| Domain | example-target.com |
| Scan Type | Web Application VAPT |
| Assessment Date | 25 May 2026 |
| Scan Duration | 87.3s |
| Methodology | Automated VAPT — 441 tests, 22 categories |
| Report ID | BCH-2026-SAMPLE-PAID |
The OAuth authorization endpoint accepted every redirect_uri variant the scanner submitted (REDIRECT_EVIL_ACCEPTED): https://evil.com/callback, https://example-target.com.evil.com/callback (an attacker-registered subdomain, which passes any "starts with" or "contains the trusted host" check), https://evil.com%23@example-target.com/callback and https://evil.com%40example-target.com/callback (encoded # and @ that make a server-side parser see the trusted host while the browser navigates to evil.com), and https://example-target.com@evil.com/callback (the trusted host placed in the userinfo part; the real host is evil.com). If the server sends the user to any of these with an authorization code or token attached, the attacker receives it. The evidence records only the accepted values; the other OAuth checks in this report recorded nothing but 301 responses, so confirm manually that a code is actually issued to a foreign URI before rating this as exploitable.
Complete account takeover: the authorization code or token is delivered to the attacker's host, who exchanges or uses it to act as the victim without the victim noticing anything beyond a normal login.
Validate redirect_uri by exact string comparison against the URIs registered for that client (RFC 6749 §3.1.2.3): no prefix, suffix, wildcard or substring matching, and no normalisation before the comparison. When the value does not match, show the error to the user rather than redirecting to the unregistered URI. Require state (and PKCE for public clients) on every authorization request.
The authorization endpoint answered redirect_uri=http://localhost with a 301 whose Location still carries the parameter: endpoint:oauth/authorize status:301 location: https://example-target.com/oauth/authorize?response_type=code&client_id=test&redirect_uri=http://localhost/callback&scope=openid (REDIRECT_LOCALHOST_ACCEPTED). A 301 is a scheme or host canonicalisation redirect, not an authorization response: it shows the parameter was passed through, not that a code was issued to it. If following the redirect does yield a code for a loopback URI on behalf of a web client, anyone who can bind a port on the user's machine (a shared host, malware, another local user) can capture it.
Authorization codes intended for a browser-based client are delivered to whatever is listening on the user's loopback interface, enabling account takeover on shared or compromised machines.
Allow loopback redirect URIs only for registered native clients that use PKCE (RFC 8252 §7.3), matching the path exactly and letting only the port vary; reject them for every other client type. Register all valid redirect URIs server-side and compare by exact string match.
SSRF reported as confirmed, with response lengths as the only evidence: SSRF_CONFIRMED:url=http://127.0.0.1/(len:294) src=http://127.0.0.1/(len:294) href=http://127.0.0.1/(len:295) redirect=http://127.0.0.1/(len:299) proxy=http://127.0.0.1/(len:296) fetch=http://127.0.0.1/(len:296) load=http://127.0.0.1/(len:295) img=http://127.0.0.1/(len:294) link=http://127.0.0.1/(len:295) uri=http://127.0.0.1/(len:294) callback=http://127.0.0.1/(len:299) return=http://127.0.0.1/(len:297) next=http://127. (evidence truncated). Every length is 291 bytes plus the length of the parameter name (url 294, href 295, proxy 296, return 297, redirect 299), which is exactly what a 301 page that echoes the requested URL in its body produces (compare the 301 body captured under the Magento finding below). These responses are therefore consistent with the request being redirected, not with the server fetching 127.0.0.1. Treat SSRF as unconfirmed until the server is seen contacting an attacker-observable host (out-of-band DNS/HTTP listener) or content from 127.0.0.1 appears in a response.
If a fetch is confirmed, an attacker can scan internal network infrastructure, reach cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), read internal service data, and potentially pivot to other systems.
Fetch only from an allowlist of hosts. Resolve the name and check every resolved address (IPv4 and IPv6, including IPv4-mapped forms) against loopback, link-local (169.254.0.0/16), RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and ULA ranges, then connect to the checked address rather than resolving again. Do not follow redirects in server-side requests, and require IMDSv2 on AWS hosts.
Adminer, a single-file database administration tool, is reachable at adminer.php (ADMINER_EXPOSED:adminer.php). It supports MySQL, PostgreSQL, SQLite and other engines, and it accepts database credentials from any visitor.
Anyone who reaches the page can attempt logins against every database host the web server can connect to, including local sockets; a guessed, leaked or default credential gives full read/write access to the data, and an outdated Adminer build is itself an attack target.
Remove adminer.php from production. Where a web console is genuinely required, restrict it by source IP or VPN, place it behind the application's authentication with MFA, and keep it current.
A transaction endpoint that should be tested for race conditions was found (RACE_CANDIDATE:api/redeem responses:), though the scanner recorded no responses for it. If the redeem handler reads a balance, checks it and then writes, two requests arriving within the same window can both pass the check, bypassing balance limits or redeeming one code twice.
Attackers can exploit the race window to bypass business logic, double-spend credits or currency, or submit duplicate transactions, causing financial or data-integrity loss.
Make the check and the write a single atomic operation: a conditional UPDATE (... WHERE balance >= :amount) or SELECT ... FOR UPDATE inside one transaction, judged by the number of rows affected. Bind each request to an idempotency key stored under a unique constraint so retries and replays are rejected. Rate-limit the endpoint per user.
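Added example, not part of the scan output or the target's code: the check-then-act pattern the race-condition finding warns about, beside the atomic conditional update with an idempotency key it recommends. SQLite is used only so the logic runs offline; the account, user and amounts are constructed. The race is simulated deterministically (two requests both read the balance before either writes) rather than with threads, which is the interleaving an attacker forces with concurrent requests.

```python
import sqlite3


def new_ledger(balance):
    """Constructed in-memory ledger: one account plus a table of used idempotency keys."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("CREATE TABLE redemptions (idem_key TEXT PRIMARY KEY, user TEXT NOT NULL, amount INTEGER NOT NULL)")
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (balance,))
    db.commit()
    return db


def balance_of(db, user):
    return db.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()[0]


# --- vulnerable: check in one statement, act in another ---------------------

def redeem_naive_begin(db, user, amount):
    """Step 1 of check-then-act: read the balance and decide."""
    (balance,) = db.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()
    return balance >= amount


def redeem_naive_commit(db, user, amount):
    """Step 2: write, trusting a check that may be stale by now."""
    db.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?", (amount, user))
    db.commit()


# --- hardened: one conditional UPDATE, idempotency key, one transaction -------

def redeem_atomic(db, user, amount, idem_key):
    """The balance check is part of the UPDATE's WHERE clause, so two concurrent
    requests cannot both succeed; a replayed idem_key hits the PRIMARY KEY."""
    try:
        with db:  # commit on success, roll back (including the INSERT) on any exception
            db.execute("INSERT INTO redemptions VALUES (?, ?, ?)", (idem_key, user, amount))
            cur = db.execute(
                "UPDATE accounts SET balance = balance - ? WHERE user = ? AND balance >= ?",
                (amount, user, amount),
            )
            if cur.rowcount != 1:
                raise ValueError("insufficient_balance")
    except sqlite3.IntegrityError:
        return "duplicate_request"
    except ValueError as exc:
        return str(exc)
    return "ok"


def simulate():
    """Two 80-credit redemptions against a 100-credit balance, both ways."""
    db = new_ledger(100)
    decisions = [redeem_naive_begin(db, "alice", 80) for _ in range(2)]  # both read 100
    for ok in decisions:
        if ok:
            redeem_naive_commit(db, "alice", 80)
    naive_balance = balance_of(db, "alice")  # double-spent: 100 - 80 - 80

    db = new_ledger(100)
    outcomes = [redeem_atomic(db, "alice", 80, key) for key in ("req-1", "req-2", "req-1")]
    return {"naive_balance": naive_balance,
            "atomic_outcomes": outcomes,
            "atomic_balance": balance_of(db, "alice")}


if __name__ == "__main__":
    print(simulate())
```

On a real database the conditional UPDATE is atomic at row level (or use SELECT ... FOR UPDATE under READ COMMITTED or stricter), so the rows-affected check is the only signal the handler needs; a production service would also return the original response for a replayed idempotency key rather than an error.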
State-changing endpoints responded to cross-origin requests without any CSRF check being observed (CSRF_NOT_VALIDATED:api/profile(301) api/settings(301) api/account(301) api/password/change(301) api/email/change(301) api/transfer(301)). Every response was a 301, so the requests were redirected rather than processed; retest against the final URL with an authenticated session before treating this as confirmed.
If confirmed, an attacker who lures a logged-in user to a page they control can change the victim's profile, password or e-mail address, or initiate transfers, in the victim's name.
Require a per-session synchronizer token (or a signed double-submit cookie) on every state-changing request and compare it in constant time; reject requests whose Origin or Sec-Fetch-Site header indicates another site; set SameSite on session cookies; accept state changes only via POST/PUT/DELETE, never GET.
The OAuth callback endpoint accepted requests with no state parameter and with a forged one (endpoint:oauth/callback no_state:301 with_forged_state:301 STATE_NOT_ENFORCED). Both responses were 301s, so completion of the login was not observed. If the callback does complete without a valid state, an attacker can start a flow with their own identity-provider account and deliver the resulting callback URL to the victim, linking the attacker's account to the victim's session (login CSRF).
The attacker's OAuth identity becomes bound to the victim's application account, or the victim is silently logged into the attacker's account, so that data the victim enters or uploads becomes visible to the attacker.
Generate an unpredictable state value (at least 128 bits of entropy) for every authorization request, bind it to the user's session, require it on the callback, compare it in constant time and invalidate it after one use. Use PKCE in addition, so a code cannot be redeemed by a party that did not start the flow.
Query input is reflected into a response header: location: https://example-target.com/?q=%0d%0aX-Injected:true. The %0d%0a sequence is still percent-encoded in the header, i.e. the server echoed the encoded query into a redirect rather than decoding it into a real line break; a confirmed CRLF/header injection would show X-Injected: true as a separate header. Record this as reflection requiring manual verification, including with a raw (unencoded) CR LF in the request line.
If a line break can be injected, the attacker controls response headers and, on some servers, the body: cookie fixing, cache poisoning through injected headers, and response splitting that serves attacker-controlled HTML to the victim.
Reject or strip CR and LF (and their encoded forms) from any value written into a response header; build redirect targets from an allowlist or a relative path rather than raw user input; use the framework's header API, which should refuse control characters.
10 rapid login attempts were all answered identically (attempt_1:301 attempt_2:301 attempt_3:301 attempt_4:301 attempt_5:301 attempt_6:301 attempt_7:301 attempt_8:301 attempt_9:301 attempt_10:301 NO_RATE_LIMIT). Every response was a 301, so the attempts were redirected, not evaluated against credentials; the absence of throttling is shown only for the redirecting endpoint. Repeat the test against the final login URL; if it also accepts unlimited attempts, credential stuffing and brute force are unrestricted.
Unauthorized access to user accounts through guessed or stuffed credentials, exposure of the data behind them, and escalation if an administrative account is reached.
Throttle login attempts per account and per source address, add an escalating delay or CAPTCHA after a few failures, enforce a strong password policy and MFA, and regenerate the session identifier after authentication. Return the same response for unknown and known usernames.
Login endpoint allowed 20 failed attempts without lockout (attempt_1:301 attempt_2:301 attempt_3:301 attempt_4:301 attempt_5:301 attempt_6:301 attempt_7:301 attempt_8:301 attempt_9:301 attempt_10:301 attempt_11:301 attempt_12:301 attempt_13:301 attempt_14:301 attempt_15:301 attempt_16:301 attempt_17:301 attempt_18:301 attempt_19:301 attempt_20:301 NO_LOCKOUT_AFTER_20). All 20 responses were 301s (see the rate-limiting finding above): the scanner never reached a credential check, so the lockout behaviour of the real login handler is untested.
If the final endpoint also never locks, an attacker can try passwords indefinitely against any known username.
Lock or slow the account temporarily after a small number of consecutive failures, with an unlock path that does not reveal whether the account exists; rate-limit by source address; alert on distributed attempts spread across many accounts.
The authorization endpoint responded identically to a normal and an escalated scope (normal_scope_status:301 escalated_scope_status:301 SCOPE_ESCALATION_POSSIBLE). Both responses were 301s, so the scopes were redirected, not evaluated. If the final endpoint issues tokens for scopes a client was never registered for (admin, write, delete), a client, or an attacker holding that client_id, can obtain permissions beyond its registration.
Tokens carrying privileges the client was never granted; a compromise of that client then exposes administrative or destructive operations instead of the limited access it needed.
Validate the requested scope as a subset of the scopes registered for the client_id and of those the user consents to; reject or reduce anything else and record the granted scope in the token. Show the effective scope on the consent screen.
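Added example, not part of the scan output or the target's code: the authorization-request checks that close the redirect_uri, localhost, state and scope findings above. The client registration is constructed; the attacker URIs are the ones listed in the REDIRECT_EVIL_ACCEPTED and REDIRECT_LOCALHOST_ACCEPTED findings. The naive host-contains check is included to show which of those six payloads it lets through; the strict check is the exact-match comparison RFC 6749 §3.1.2.3 requires, and the relying-party half shows state bound to the session and consumed once.

```python
import hmac
import secrets
from urllib.parse import urlsplit

REGISTERED_HOST = "example-target.com"

# Constructed client registration; the scanned application's real clients are unknown.
CLIENTS = {
    "web-app": {
        "redirect_uris": {"https://example-target.com/callback"},
        "allowed_scopes": {"openid", "profile", "email"},
    },
}

# redirect_uri values from the report's two redirect findings.
ATTACKER_REDIRECTS = [
    "https://evil.com/callback",
    "https://example-target.com.evil.com/callback",
    "https://evil.com%23@example-target.com/callback",
    "https://evil.com%40example-target.com/callback",
    "https://example-target.com@evil.com/callback",
    "http://localhost/callback",
]


def naive_redirect_check(uri):
    """Host-contains check of the kind that produces the finding: accepts four of the six payloads."""
    return REGISTERED_HOST in urlsplit(uri).netloc


def strict_redirect_check(uri, client):
    """Exact string comparison against the registered list: no normalisation, prefixes or wildcards."""
    return uri in client["redirect_uris"]


def validate_authorization_request(params):
    """Authorization-server checks run before any code is issued. Returns (ok, reason)."""
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        return False, "unknown_client"
    if not strict_redirect_check(params.get("redirect_uri", ""), client):
        return False, "invalid_redirect_uri"    # show the error; never redirect to the bad URI
    requested = set(params.get("scope", "").split())
    if not requested or not requested <= client["allowed_scopes"]:
        return False, "invalid_scope"           # closes SCOPE_ESCALATION_POSSIBLE
    if params.get("response_type") != "code":
        return False, "unsupported_response_type"
    if not params.get("state"):
        return False, "missing_state"
    return True, "ok"


# --- relying-party side: state as a CSRF token bound to the user's session ----

def issue_state(session):
    """Called when building the authorization request; session is the server-side session dict."""
    state = secrets.token_urlsafe(32)            # 256 bits of entropy
    session["oauth_state"] = state
    return state


def verify_callback(session, callback_params):
    """Rejects callbacks whose state is absent, forged or replayed (closes STATE_NOT_ENFORCED)."""
    expected = session.pop("oauth_state", None)  # single use
    returned = callback_params.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        return False
    return "code" in callback_params


if __name__ == "__main__":
    for uri in ATTACKER_REDIRECTS:
        print(f"{uri:55} naive={naive_redirect_check(uri)!s:5} strict={strict_redirect_check(uri, CLIENTS['web-app'])}")
```

The naive check fails because netloc still contains the trusted host in payloads two to five even though a browser would go to evil.com; exact matching has no such parsing to get wrong. PKCE (code_verifier/code_challenge) is the natural addition on the relying-party side and is omitted here only for brevity.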
The server held an incomplete HTTP request open for more than 10 seconds (CONNECTION_HELD_OPEN). A Slowloris-style client that opens many such connections and trickles header bytes can exhaust the worker or connection pool with very little bandwidth. The Server header in this report is cloudflare, so check whether the test reached the origin or only the CDN edge, which absorbs this class of attack.
Denial of service: legitimate users cannot obtain a connection while the attacker's idle connections occupy the pool.
Set short header and body read timeouts (nginx client_header_timeout and client_body_timeout, Apache mod_reqtimeout), cap connections per source address (nginx limit_conn), keep the origin reachable only through the CDN or reverse proxy, and prefer an event-driven front end over one thread per connection.
Open DNS resolver reported: OPEN_RESOLVER_DETECTED:;; Connection to 203.0.113.10#53(203.0.113.10) for google.com failed: timed out. ;; Connection to 203.0.113.45#53(203.0.113.45) for google.com failed: timed out. ;; no servers could be reached. The captured evidence contradicts the headline: both recursive queries timed out and no server could be reached, i.e. no recursive answer was observed. Treat this as unverified (or a false positive) and re-run the query. A resolver that does answer recursive queries from the Internet is a DNS amplification source; amplification factors of 28 to 54 are commonly cited for such attacks.
If recursion is open, the server is used to reflect and amplify traffic at third parties, its cache can be poisoned, and abuse reports and blocklisting follow.
Disable recursion on authoritative servers (BIND: recursion no;) or limit it to internal clients (allow-recursion { internal; };); enable response rate limiting; keep the authoritative and recursive roles on separate servers.
Endpoints that may accept URL parameters were found: SSRF_CANDIDATES:api/fetch(301) api/proxy(301) api/url(301) api/redirect(301) api/image(301) api/preview(301) api/screenshot(301) api/webhook(301) api/callback(301). Every path returned 301, so these are discovered names, not confirmed handlers; follow the redirects and test the final URLs for Server-Side Request Forgery with an out-of-band listener.
If a fetch is confirmed, an attacker can scan internal network infrastructure, reach cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), read internal service data, and potentially pivot to other systems.
Fetch only from an allowlist of hosts; resolve the name and check every resolved address (IPv4 and IPv6, including IPv4-mapped forms) against loopback, link-local, RFC 1918 and ULA ranges; connect to the checked address rather than resolving again; do not follow redirects in server-side requests; require IMDSv2 on AWS hosts.
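Added example, not part of the scan output or the target's code: the destination check the two SSRF findings call for. The allowlisted host and the resolver are constructed so the example runs offline; `static_resolver` stands in for `socket.getaddrinfo` and returns tuples of the same shape. The check goes further than the findings' text by also handling IPv4-mapped IPv6 addresses and the case where an allowlisted name resolves to an internal address (rebinding or a stale CNAME), which a hostname-only allowlist misses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the hosts this service legitimately fetches from.
ALLOWED_HOSTS = {"images.example-target.com"}
ALLOWED_PORTS = {80, 443}


def is_blocked_address(addr):
    """True for loopback, link-local (incl. 169.254.169.254), RFC 1918, CGNAT, ULA, unspecified,
    multicast and reserved addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                      # ::ffff:127.0.0.1 is still 127.0.0.1
    if ip.version == 4 and ip in ipaddress.ip_network("100.64.0.0/10"):
        return True                              # shared address space; not is_private everywhere
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def static_resolver(*addresses):
    """Constructed stand-in for socket.getaddrinfo so the checks run without DNS."""
    def resolve(host, port, **_):
        return [(socket.AF_INET6 if ":" in a else socket.AF_INET, socket.SOCK_STREAM,
                 socket.IPPROTO_TCP, "", (a, port)) for a in addresses]
    return resolve


def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Decide whether the server may fetch `url`. Returns (allowed, detail); on success
    detail is the list of vetted addresses the caller should connect to directly."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme_not_allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo_not_allowed"     # https://trusted@evil/ style confusion
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host_not_allowlisted"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "port_not_allowed"
    if port not in ALLOWED_PORTS:
        return False, "port_not_allowed"
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "dns_failure"
    addrs = sorted({info[4][0] for info in infos})
    # The allowlisted name may still point at something internal, so every resolved
    # address is checked; connecting to one of these (with Host/SNI set to `host`)
    # instead of resolving again closes the DNS-rebinding window.
    if not addrs or any(is_blocked_address(a) for a in addrs):
        return False, "resolves_to_blocked_address"
    return True, addrs


if __name__ == "__main__":
    for u in ("http://127.0.0.1/", "https://images.example-target.com/a.png"):
        print(u, check_outbound_url(u, resolver=static_resolver("93.184.216.34")))
```

Redirects are deliberately not followed by this check; the fetching code must either disable them or run `check_outbound_url` again on each Location before following it.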
An administrative path is reachable and returns content distinct from the site's redirect page: ADMIN_ACCESSIBLE:/cpanel(unique_content). This matches the cPanel detection below (ports 2083 and 2087 answering 200).
If the panel accepts password logins from the Internet, a guessed or reused hosting credential gives control of the whole account: files, databases, DNS and e-mail for the domain.
Restrict the panel to trusted source addresses (firewall or the hosting provider's host access control), enforce MFA on every panel account, and do not expose it under the application's hostname.
DMARC policy is p=none, monitoring only with no enforcement: DMARC_NONE:Policy is p=none — no enforcement. Record: v=DMARC1; p=none; rua=mailto:info@example-target.com v=DMARC1; p=none; rua=mailto:dmarc@example-target.com. Two DMARC records are published at _dmarc (one reporting to info@, one to dmarc@). Under RFC 7489 §6.6.3 a receiver that finds more than one record treats the domain as having no DMARC policy at all, so even the monitoring is unreliable.
Spoofed mail from example-target.com is delivered normally, enabling phishing of customers and staff, and the duplicate record means aggregate reports may never arrive.
Publish exactly one _dmarc TXT record. Move to p=quarantine and then p=reject once aggregate reports show all legitimate senders pass SPF or DKIM with alignment; set sp=reject for subdomains and keep rua= pointed at a monitored mailbox.
Weak DKIM key detected: SELECTOR:google BITS:1296 SELECTOR:s1 BITS:2352 SELECTOR:s2 BITS:2352 DKIM_WEAK_KEY:google(1296bit). The reported figures are the length of the base64-decoded key material (the DER SubjectPublicKeyInfo) multiplied by eight, not the RSA modulus size: 1296 bits is 162 bytes, the encoded size of a 1024-bit RSA public key, and 2352 bits is 294 bytes, a 2048-bit key. Selectors s1 and s2 are therefore 2048-bit keys and are not weak; the google selector is a 1024-bit key, below the 2048 bits recommended by RFC 8301 and within reach of a well-resourced adversary.
An attacker who factors or otherwise obtains the 1024-bit key can sign mail as example-target.com that passes DKIM and therefore DMARC, defeating the domain's e-mail authentication.
Rotate the google selector to a 2048-bit key (Google Workspace can generate one), publish the new record, switch signing to it, then revoke the old key by publishing an empty p= for that selector. Keep 2048 bits as the minimum for every selector.
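Added example, not part of the scan output or the target's code: a DKIM record parser that reports both numbers involved in the finding above, the DER-encoded key length in bits (what the scanner printed) and the real RSA modulus size (what matters). It uses only the standard library, so it includes a minimal DER reader for the RSA SubjectPublicKeyInfo structure. `encode_test_record` builds constructed records of a chosen modulus size (the modulus is a placeholder value, not a real RSA key) so the example runs offline; the real records for selectors google, s1 and s2 would be fed in the same way.

```python
import base64

# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    return bytes([0x82, n >> 8, n & 0xFF])


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:               # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return _tlv(0x02, raw)


def _read_tlv(buf, pos):
    """Returns (tag, body, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1


def encode_test_record(modulus_bits, exponent=65537):
    """Constructed DKIM TXT record whose p= is a syntactically valid RSA SPKI of the
    requested modulus size. The modulus 2^(bits-1)+1 is NOT a real RSA key; it only
    gives the parser realistic input offline."""
    n = (1 << (modulus_bits - 1)) | 1
    rsa_public_key = _tlv(0x30, _der_int(n) + _der_int(exponent))
    algorithm = _tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    spki = _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def parse_dkim_record(txt):
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = "".join(v.split())   # p= is often split across strings
    return tags


def dkim_key_sizes(txt):
    """Both sizes a tool might report: encoded key length in bits and the RSA modulus size."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa").lower() != "rsa":
        raise ValueError("not an RSA key: k=" + tags["k"])
    der = base64.b64decode(tags["p"])
    _, spki, _ = _read_tlv(der, 0)                       # SubjectPublicKeyInfo
    _, _algorithm, pos = _read_tlv(spki, 0)              # AlgorithmIdentifier, skipped
    _, bit_string, _ = _read_tlv(spki, pos)              # subjectPublicKey BIT STRING
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)  # skip the unused-bits byte
    tag, modulus, _ = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return {"encoded_bits": len(der) * 8,
            "modulus_bits": int.from_bytes(modulus, "big").bit_length()}


def assess_dkim_key(txt, min_modulus_bits=2048):
    sizes = dkim_key_sizes(txt)
    sizes["weak"] = sizes["modulus_bits"] < min_modulus_bits
    return sizes


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, assess_dkim_key(encode_test_record(bits)))
```

For a 1024-bit key the encoded length comes out at exactly 162 bytes (1296 bits) and for a 2048-bit key at 294 bytes (2352 bits), the two figures in the finding, which is why only the google selector is actually weak.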
A prototype-pollution payload was reflected in the response, indicating that server-side JavaScript parses query parameters into a nested object graph (keys such as __proto__ or constructor.prototype). Reflection alone shows the parser accepts such keys; whether Object.prototype is actually modified needs confirmation, for example a polluted property appearing in an unrelated response.
If polluted properties reach library code, the result ranges from denial of service (crashes, altered control flow) to remote code execution in Node.js applications that pass option objects to child_process or template engines.
Reject __proto__, constructor and prototype as keys when parsing query strings, JSON or form bodies (for example qs with allowPrototypes left false, or an explicit key filter); build lookup objects with Object.create(null) or Map; freeze Object.prototype where practical; keep merge/extend libraries current.
User input is reflected in responses: XSS_REFLECTED:q(reflected) search(reflected) query(reflected) id(reflected) name(reflected) page(reflected) redirect(reflected) url(reflected) msg(reflected) error(reflected). The scanner observed the values echoed; whether they are HTML-encoded at the output point was not determined. If encoding is missing, attackers can inject JavaScript to steal sessions, redirect users, or deface content.
If unencoded, an attacker can run script in the victim's browser: session theft where cookies lack HttpOnly, forced actions within the victim's session, credential harvesting and defacement.
Encode output for its context (HTML body, attribute, JavaScript, URL) using the template engine's auto-escaping; deploy a Content-Security-Policy without unsafe-inline; mark session cookies HttpOnly; validate reflected URL parameters (redirect, url) against an allowlist.
One or more cookies are set without the HttpOnly, Secure or SameSite attributes, leaving them readable by injected script, transmittable over plaintext HTTP, and attached to cross-site requests.
An attacker who exploits an XSS vulnerability or intercepts network traffic can steal session cookies, leading to account takeover and unauthorized access to user data.
Set Secure and HttpOnly on session cookies, with SameSite=Lax or Strict (Lax is usually needed for the OAuth callback to carry the session; Strict for cookies that never need a cross-site navigation). Use the __Host- prefix, and scope cookies to the minimum necessary domain and path.
The server answered OPTIONS, PUT, DELETE and PATCH with 301 (ALLOWED:OPTIONS:301 ALLOWED:PUT:301 ALLOWED:DELETE:301 ALLOWED:PATCH:301). A redirect is not acceptance: it shows the front end forwards any method to the canonical URL, not that PUT or DELETE modify anything. TRACE did not appear in the accepted list. Retest the methods against the final URL.
If PUT or DELETE are honoured by the origin without authorization, attackers can upload or remove content.
Restrict each route to the methods it implements and return 405 for the rest; disable TRACE and WebDAV unless required; apply authorization on every method, not only GET and POST.
Admin endpoints found: /admin:301 /admin/:301 /wp-admin:301 /administrator:301 /phpmyadmin:301 /adminer:301 /manager:301. Every path redirected and none was shown to exist; paths for WordPress, phpMyAdmin, Adminer and Tomcat Manager all redirecting identically is consistent with a catch-all redirect rather than with all four products being installed.
Whatever exists behind the redirects is an authentication surface that automated attacks will brute-force, since these are well-known default paths.
Follow the redirects to enumerate what actually exists, then remove unused consoles, restrict the rest by source IP, and require MFA on them.
Sending the same parameter twice produced different responses, so HTTP parameter pollution may be exploitable: front-end and back-end components may pick different occurrences (first versus last), letting an attacker slip a value past validation performed on the other copy.
Validation bypasses, for example a redirect target or transaction amount checked on one copy of a parameter while another copy is used.
Parse each parameter once at a single layer, reject duplicate occurrences of parameters that must be single-valued, and make sure proxy, WAF and application agree on which occurrence wins.
HTTP method probe (all redirected): GET:301 POST:301 PUT:301 DELETE:301 PATCH:301 OPTIONS:301 HEAD:301 PROPFIND:301 MKCOL:301. The WebDAV methods PROPFIND and MKCOL receiving the same redirect as GET says nothing about WebDAV being enabled at the origin.
Supplementary to the HTTP methods finding above; no additional impact is demonstrated.
Same remediation as the HTTP methods finding: a method allowlist per route, 405 for everything else, WebDAV disabled unless required.
Coupon or discount code endpoints found: COUPON_ENDPOINTS:api/coupon(301) api/discount(301) api/promo(301) api/v1/coupon(301) api/cart/coupon(301) api/apply-coupon(301) api/voucher(301). Every path redirected, so confirm which exist; those that do should be tested for replay, stacking, and brute force of codes.
Coupon logic that can be replayed, stacked or brute-forced turns directly into financial loss.
Make codes single-use and record each redemption bound to the user and cart under a unique constraint; disallow stacking unless a rule explicitly permits it; use long random codes and rate-limit the redeem endpoint per user and source address.
An API endpoint accepted rapid requests without throttling (NO_RATE_LIMIT:api after_15_requests). The response codes for this test are not recorded; given the rest of this report, confirm that they were not 301s before relying on the result.
Unthrottled APIs allow brute force of identifiers and tokens, bulk scraping, and resource-exhaustion denial of service.
Apply per-client and per-endpoint rate limits (token bucket or sliding window) keyed on API key, user and source address; return 429 with Retry-After; use tighter limits on authentication and enumeration-prone endpoints.
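Added example, not part of the scan output or the target's code: a sliding-window rate limiter and a per-account lockout of the kind the login rate-limiting, lockout and API throttling findings call for. The thresholds, account name and source address are constructed, and the clock is injected so the simulation replays the report's 20-attempt test deterministically: five failures lock the account, a 21st request in the same minute trips the per-source limit, and the lockout expires on schedule.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window_seconds` for each key."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self.events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginGuard:
    """Per-source rate limit plus per-account lockout after repeated failures."""

    def __init__(self, max_failures=5, lockout_seconds=900, per_ip_limit=20,
                 window_seconds=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.per_ip = RateLimiter(per_ip_limit, window_seconds, clock)
        self.failures = defaultdict(int)
        self.locked_until = {}

    def check(self, username, source_ip):
        """Run before the password is verified; the answer must not depend on whether
        the account exists, so the same path is taken for unknown usernames."""
        if not self.per_ip.allow(source_ip):
            return "rate_limited"
        if self.locked_until.get(username, 0) > self.clock():
            return "locked"
        return "allowed"

    def record(self, username, success):
        """Run after verification: reset on success, lock after max_failures in a row."""
        if success:
            self.failures.pop(username, None)
            self.locked_until.pop(username, None)
            return
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lockout_seconds
            self.failures[username] = 0


class FakeClock:
    """Constructed clock so the simulation is deterministic and instant."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_bruteforce(attempts=20):
    """Replays the report's 20 wrong-password attempts from one address at one account."""
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    outcomes = []
    for _ in range(attempts):
        outcome = guard.check("victim", "198.51.100.7")   # constructed account and address
        if outcome == "allowed":
            guard.record("victim", success=False)         # constructed: every guess is wrong
        outcomes.append(outcome)
    twenty_first = guard.check("victim", "198.51.100.7")
    clock.advance(guard.lockout_seconds)
    return {"outcomes": outcomes, "twenty_first": twenty_first,
            "after_lockout": guard.check("victim", "198.51.100.7")}


if __name__ == "__main__":
    print(simulate_bruteforce())
```

A hard per-account lockout lets an attacker lock victims out on purpose, so production deployments usually pair a short lockout with escalating delays or a challenge, and apply the per-source limit by address or network rather than by exact IP alone.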
The JSON injection check on api/login was labelled safe (JSON_INJECTION_SAFE:api/login): injected extra parameters were not shown to be processed, so no mass-assignment weakness is demonstrated. The entry is retained because mass assignment (binding extra JSON fields such as role or is_admin to model attributes) remains a common escalation path worth a manual check on endpoints that create or update objects.
If an endpoint does bind unexpected fields, an attacker can set privileged attributes (role, verified, owner) on their own account or on objects they create.
Bind request bodies to explicit DTOs or allowlisted fields; reject unknown properties; never bind identity or role attributes from client input.
Active subdomains without SPF records: SUBDOMAIN_SPOOFABLE:mail.example-target.com(no-spf). Mail claiming to come from these subdomains cannot be evaluated by SPF (there is no record to pass or fail), so receivers fall back on DMARC, which is p=none for the organisational domain and therefore enforces nothing.
Phishing that appears to come from mail.example-target.com, a hostname recipients have reason to trust.
Publish v=spf1 -all on every subdomain that never sends mail; give mail-sending subdomains an accurate SPF record; set sp=reject in the organisational DMARC record so subdomains are covered even when they have no record of their own.
The certificate was flagged for weak cryptography (SIG: Signature Algorithm: ecdsa-with-SHA256 KEY:256bit WEAK_CRYPTO:weak_key(256bit)). This is a false positive: a 256-bit ECDSA key (P-256) with a SHA-256 signature is current best practice and roughly equivalent in strength to 3072-bit RSA; the scanner applied an RSA key-length threshold to an EC key. No SHA-1 or MD5 signature was observed.
None demonstrated by this evidence.
No change to the certificate is needed. General TLS hygiene still applies: disable TLS 1.0/1.1 and SSLv3, offer only AEAD cipher suites (AES-GCM, ChaCha20-Poly1305), enable HSTS with a max-age of at least 31536000, and serve the complete certificate chain.
cPanel hosting panel found: CPANEL_DETECTED:port_2083(200) port_2087(200) /cpanel(200). Unlike most findings in this report these are 200 responses, so the panel is confirmed reachable from the Internet.
The panel authenticates hosting-account credentials that give control of files, databases, DNS and e-mail for the domain; it is a standing target for credential stuffing.
Restrict ports 2083 and 2087 and the /cpanel path to trusted source addresses, enforce MFA on every cPanel and WHM account, and monitor failed logins.
Ruby dependency files are accessible: GEMFILE_EXPOSED:Gemfile Gemfile.lock. Gemfile.lock pins exact gem versions, letting an attacker match them against known-vulnerable releases. Confirm the response is Ruby content and not the site's generic redirect page: a Ruby application alongside the Magento and WordPress indicators elsewhere in this report would be unusual.
Attackers can use disclosed information to map the application's technology stack, identify specific software versions with known vulnerabilities, and craft targeted exploits.
Serve only the application's public directory; deny dependency manifests and dotfiles (Gemfile, Gemfile.lock, .env, .git) at the web server; deploy built artifacts rather than the source tree.
Web service description files are accessible: WSDL_WADL_EXPOSED:application.wadl api.wadl. These enumerate the SOAP/REST endpoints, operations, data types and bindings.
A complete API inventory hands attackers the operation names, parameter types and bindings needed to probe for authorization gaps and injection without guessing.
Disable WADL/WSDL generation in production (for example Jersey: jersey.config.server.wadl.disableWadl=true) or restrict the documents to authenticated internal users.
DMARC not enforcing (a second view of the DMARC p=none finding above): "v=DMARC1; p=none; rua=mailto:dmarc@example-target.com" "v=DMARC1; p=none; rua=mailto:info@example-target.com". Both records appear again here; they must be consolidated into one.
Spoofed mail is delivered normally; see the DMARC p=none finding above.
Publish a single _dmarc record and move to p=reject via p=quarantine; see the DMARC p=none finding above.
The Server header is server: cloudflare (reported twice). It names the CDN, not the origin software, and carries no version, so no version disclosure is demonstrated. The useful information is that the site is fronted by Cloudflare, which affects how the Slowloris and rate-limiting results should be read.
None from this header. Version leakage, if any, would come from other response headers (X-Powered-By, X-AspNet-Version) or from error pages.
Keep origin servers from emitting version details (X-Powered-By, verbose Server values, default error pages) and ensure the origin is not reachable directly by IP, bypassing the CDN.
API version endpoints found: API_VERSIONS:api/v1(301) api/v2(301) api/v3(301) v1(301) v2(301) v3(301) api/v1.0(301) api/v2.0(301). All redirected; verify which versions exist. Older API versions may lack security controls present in the current one.
Older versions often lack the authentication, rate-limiting and validation fixes applied to the current version and may expose deprecated fields.
Inventory the versions that actually exist, decommission unused ones, and apply the same authentication and rate-limiting middleware to every version that remains.
Magento version disclosure is reported, but the captured evidence is the body of a redirect page (MAGENTO_VERSION:<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document ha, truncated) and contains no Magento version string. Treat this as a false positive unless a version is observed in the final page or its headers. If Magento is present and outdated, it is a frequent target for card-skimming attacks.
If Magento is present and out of date, known vulnerabilities in that version are used for card-skimming (Magecart) injections.
Confirm the platform from the final response; if it is Magento, keep it patched and suppress version indicators.
The domain is not DNSSEC-signed, so resolvers cannot detect forged or poisoned answers for it.
Forged DNS answers can redirect users or mail to attacker infrastructure with a certificate warning as the only sign; forged MX or TXT records also weaken the SPF and DMARC checks that depend on DNS.
Sign the zone (or enable DNSSEC at the DNS provider) and publish the DS record at the registrar; monitor signature expiry. CAA records additionally limit which CAs may issue certificates for the domain.
No DKIM records were found for the scanner's list of common selectors. This conflicts with the DKIM key finding above, which resolved selectors google, s1 and s2, so DKIM is in use; the selector wordlist in this check simply did not include them.
None beyond the weak-key finding above.
Ensure every outbound mail source signs with DKIM using 2048-bit keys and that its selectors are published; no further action arises from this entry.
Responses lack X-Content-Type-Options: nosniff, so browsers may MIME-sniff content into a type other than the one declared.
A resource served with an unexpected Content-Type (a user upload, an API response) can be interpreted as HTML or script, turning a file upload or JSON endpoint into an XSS vector.
Send X-Content-Type-Options: nosniff on every response together with an accurate Content-Type; serve user-uploaded files from a separate origin.
Based on the assessment findings, the following areas require attention to strengthen your overall security posture and meet compliance requirements.
Every organization has unique security requirements. We provide customized remediation plans based on your business context, risk appetite, and compliance needs.
Share your requirements and we'll prepare a customized remediation proposal.
Discuss findings, business impact, and prioritization with our security team.
Our engineers fix vulnerabilities with verification testing after each fix.
Share the following details when you reach out, so we can prepare an accurate proposal:
Pricing is customized based on scope, complexity, and timeline.
This assessment was limited to the target domain example-target.com and the specific tests performed during the scan period. The findings are based on the state of the application at the time of testing.
This security assessment was performed with explicit authorization from the asset owner. All testing activities were conducted within the agreed-upon scope.
Automated scanning may not detect all vulnerabilities. Findings should be validated and may require manual verification. The absence of a finding does not guarantee the absence of a vulnerability.
This report contains sensitive security information and is intended solely for the authorized recipient. Do not distribute, copy, or share this document without written permission from both the asset owner and Bachao.AI.
Bachao.AI (Dhisattva AI Pvt Ltd) provides this report on an "as-is" basis. While every effort has been made to ensure accuracy, we do not warrant completeness. Remediation decisions remain the responsibility of the asset owner.