This is a redacted example showing the structure and quality of our reports. Actual client data has been replaced with sample data.
Client
[Redacted] — Fintech SaaS
Engagement Type
Full Application + API Test
Date
May 2026
Classification
CONFIDENTIAL
01
RootDarth conducted a full-scope penetration test of [Client]'s web application, public APIs, and cloud infrastructure over a 10-day engagement. Testing followed OWASP Testing Guide v4.2 methodology and included both automated scanning and manual exploitation.
5 security findings were identified, including one Critical, two High, and two Medium severity vulnerabilities. The most significant finding was an SQL injection in the user profile API (CVSS 9.8) that would allow an unauthenticated attacker to extract the entire user database.
All findings have been reported with proof-of-concept exploitation steps and prioritized remediation guidance. The client's engineering team was briefed and fix verification retesting is scheduled.
02
| ID | Title | Severity | CVSS | Status |
|---|---|---|---|---|
| F-001 | SQL Injection in User Profile API | Critical | 9.8 | Confirmed |
| F-002 | Broken Object Level Authorization in Payment Endpoint | High | 8.1 | Confirmed |
| F-003 | S3 Bucket Misconfiguration — Public Read Access | High | 7.5 | Confirmed |
| F-004 | Stored XSS in Support Ticket System | Medium | 6.1 | Confirmed |
| F-005 | Missing Rate Limiting on Login Endpoint | Medium | 5.3 | Confirmed |
03
F-001: SQL Injection in User Profile API (CVSS 9.8)
The /api/v2/users/profile endpoint concatenates user-supplied input directly into a SQL query without parameterization. An unauthenticated attacker can inject arbitrary SQL commands, resulting in full database compromise.
GET /api/v2/users/profile?id=1'+OR+1=1-- HTTP/1.1
Host: api.prod.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Response (200 OK):
{
"id": 1,
"email": "admin@example.com",
"name": "[Redacted]",
"role": "admin",
"hashed_password": "$2b$12$..."
}The injection returns all users in the database, including administrator credentials.
An attacker can dump the entire database (users, transactions, PII), pivot to other internal systems, and escalate to full platform compromise. This finding affects all customers whose data is stored in the affected database.
id parameter — accept only numeric values.