
Penetration testing
Portfolio study cases


Sensitive Information Disclosure via Public Assets
During a web application security assessment, we discovered that the /app/assets/i18n/en.json endpoint—intended for UI localization—was publicly accessible without authentication. The file contained far more than translation strings: it exposed 133+ internal database field names, entity structures, and business operation labels. A simple curl request returned 40KB of internal system metadata that directly mapped to the application's data
Luchezar Atanasov
Mar 22 min read


CORS Misconfiguration Enabling Cross-Origin Data Theft
During assessment for one of our web clients, we discovered that the server reflected any Origin header value in its CORS response, combined with Access-Control-Allow-Credentials: true. This configuration allowed any external website to make authenticated requests on behalf of logged-in users. An attacker hosting a malicious page could silently fetch sensitive data from the application using the victim's session cookies.
Luchezar Atanasov
Mar 13 min read


Case study: JWT access token with excessively long expiration
Scope: We were given the Swagger documentation of the company's new service APIs ahead of release. We found that the application’s JWT access tokens (used for API authentication in most of the APIs) had an unusually long validity period (e.g., 7–30 days) and were not tied to any server‑side revocation or rotation mechanism. Once issued, a stolen token remained valid until its natural expiration, regardless of logout, password change, or role changes. This meant an attacker who obtained a sing
erik biserovv
Mar 12 min read


Case study: Broken access control
During audits, we discovered multiple issues in the /internal/profile endpoint, used by the web app to fetch customer details. The endpoint accepted a profile_id parameter and returned full profile data without verifying that the requesting user actually owned that profile. By incrementing or iterating over profile_id values, an authenticated user could enumerate other customers’ records and retrieve PII (name, email, phone, partial address) under certain conditions. Escalati
Luchezar Atanasov
Mar 12 min read
