HackVitraSec - Cybersecurity Company India | VAPT, Ethical Hacking, Web App Security

Case Study: Broken Authentication in SaaS Platform

Client Type: B2B SaaS | Engagement: Security Audit | Date: June 2025

Background

A fast-scaling SaaS company approached HackVitraSec for a proactive security assessment. Their product serves 25,000+ business accounts and handles sensitive CRM and billing data.

Vulnerability Details

We discovered a Broken Authentication flaw. The "role" parameter in account update requests was modifiable by low-privileged users, allowing them to escalate to admin access.

Example: a request body such as { "user_id": 312, "role": "admin" } was accepted as-is, with no backend check that the caller was permitted to change the role.

Impact

  • Unauthorized access to dashboards, user data, and billing
  • Audit logs and sensitive reports were downloadable
  • Potential GDPR/ISO compliance violations

Remediation

  • Backend validation added to restrict role modification by non-admins
  • Logs now trigger alerts on suspicious privilege changes
  • All privileged routes now enforce token-based access control

Recommendations

  • Never trust client-side role assignments
  • Use RBAC (Role-Based Access Control) enforced server-side only
  • Conduct regular VAPT audits and access control reviews
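To make the flaw and its fix concrete, here is an added illustration (written for this case study, not HackVitraSec's or the client's code) of an account-update handler in both forms: the vulnerable version writes every field in the JSON body, while the hardened version enforces a server-side allowlist, requires an administrator for role changes, and records privilege-change events for alerting. The users, field names and audit sink are constructed for the example.

```python
def make_users():
    """Constructed fixture: one low-privileged user and one administrator."""
    return {312: {"email": "user@example.test", "role": "user"},
            7: {"email": "admin@example.test", "role": "admin"}}

SELF_EDITABLE = {"email", "display_name"}   # any account owner may change these
ADMIN_ONLY = {"role"}                        # privilege-bearing, admins only
VALID_ROLES = {"user", "admin"}

def update_account_vulnerable(users, actor_id, payload):
    """Before the fix: every field in the body is written; actor_id is never consulted."""
    target = users[payload["user_id"]]
    for key, value in payload.items():
        if key != "user_id":
            target[key] = value  # {"role": "admin"} lands here unchecked
    return target

def update_account_hardened(users, actor_id, payload, audit_log):
    """After the fix: field allowlist, admin check on role, audit events on privilege changes."""
    actor, target_id = users[actor_id], payload["user_id"]
    is_admin = actor["role"] == "admin"
    if not is_admin and actor_id != target_id:
        raise PermissionError("non-admins may only modify their own account")
    target = users[target_id]
    for key, value in payload.items():
        if key == "user_id":
            continue
        if key in ADMIN_ONLY:
            if not is_admin:  # record the rejected attempt so detection can alert on it
                audit_log.append(("privilege_change_rejected", actor_id, target_id, key, value))
                raise PermissionError(f"'{key}' may only be set by an administrator")
            if key == "role" and value not in VALID_ROLES:
                raise ValueError(f"unknown role {value!r}")
            audit_log.append(("privilege_change", actor_id, target_id, key, target.get(key), value))
            target[key] = value
        elif key in SELF_EDITABLE:
            target[key] = value
        else:  # reject unknown fields instead of silently writing them
            raise ValueError(f"field {key!r} is not updatable")
    return target

def attempt(users, actor_id, payload, audit_log):
    # Run the hardened handler and report the outcome as a short string.
    try:
        update_account_hardened(users, actor_id, payload, audit_log)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
```

The rejected-attempt entries in the audit log are what the "alerts on suspicious privilege changes" remediation would consume.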
