Below is a sample from a real penetration test engagement. Every pentests.work report follows this format — clear findings, CVSS-rated severity, and actionable remediation steps.
CONFIDENTIAL
Prepared for: GoatHR, Inc.
Date: March 2026
Version: 1.0
Classification: Confidential
Target
GoatHR Application
Testing Dates
March 6–7, 2026
Methodology
OWASP WSTG
Total Findings
24 vulnerabilities
Executive Summary
pentests.work conducted an Advanced Web Application Penetration Test on the GoatHR application. The assessment covered the main web application, authentication flows, authorization controls, session management, and business logic.
The application exhibited significant security vulnerabilities requiring immediate attention. Nine critical findings — including SQL injection, OS command injection, directory traversal, and an exposed debug console — could allow an attacker to fully compromise the application, its underlying server, and all stored data.
We recommend prioritizing the critical and high-severity findings for immediate remediation. Medium and low findings should be addressed in the next development sprint.
Approach
Our methodology is based on the OWASP Web Security Testing Guide (WSTG), incorporating both manual and automated testing techniques for thorough coverage.
Summary of Findings
| Risk | ID | Vulnerability | CVSS |
|---|---|---|---|
| Critical | F-1 | [WSTG-CRYP-03] Login Credentials Transmitted Over Unencrypted HTTP | 9.0 – 10.0 |
| Critical | F-3 | [WSTG-INPV-05] SQL Injection in Login Form | 9.0 – 10.0 |
| Critical | F-4 | [WSTG-ATHZ-01] Complete Database Disclosure via Directory Traversal | 9.0 – 10.0 |
| Critical | F-5 | [WSTG-BUSL-01] OS Command Injection in Network Diagnostic Tools | 9.0 – 10.0 |
| Critical | F-7 | [WSTG-ATHN-04] SQL Injection Authentication Bypass | 9.0 – 10.0 |
| Critical | F-9 | [WSTG-CONF-02] Werkzeug Debug Console Exposed | 9.0 – 10.0 |
| High | F-10 | [WSTG-CLNT-03] Stored Cross-Site Scripting (XSS) in Employee Comments | 7.0 – 8.9 |
| High | F-11 | [WSTG-ATHZ-04] Insecure Direct Object Reference (IDOR) in Employee Profiles | 7.0 – 8.9 |
| High | F-12 | [WSTG-ATHN-09] Weak Password Change Functionality | 7.0 – 8.9 |
| High | F-13 | [WSTG-SESS-05] Cross-Site Request Forgery (CSRF) in Password Change | 7.0 – 8.9 |
| Medium | F-16 | [WSTG-APIT-05] Missing API Rate Limiting on Login Endpoint | 4.0 – 6.9 |
| Medium | F-18 | [WSTG-ERRH-01] Database Error Information Disclosure | 4.0 – 6.9 |
| Medium | F-19 | [WSTG-BUSL-02] Missing Authorization Controls for Employee Comments | 4.0 – 6.9 |
| Medium | F-24 | [WSTG-CONF-07] Missing Security Headers | 4.0 – 6.9 |
| Low | F-14 | [WSTG-SESS-02] Session Cookie Missing SameSite Attribute | 0.1 – 3.9 |
| Low | F-15 | [WSTG-INFO-02] Server Information Disclosure in Headers | 0.1 – 3.9 |
| + 8 additional findings included in the full report | | | |
Vulnerability Details
Each finding includes a description, affected scope, and step-by-step remediation guidance. Showing 16 of 24 findings from this engagement.
F-1 (Critical): [WSTG-CRYP-03] Login Credentials Transmitted Over Unencrypted HTTP
Description
User login credentials (usernames and passwords) are transmitted over unencrypted HTTP connections. This makes them vulnerable to interception by attackers who can perform man-in-the-middle attacks, network sniffing, or have access to network traffic logs.
Remediation
Implement HTTPS for all authentication-related pages. Use secure authentication protocols. Implement proper session management over encrypted channels.
F-3 (Critical): [WSTG-INPV-05] SQL Injection in Login Form
Description
The login form is vulnerable to SQL injection attacks. User input is directly concatenated into SQL queries without proper sanitization or parameterized queries. This allows attackers to manipulate SQL queries and potentially extract sensitive data or bypass authentication.
Remediation
Use parameterized queries or prepared statements instead of string concatenation. Implement proper input validation and sanitization. Apply the principle of least privilege to database connections.
F-4 (Critical): [WSTG-ATHZ-01] Complete Database Disclosure via Directory Traversal
Description
The file download endpoint is vulnerable to directory traversal, allowing an attacker to access any file on the server, including the application database. This leads to complete disclosure of all stored data including user credentials.
Remediation
Implement strict input validation for file paths. Use a whitelist of allowed files. Restrict file access to a designated directory. Apply the principle of least privilege to the application's file system access.
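An added example (not code from the GoatHR application or from the report) of the remediation for F-4: a download handler that resolves the requested name inside a fixed directory, rejects anything that escapes it (including symlinks), and applies a file-type allowlist. The directory layout, file names and allowed suffixes are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".pdf", ".csv"}  # assumption: only exported reports are downloadable


def safe_download_path(base_dir: str, requested: str) -> Path:
    """Resolve `requested` inside base_dir and refuse anything that escapes it."""
    base = Path(base_dir).resolve()
    # Absolute paths and embedded NUL bytes are never legitimate download names.
    if "\x00" in requested or Path(requested).is_absolute():
        raise PermissionError("invalid file name")
    # resolve() collapses '..' segments and follows symlinks before the check,
    # so a symlink inside base_dir that points at the database is caught too.
    candidate = (base / requested).resolve()
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise PermissionError("path escapes the download directory")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PermissionError("file type not allowed")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def make_demo_tree() -> str:
    """Constructed layout: <tmp>/downloads/report.pdf beside <tmp>/app.db (assumption)."""
    root = Path(tempfile.mkdtemp())
    downloads = root / "downloads"
    downloads.mkdir()
    (downloads / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (root / "app.db").write_bytes(b"constructed sqlite stand-in")
    # A symlink left inside the download folder that points outside it.
    os.symlink(root / "app.db", downloads / "link.pdf")
    return str(downloads)
```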
F-5 (Critical): [WSTG-BUSL-01] OS Command Injection in Network Diagnostic Tools
Description
The network diagnostic tools feature allows administrators to run ping and traceroute commands. The input is not properly sanitized, allowing an attacker to inject arbitrary operating system commands that execute with the application's privileges.
Remediation
Avoid passing user input directly to OS commands. Use parameterized APIs or libraries for network diagnostics. Implement strict input validation using an allowlist of permitted characters.
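An added example (not the GoatHR code) of the remediation for F-5: the diagnostic target is checked against an allowlist (an IP address or a plain host name), and ping is started from an argv list with no shell, so the value can only ever be one argument. The function names and the ping flags are assumptions for a Linux host.

```python
import ipaddress
import re
import subprocess

# RFC 1123 host name: labels of letters, digits and inner hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(target: str) -> str:
    """Allowlist check: the value must parse as an IP address or a plain host name.
    Anything else (shell metacharacters, spaces, a leading '-') is rejected."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("target must be an IP address or host name")


def build_ping_command(target: str, count: int = 4) -> list:
    """Return the argv list for ping; the host travels as one argument, never as
    part of a shell command line, so injected text cannot become a second command."""
    host = validate_target(target)
    if not 1 <= int(count) <= 10:
        raise ValueError("count must be between 1 and 10")
    return ["ping", "-c", str(int(count)), host]


def run_ping(target: str, count: int = 4, timeout: float = 20.0) -> tuple:
    """Execute ping without a shell and with a hard timeout."""
    proc = subprocess.run(build_ping_command(target, count), shell=False,
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout
```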
F-7 (Critical): [WSTG-ATHN-04] SQL Injection Authentication Bypass
Description
The authentication mechanism can be completely bypassed using SQL injection. An attacker can log in as any user, including administrators, without knowing valid credentials.
Remediation
Use parameterized queries for all authentication logic. Implement multi-factor authentication as an additional layer of defense. Log and alert on suspicious authentication attempts.
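An added example (not code from the GoatHR application or the report) contrasting the two query styles behind F-3 and F-7 against a constructed in-memory SQLite user table; the user names and passwords are assumptions. The vulnerable version shows user data becoming part of the SQL statement (a name with an apostrophe is enough), the safe version binds it as a parameter and verifies the password hash in constant time.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the GoatHR user table (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in (("alice", "correct horse battery"), ("admin", "long admin passphrase")):
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, _hash(pw, salt)))
    return db


def _verify(row, password: str):
    if row is None:
        return None
    user, salt, stored = row
    # Constant-time comparison of the derived key; never compare passwords in SQL.
    return user if hmac.compare_digest(_hash(password, salt), stored) else None


def login_vulnerable(db, username: str, password: str):
    """The pattern behind F-3/F-7: the username is spliced into the SQL text, so a
    quote in it changes the statement itself (here it breaks the syntax)."""
    query = f"SELECT username, salt, pw_hash FROM users WHERE username = '{username}'"
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error as exc:
        # Echoing the driver's message to the client is the disclosure in F-18.
        return f"db error: {exc}"
    return _verify(row, password)


def login_safe(db, username: str, password: str):
    """Parameterized query: the driver binds the username as data, never as SQL."""
    row = db.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return _verify(row, password)
```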
F-9 (Critical): [WSTG-CONF-02] Werkzeug Debug Console Exposed
Description
The application exposes the Werkzeug debug console in production, allowing unauthenticated remote code execution on the server. An attacker can execute arbitrary Python code with the application's privileges.
Remediation
Disable debug mode in production environments. Remove or restrict access to debug endpoints. Implement environment-specific configuration to prevent debug features from being enabled in production.
F-10 (High): [WSTG-CLNT-03] Stored Cross-Site Scripting (XSS) in Employee Comments
Description
The employee comments feature does not sanitize user input before storing and rendering it. An attacker can inject malicious JavaScript that executes in the browser of any user who views the employee profile.
Remediation
Sanitize all user input on the server side. Encode output using context-appropriate encoding. Implement Content Security Policy headers to mitigate the impact of XSS.
F-11 (High): [WSTG-ATHZ-04] Insecure Direct Object Reference (IDOR) in Employee Profiles
Description
The application does not verify that the authenticated user has authorization to view the requested employee profile. An attacker can access any employee's profile, including sensitive personal information, by simply changing the employee ID parameter.
Remediation
Implement server-side authorization checks for all resource access. Verify the authenticated user has permission to access the requested resource. Use indirect references or UUIDs instead of sequential IDs.
F-12 (High): [WSTG-ATHN-09] Weak Password Change Functionality
Description
The password change functionality does not require the current password to set a new one. Combined with other vulnerabilities such as CSRF, this allows an attacker to change any user's password without knowing their current credentials.
Remediation
Require the current password before allowing password changes. Implement rate limiting on password change attempts. Send email notifications when passwords are changed.
F-13 (High): [WSTG-SESS-05] Cross-Site Request Forgery (CSRF) in Password Change
Description
The password change form does not implement CSRF protection. An attacker can craft a malicious page that changes the victim's password when they visit it while authenticated to the application.
Remediation
Implement anti-CSRF tokens for all state-changing operations. Use the SameSite cookie attribute. Require re-authentication for sensitive operations like password changes.
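An added example (not the GoatHR code) of a password-change handler that applies the remediation for F-12 and F-13 together: a session-bound anti-CSRF token is checked first, the current password is required, the token is rotated after use, and a notification is queued. The Account class, form field names and password policy are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed stand-in for a logged-in GoatHR user and their server-side session."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        # Anti-CSRF token bound to the session; rendered into the form as a hidden field.
        self.csrf_token = secrets.token_urlsafe(32)
        self.notifications = []

    def verify_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)


def change_password(account: Account, form: dict) -> str:
    """Handle the password-change POST; returns 'ok' or the reason for rejection."""
    # F-13: the token in the request body must match the one bound to this session.
    # A cross-site form cannot read the token, so it cannot forge a valid request.
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, account.csrf_token.encode()):
        return "rejected: csrf token"
    # F-12: re-authenticate with the current password before accepting a new one.
    current = form.get("current_password", "")
    if not account.verify_password(current):
        return "rejected: current password"
    new = form.get("new_password", "")
    if len(new) < 12 or new == current:
        return "rejected: new password policy"
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new, account.salt)
    account.csrf_token = secrets.token_urlsafe(32)  # rotate after a successful use
    account.notifications.append(f"password changed for {account.username}")  # email hook
    return "ok"
```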
F-16 (Medium): [WSTG-APIT-05] Missing API Rate Limiting on Login Endpoint
Description
The login endpoint does not enforce rate limiting. An attacker can perform unlimited password guessing attempts without being blocked or throttled.
Remediation
Implement rate limiting on authentication endpoints. Add progressive delays after failed attempts. Consider account lockout after a configurable number of consecutive failures.
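An added example (not the GoatHR code) of the three controls recommended for F-16 in one limiter: a sliding window of recent failures per client/username pair, a doubling delay once the threshold is passed, and a temporary lockout after a configurable number of consecutive failures. Thresholds, the key shape and the FakeClock are assumptions for demonstration.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Per-(client IP, username) sliding window with progressive delay and lockout."""
    def __init__(self, max_attempts=5, window=300, lockout_after=10,
                 lockout_seconds=900, max_delay=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.max_delay = max_delay
        self.clock = clock                    # injectable so behaviour is testable
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}

    def check(self, key):
        """Call before verifying credentials. Returns (allowed, retry_after_seconds)."""
        now = self.clock()
        if now < self.locked_until.get(key, 0.0):
            return False, self.locked_until[key] - now
        recent = self.failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= self.max_attempts:
            # Progressive delay: 1s, 2s, 4s ... past the threshold, capped at max_delay.
            delay = min(2 ** (len(recent) - self.max_attempts), self.max_delay)
            since_last = now - recent[-1]
            if since_last < delay:
                return False, delay - since_last
        return True, 0.0

    def record_failure(self, key):
        now = self.clock()
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.lockout_after:
            self.locked_until[key] = now + self.lockout_seconds

    def record_success(self, key):
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


class FakeClock:  # constructed clock so the limiter can be exercised offline
    def __init__(self, start=1000.0): self.now = start
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds
```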
F-18 (Medium): [WSTG-ERRH-01] Database Error Information Disclosure
Description
The application returns detailed database error messages to users, including SQL query fragments and database structure information. This information aids attackers in crafting targeted injection attacks.
Remediation
Return generic error messages to users in production. Log detailed errors server-side only. Implement a global error handler that strips sensitive data from responses.
F-19 (Medium): [WSTG-BUSL-02] Missing Authorization Controls for Employee Comments
Description
Any authenticated user can add, edit, or delete comments on any employee's profile regardless of their role or relationship to that employee. There are no authorization checks on the comment functionality.
Remediation
Implement role-based access controls for comment operations. Restrict comment modification to the comment author and administrators. Log all comment operations for audit purposes.
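An added example (not the GoatHR code) of server-side authorization covering both F-11 and F-19: profiles are looked up by an opaque public id rather than a sequential key, every lookup passes a policy check, missing and forbidden records return the same error, and denials are recorded for audit. The roles, the policy rules and the data model are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    id: str
    role: str            # 'employee', 'manager' or 'admin' (assumed roles)

@dataclass
class Employee:
    id: str              # internal sequential key, never exposed in URLs
    manager_id: Optional[str]
    public_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))

@dataclass
class Comment:
    author_id: str
    employee_id: str

def can_view_profile(user: User, emp: Employee) -> bool:
    return user.role == "admin" or user.id == emp.id or user.id == emp.manager_id

def can_comment_on(user: User, emp: Employee) -> bool:
    # Only HR admins and the employee's own manager may add comments.
    return user.role == "admin" or user.id == emp.manager_id

def can_modify_comment(user: User, comment: Comment) -> bool:
    # Edit/delete is limited to the comment's author and admins.
    return user.role == "admin" or user.id == comment.author_id

class ProfileService:
    """Looks profiles up by opaque public_id and enforces the checks server-side."""
    def __init__(self, employees):
        self.by_public_id = {e.public_id: e for e in employees}
        self.audit = []

    def get_profile(self, user: User, public_id: str) -> Employee:
        emp = self.by_public_id.get(public_id)
        # Same error for 'missing' and 'forbidden' so ids cannot be enumerated.
        if emp is None or not can_view_profile(user, emp):
            self.audit.append(("denied", user.id, public_id))
            raise PermissionError("profile not available")
        self.audit.append(("viewed", user.id, public_id))
        return emp
```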
F-24 (Medium): [WSTG-CONF-07] Missing Security Headers
Description
Several recommended security headers are missing from the application's HTTP responses, including Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, and Permissions-Policy.
Remediation
Add security headers to all HTTP responses. Configure headers at the web server or reverse proxy level to ensure consistent application across all endpoints.
F-14 (Low): [WSTG-SESS-02] Session Cookie Missing SameSite Attribute
Description
The session cookie is set without the SameSite attribute. This may allow the cookie to be sent with cross-site requests, increasing the risk of CSRF attacks.
Remediation
Set the SameSite attribute to 'Strict' or 'Lax' on all session cookies. Review other cookies for appropriate SameSite settings.
F-15 (Low): [WSTG-INFO-02] Server Information Disclosure in Headers
Description
The server's HTTP response headers disclose detailed information about the server software, version, and underlying technologies. This information assists attackers in identifying known vulnerabilities for the specific software versions in use.
Remediation
Remove or obscure server identification headers. Configure the web server to suppress version information in HTTP responses.
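An added example (not the GoatHR code) of fixing F-24, F-14 and F-15 in one place: a WSGI middleware that wraps whatever application produced the response, strips the Server and X-Powered-By headers, adds the missing SameSite/Secure/HttpOnly attributes to any Set-Cookie it sees, and appends the security headers the report lists unless the view already set them. The header values, the demo_app and its leaked Server string are constructed assumptions.

```python
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]
STRIP_HEADERS = {"server", "x-powered-by"}  # F-15: drop software/version fingerprints

def harden_cookie(value: str) -> str:
    # F-14: append SameSite/Secure/HttpOnly to a Set-Cookie value that lacks them.
    parts = [p.strip() for p in value.split(";")]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    for attr in ("SameSite=Lax", "Secure", "HttpOnly"):
        if attr.split("=", 1)[0].lower() not in present:
            parts.append(attr)
    return "; ".join(parts)

class SecurityHeadersMiddleware:
    """WSGI wrapper that fixes every response, whichever view produced it (F-24)."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def hardened_start(status, headers, exc_info=None):
            out, seen = [], set()
            for name, value in headers:
                lname = name.lower()
                if lname in STRIP_HEADERS:
                    continue
                if lname == "set-cookie":
                    value = harden_cookie(value)
                seen.add(lname)
                out.append((name, value))
            # Security headers are added only where the view did not set its own.
            out.extend((n, v) for n, v in SECURITY_HEADERS if n.lower() not in seen)
            return start_response(status, out, exc_info)
        return self.app(environ, hardened_start)

def demo_app(environ, start_response):
    # Constructed app reproducing the weak response the report describes (assumption).
    start_response("200 OK", [("Content-Type", "text/html"), ("Server", "Werkzeug/3.0"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"<h1>GoatHR</h1>"]

def response_headers(app, path="/") -> dict:
    """Invoke a WSGI app offline and return its response headers as a dict."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return dict(captured["headers"])
```

Strict-Transport-Security only takes effect once the site is served over HTTPS (finding F-1), so deploy that first.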