

[Redacted] — Fintech SaaS

Engagement Type

Full Application + API Test

Date

May 2026

Classification

CONFIDENTIAL

01

Executive Summary

RootDarth conducted a full-scope penetration test of [Client]'s web application, public APIs, and cloud infrastructure over a 10-day engagement. Testing followed OWASP Testing Guide v4.2 methodology and included both automated scanning and manual exploitation.

5 security findings were identified, including one Critical, two High, and two Medium severity vulnerabilities. The most significant finding was an SQL injection in the user profile API (CVSS 9.8) that would allow an unauthenticated attacker to extract the entire user database.

All findings have been reported with proof-of-concept exploitation steps and prioritized remediation guidance. The client's engineering team was briefed and fix verification retesting is scheduled.

02

Finding Summary

IDTitleSeverityCVSSStatus
F-001SQL Injection in User Profile APICritical9.8Confirmed
F-002Broken Object Level Authorization in Payment EndpointHigh8.1Confirmed
F-003S3 Bucket Misconfiguration — Public Read AccessHigh7.5Confirmed
F-004Stored XSS in Support Ticket SystemMedium6.1Confirmed
F-005Missing Rate Limiting on Login EndpointMedium5.3Confirmed

03

Sample Finding — Critical

F-001: SQL Injection in User Profile API (CVSS 9.8)

Description

The /api/v2/users/profile endpoint concatenates user-supplied input directly into a SQL query without parameterization. An unauthenticated attacker can inject arbitrary SQL commands, resulting in full database compromise.

Proof of Concept

GET /api/v2/users/profile?id=1'+OR+1=1-- HTTP/1.1
Host: api.prod.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Response (200 OK):
{
  "id": 1,
  "email": "admin@example.com",
  "name": "[Redacted]",
  "role": "admin",
  "hashed_password": "$2b$12$..."
}

The injection returns all users in the database, including administrator credentials.

Impact

An attacker can dump the entire database (users, transactions, PII), pivot to other internal systems, and escalate to full platform compromise. This finding affects all customers whose data is stored in the affected database.

Remediation

  1. 1.Replace string concatenation with parameterized queries (prepared statements) in all SQL operations.
  2. 2.Implement strict input validation on the id parameter — accept only numeric values.
  3. 3.Apply least-privilege database permissions — the application user should not have access to admin tables.

Every report includes:

Executive Summary
CVSS-Scored Findings
Proof-of-Concept Evidence
Remediation Guidance
Compliance Framework Mapping
Free Retesting
Technical Report (PDF)
Fix Verification