| Client | [Company Name] |
| Target | [app.example.com] |
| Engagement | REKON-2026-001 |
| Date | 2026-03-01 — 2026-03-15 |
| Tier | Professional |
| Version | v1.0 |
Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-03-15 | Rekon Security Team | Initial release |
| 0.9 | 2026-03-14 | Rekon Security Team | Draft — internal review |
Distribution
| Name | Role | Access |
|---|---|---|
| [CTO Name] | CTO | Full report |
| [CISO Name] | CISO | Full report |
| [Dev Lead Name] | Engineering Lead | Findings + remediation |
Confidentiality Notice
This document contains confidential information belonging to [Company Name]. The findings, data, and recommendations herein are intended solely for the authorized recipients listed above. Unauthorized reproduction, distribution, or disclosure of this report or its contents is strictly prohibited. This report must be stored with encryption at rest and transmitted only via secure channels.
Score Card
| Total findings | 24 |
| Critical | 2 |
| High | 5 |
| Medium | 9 |
| Low | 6 |
| Info | 2 |
Risk Assessment
The assessment of [app.example.com] revealed 2 critical and 5 high severity vulnerabilities that pose immediate risk to user accounts and financial data. The most severe finding (REKON-F001) allows complete account takeover via OTP brute force in approximately 3.2 hours due to absent rate limiting on the authentication endpoint.
A multi-step attack chain combining three individual findings enables extraction of payment card data (PAN + CVV) from the digital wallet, representing a direct financial and compliance risk (PCI DSS violation).
Recommendation
Implement server-side OTP rate limiting within 72 hours and disable Cognito self-registration immediately. Schedule a retest after remediation of all critical and high findings.
Scope
| Asset | Type | Approach |
|---|---|---|
| app.example.com | Web Application | Black-box |
| api.example.com | REST API | Gray-box (Swagger docs) |
| auth.example.com | Auth Service (Cognito) | Black-box |
| *.example.com/admin | Admin Panel | Authenticated |
Testing Window
| Start | 2026-03-01 09:00 UTC |
| End | 2026-03-12 18:00 UTC |
| Duration | 10 business days |
| Hours | ~80 person-hours |
Methodology
Testing followed the OWASP Web Security Testing Guide (WSTG v4.2) and the Penetration Testing Execution Standard (PTES). Each finding is mapped to a CWE identifier and an OWASP Top 10 2021 category and is scored with CVSS v3.1, with the full vector string given alongside the score. All evidence artifacts are SHA-256 hashed so their integrity can be verified against the evidence index.
Findings by Severity
| Severity | Count |
|---|---|
| Critical | 2 |
| High | 5 |
| Medium | 9 |
| Low | 6 |
| Info | 2 |
Findings by Category
| Category (OWASP) | Critical | High | Medium | Low | Info | Total |
|---|---|---|---|---|---|---|
| A07 — Identification & Auth Failures | 2 | 1 | 2 | 1 | — | 6 |
| A01 — Broken Access Control | — | 2 | 3 | 1 | — | 6 |
| A05 — Security Misconfiguration | — | 1 | 2 | 2 | — | 5 |
| A02 — Cryptographic Failures | — | 1 | 1 | 1 | — | 3 |
| A03 — Injection | — | — | 1 | 1 | — | 2 |
| A09 — Security Logging & Monitoring Failures | — | — | — | — | 2 | 2 |
| Total | 2 | 5 | 9 | 6 | 2 | 24 |
Zero Rate Limiting on OTP Validation — Account Takeover
| CVSS | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-307 — Improper Restriction of Excessive Authentication Attempts | |
| OWASP | A07:2021 — Identification and Authentication Failures | |
| Target | POST /api/auth/validate-otp | |
Description
The OTP validation endpoint accepts unlimited authentication attempts without server-side rate limiting, account lockout, or exponential backoff. Testing confirmed that 20 consecutive requests with incorrect OTP codes all returned HTTP 401 with consistent response times (31-56ms), with no indication of throttling or quota enforcement.
Evidence
Impact
Any user account can be compromised via OTP brute force. Exhausting the full 10^6 keyspace of a 6-digit code in ~3.2 hours requires a sustained rate of roughly 87 requests per second, which HTTP/2 multiplexing against the endpoint achieved without triggering any control. A successful guess grants full access to orders, shipping addresses, payment methods, and wallet balance. Estimated exposure: all active user accounts.
Remediation
IMMEDIATE: Server-side OTP attempt counter — max 5 per code lifetime
SHORT TERM: Account lockout after 10 failed attempts per hour with notification to the account holder; pair it with per-IP and per-device throttling so the lockout itself cannot be turned into a denial of service against legitimate users
LONG TERM: Migrate to TOTP (RFC 6238) or push-based MFA; note that a TOTP code is also six digits, so the attempt counter above remains necessary after migration
Cognito Self-Registration Enabled — Unauthorized API Access
| CVSS | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| CWE | CWE-287 — Improper Authentication | |
| OWASP | A07:2021 — Identification and Authentication Failures | |
| Target | AWS Cognito User Pool (us-east-1_XXXXXXX) | |
Description
The AWS Cognito User Pool has self-registration enabled, so the public SignUp API accepts new registrations. Because the app client ID the front-end uses is necessarily public, any unauthenticated caller can send a SignUp request directly to Cognito and bypass the application's intended registration flow. The newly created account receives valid JWT tokens that grant access to authenticated API endpoints.
Evidence
Impact
Attackers can create unlimited accounts with valid session tokens, gaining access to authenticated API endpoints. This serves as the entry point for the REKON-C001 attack chain that leads to wallet data exfiltration.
Remediation
IMMEDIATE: Disable self-registration by setting AdminCreateUserConfig.AllowAdminCreateUserOnly to true on the User Pool, after which the SignUp API rejects unauthenticated registrations
SHORT TERM: Implement pre-signup Lambda trigger for domain validation
postMessage Origin Bypass — Wallet Data Exfiltration
| CVSS | 8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| CWE | CWE-346 — Origin Validation Error | |
| OWASP | A01:2021 — Broken Access Control | |
| Target | app.example.com/wallet (postMessage handler) | |
Description
The wallet iframe communicates with the parent window via postMessage but does not validate event.origin on incoming messages, and replies with a wildcard targetOrigin. An attacker-controlled page can therefore embed the wallet iframe and, by sending crafted postMessage requests, receive sensitive payment data (PAN, CVV, expiry) back from it.
Evidence
Impact
In the REKON-C001 chain, F002 (Cognito self-registration) supplies the authenticated session this finding requires (PR:L), and together with F001 the attacker reaches other users' wallets and extracts payment card data. This is a direct PCI DSS compliance violation. The fact that CVV values are returned at all also indicates that sensitive authentication data is retained after authorization, which PCI DSS prohibits independently of this finding.
Remediation
IMMEDIATE: Validate event.origin against allowlist in postMessage handler
SHORT TERM: Replace postMessage with server-side token exchange for sensitive data
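The vulnerable handler described in F003 next to the hardened form from the remediation, as an added example that is not the application's code. Origins, message types and the card record are constructed; the handlers take a reply callback in place of `event.source.postMessage` so the logic can be exercised outside a browser, and the hardened version also stops handing PAN and CVV to the parent at all, which is the direction the short-term item points.

```javascript
// Added example (not the application's code): the wallet iframe's message
// handler in its vulnerable form and a hardened version. Origins, message
// types and the card record below are constructed for illustration.
const ALLOWED_PARENT_ORIGINS = new Set(['https://app.example.com']);

// Constructed sample: what the iframe holds after loading the user's wallet.
const walletCard = { pan: '4111111111111111', cvv: '123', expiry: '12/28' };

// Vulnerable (as described in F003): the handler trusts any sender and answers
// with targetOrigin '*', so whichever page embedded the iframe reads the card.
function vulnerableHandler(event, reply) {
  const msg = event.data;
  if (msg && msg.type === 'getCard') {
    reply(walletCard, '*');
    return true;
  }
  return false;
}

// Hardened: exact-match origin allowlist, reply pinned to the verified origin,
// and only the data the parent actually needs (no PAN, no CVV).
function hardenedHandler(event, reply) {
  if (typeof event.origin !== 'string' || !ALLOWED_PARENT_ORIGINS.has(event.origin)) {
    return false;   // ignore silently; never answer an unknown origin
  }
  const msg = event.data;
  if (!msg || msg.type !== 'getCardSummary') return false;
  reply({ last4: walletCard.pan.slice(-4), expiry: walletCard.expiry }, event.origin);
  return true;
}

// Browser wiring (assumed usage inside the iframe):
//   window.addEventListener('message', (e) =>
//     hardenedHandler(e, (data, target) => e.source.postMessage(data, target)));

// Drives a handler with a constructed message and records what it sent back.
function exercise(handler, origin, type) {
  const replies = [];
  const handled = handler(
    { origin, data: { type } },
    (data, targetOrigin) => replies.push({ data, targetOrigin }),
  );
  return { handled, replies };
}

module.exports = { vulnerableHandler, hardenedHandler, exercise, walletCard };
```

Two details matter in the hardened version. The origin check is an exact match on the full origin string, so `https://app.example.com.evil.example` or a lookalike scheme is not accepted the way a `startsWith` or `indexOf` check would accept it. And the reply's targetOrigin is the verified `event.origin`, not `*`, so even a future bug in the check cannot deliver data to a window whose origin differs from the one that was validated.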
| Priority | ID | Finding | Action | Effort |
|---|---|---|---|---|
| IMMEDIATE | F001 | OTP Rate Limiting | Server-side attempt counter — max 5/code | Hours |
| IMMEDIATE | F002 | Cognito Self-Registration | Set AdminCreateUserConfig.AllowAdminCreateUserOnly to true on the User Pool | Hours |
| SHORT TERM | F003 | postMessage Origin | Validate event.origin against allowlist | Days |
| SHORT TERM | F005 | CORS Wildcard | Restrict Access-Control-Allow-Origin | Days |
| MEDIUM TERM | F008 | Source Maps Exposed | Remove .map files from production CDN | Days |
| MEDIUM TERM | F012 | Session Fixation | Regenerate session ID after authentication | Weeks |
| LONG TERM | F015 | Missing CSP Headers | Implement Content-Security-Policy | Weeks |
| LONG TERM | F018 | WebAuthn Adoption | Implement passkeys for admin accounts | Months |
Priority Definitions
| Priority | Criteria | SLA |
|---|---|---|
| IMMEDIATE | Actively exploitable, critical business risk | 24–72 hours |
| SHORT TERM | High risk, requires architectural change | 1–2 weeks |
| MEDIUM TERM | Moderate risk, schedulable sprint work | 1–3 months |
| LONG TERM | Low risk, strategic security improvement | 3–6 months |
Attack Chain REKON-C001: Combined CVSS 9.8 · Chain of 3 findings (F001, F002, F003) · Full attack path verified
Chain Impact Assessment
This chain demonstrates how three individual vulnerabilities (two critical, one high) combine into a complete financial data exfiltration path. While each finding is independently exploitable, the chain amplifies the business impact from unauthorized access to a direct PCI DSS violation and potential regulatory fines. Remediating the entry point (F002) severs this particular chain; F001 remains independently exploitable for account takeover and must be fixed in the same window.
Security Controls
| Control | Status | Effectiveness | Notes |
|---|---|---|---|
| WAF (Cloudflare) | Present | High | Blocked common OWASP payloads |
| TLS Configuration | Present | High | TLS 1.3 enforced, HSTS enabled |
| Bot Protection | Present | Partial | Bypassed with custom User-Agent rotation |
| Input Validation | Present | Medium | Server-side validation on most endpoints |
| Rate Limiting | Missing | N/A | No rate limiting on auth endpoints |
| MFA Enforcement | Partial | Low | OTP-only, no backup method |
| CSP Headers | Missing | N/A | No Content-Security-Policy header |
| Security Logging | Partial | Low | Auth events logged, no alert pipeline |
Negative Tests (Passed)
| Test Vector | Result | Notes |
|---|---|---|
| SQL Injection (all input points) | Not vulnerable | Parameterized queries confirmed |
| HTTP Request Smuggling | Not vulnerable | Cloudflare proxy prevents |
| Web Cache Deception | Not vulnerable | Cache-Control headers correct |
| XXE Injection | Not vulnerable | JSON-only APIs, no XML parsing |
| SSRF (out-of-band) | Not vulnerable | URL parsing with allowlist |
| Prototype Pollution | Not vulnerable | Object.freeze on config objects |
All evidence artifacts are stored in the accompanying REKON-2026-001-EVIDENCE.zip archive. SHA-256 hashes ensure integrity verification.
| ID | Type | Finding | Description | Timestamp (UTC) | SHA-256 |
|---|---|---|---|---|---|
| E001 | HTTP | F001 | OTP brute force — 20 sequential requests | 2026-03-05 14:22 | a1b2c3d4e5f6... |
| E002 | HTTP | F001 | Timing analysis — consistent 31-56ms response | 2026-03-05 14:25 | b2c3d4e5f6a7... |
| E003 | HTTP | F002 | Cognito SignUp API — account creation | 2026-03-06 09:41 | c3d4e5f6a7b8... |
| E004 | HTTP | F002 | JWT token — authenticated API access | 2026-03-06 09:43 | d4e5f6a7b8c9... |
| E005 | Script | F003 | postMessage PoC — wallet exfiltration | 2026-03-07 16:12 | e5f6a7b8c9d0... |
| E006 | Screenshot | F003 | Console output — PAN/CVV data | 2026-03-07 16:14 | f6a7b8c9d0e1... |
| E007 | Video | C001 | Full attack chain PoC — 4m22s | 2026-03-08 11:30 | a7b8c9d0e1f2... |
| E008 | HTTP | F005 | CORS wildcard response headers | 2026-03-09 13:55 | b8c9d0e1f2a3... |
| E009 | Screenshot | F008 | Source map file listing on CDN | 2026-03-10 10:18 | c9d0e1f2a3b4... |
Point-in-Time Assessment
This report represents a point-in-time assessment conducted during the testing window specified in Section 2. The security posture of the application may change after the assessment due to code deployments, configuration changes, or newly disclosed vulnerabilities. Findings are valid as of the testing end date and should be reverified during the retest window.
Scope Limitations
Testing was limited to the assets and methodologies defined in the Rules of Engagement (ROE) signed prior to the engagement. This assessment does not guarantee the absence of all vulnerabilities. Areas outside the defined scope, including but not limited to third-party services, mobile applications, and physical security, were not evaluated.
Liability
Rekon performed this assessment with reasonable skill and care in accordance with industry standards (PTES, OWASP WSTG v4.2, NIST SP 800-115). Rekon's liability is limited to the terms specified in the Master Service Agreement (MSA) and Statement of Work (SOW). Rekon is not responsible for any damages resulting from the exploitation of vulnerabilities identified in this report.
Retest Policy
| Tier | Retests | Window |
|---|---|---|
| Starter | 1 | 30 days |
| Professional | 2 | 60 days |
| Enterprise | Unlimited | 90 days |
Confidentiality
This document is classified as CONFIDENTIAL. Distribution is restricted to the authorized recipients listed in the Document Control section. Any unauthorized reproduction, distribution, or use of this report is strictly prohibited and may result in legal action.