Engagement type: Comprehensive web application security assessment · Sector: BFSI / Fintech · Duration: 4–6 weeks · Outcome: Audit-ready posture
Context
A leading Indian fintech marketplace — a consumer-facing platform serving millions of users across credit, lending, and personal finance products — engaged us to conduct a comprehensive security assessment of their public web application ahead of their annual external audit and a major product launch.
The objective was to identify both surface-level and deep business-logic vulnerabilities, prioritise them by real-world risk, and deliver a remediation roadmap their engineering team could execute against in time for the audit window.
Scope
- Public consumer web application — product discovery, comparison, and application flows
- Authenticated user dashboards — account management, loan applications, document handling
- KYC and document upload pipelines, including OCR-driven verification steps
- Integration boundaries with payment processors (review only — not the processors themselves)
- API endpoints serving the web frontend
- Administrative interfaces (separately accessed)
Methodology
- OWASP Top 10 (2021) end-to-end coverage
- OWASP ASVS Level 2 verification mapped to applicable controls
- PTES-aligned engagement workflow — reconnaissance, threat modelling, vulnerability analysis, exploitation, post-exploitation
- Manual testing for business-logic flaws in multi-step approval flows (credit application, KYC, document review)
- Automated discovery via Burp Suite Professional, with custom extensions for the application’s auth and signing patterns
- Authenticated + unauthenticated session perspectives, plus role-boundary testing across user, agent, and admin contexts
Categories of findings
Without disclosing specifics covered under NDA, the engagement surfaced issues across:
- Authorisation: identifier-based access control gaps (IDOR-class) in API endpoints serving customer-facing dashboards
- Business logic: workflow tampering in multi-step credit-application states
- Input validation: server-side trust issues in legacy modules carried forward from prior platform versions
- Session management: cross-channel session reuse and lifetime configuration weaknesses
- Configuration hygiene: third-party SDK posture, TLS edge cases, and response header gaps
- Information disclosure: error responses and debug endpoints revealing internal implementation details
Deliverables
- Executive summary deck for leadership — risk posture, top business risks, recommended priorities
- Engineering-facing technical report — finding-by-finding, with reproduction steps, evidence, and code-level remediation guidance where applicable
- Remediation tracker sheet mapping each finding to owner, severity, and target close date
- Retest cycle verifying remediation of every Critical and High-severity finding, at no additional cost
Outcome
- All Critical and High-severity findings remediated and retested within the engagement window
- Client passed their external audit cleanly in the following cycle
- The application’s authorisation model was refactored across two affected services, eliminating an entire class of IDOR-style issues
- Engineering team adopted continuous security review patterns in their CI/CD for the modules covered
Specific finding counts, severities, and metrics are omitted under the engagement NDA.
Want a similar engagement?
If you’re preparing for an audit, launching a new product, or just want senior-led, OWASP/PTES-aligned web application testing — talk to us. We work end-to-end with your engineering team, not against them.