[Independent Assessment] 2026-04-01

Security Assessment: Cytonn Web API Pentest Report

Tags: API Security, Penetration Testing, Security Assessment, Web API, Vulnerability Analysis

Application Security Assessment Report

Target System: https://stage.sso.cytonn.com/
Scope: API Endpoints

1. SQL Injection (Authentication Bypass)

Description

I identified a SQL Injection vulnerability in the /api/test-login endpoint. The application directly uses user input in SQL queries without proper sanitization.

Steps to Reproduce

I intercepted the request and sent the following payload:

POST /api/test-login
Content-Type: application/json

Observed Result

I observed that the query was manipulated, and the application returned SQL errors, confirming that input is not properly handled. This can also allow authentication bypass.

Fix

I recommend using parameterized queries, so that user input is passed to the database as bound values rather than spliced into the SQL text:

// Bound parameters: the driver never interprets $email or $password as SQL.
DB::select('SELECT * FROM test_users WHERE email = ? AND password = ?', [$email, $password]);

Note that comparing the password column inside the query implies the password is stored in plaintext. The query should select the user by email only, and the submitted password should then be verified against a stored hash (for example with Laravel's Hash::check).

Business Impact

This vulnerability can allow unauthorized access to user accounts and potentially lead to full database compromise and data breaches.
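The following is an added illustration, not code or a payload from the assessment itself: it rebuilds the flaw described in finding 1 against an in-memory SQLite table and shows why the parameterized form closes it. The table name and columns follow the fix above; the sample users and the tautology payload are constructed for the demonstration, and the report's actual payload is not shown here. It also shows the error-based symptom the report mentions (a single quote producing a database error) in the vulnerable form but not the fixed one.

```python
import sqlite3

# Constructed sample data for this demonstration; not data from the assessed system.
USERS = [
    ("alice@example.com", "s3cret-alice"),
    ("bob@example.com", "s3cret-bob"),
]


def make_db():
    """Create an in-memory table shaped like the test_users table named in the fix."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE test_users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO test_users (email, password) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, email, password):
    """Mirrors finding 1: user input is concatenated straight into the SQL text."""
    sql = (
        "SELECT id, email FROM test_users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, email, password):
    """Parameterized form: values travel separately from the SQL, so quotes in
    the input are data, not syntax."""
    sql = "SELECT id, email FROM test_users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


def single_quote_triggers_error(conn):
    """Error-based probe: a lone quote breaks the concatenated query (the SQL
    error symptom described in the report) but is harmless in the fixed query."""
    try:
        login_vulnerable(conn, "'", "x")
        vulnerable_errors = False
    except sqlite3.Error:
        vulnerable_errors = True
    fixed_row = login_fixed(conn, "'", "x")  # no exception, simply no match
    return vulnerable_errors and fixed_row is None


def demo():
    """Run a classic tautology bypass (illustrative, not the assessment's payload)
    through both query forms and return what each one yields."""
    conn = make_db()
    payload_email = "anything' OR '1'='1"
    payload_password = "x' OR '1'='1"
    # Vulnerable: WHERE email='anything' OR '1'='1' AND password='x' OR '1'='1'
    # is true for every row, so the first user is returned without credentials.
    vulnerable_row = login_vulnerable(conn, payload_email, payload_password)
    # Fixed: the same strings are compared literally and match nothing.
    fixed_row = login_fixed(conn, payload_email, payload_password)
    return {"vulnerable_row": vulnerable_row, "fixed_row": fixed_row}


if __name__ == "__main__":
    print(demo())
    print("error probe distinguishes forms:", single_quote_triggers_error(make_db()))
```

The bypass works because SQL's AND binds tighter than OR, so the injected `OR '1'='1'` on either side makes the whole WHERE clause true for every row. The same strings passed as bound parameters are just two values that happen to contain quotes.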

2. IDOR -- User Data Exposure

Description

I discovered that the /api/list-user/ endpoint allows access to any user's data by simply changing the ID in the request.

Steps to Reproduce

I sent the following requests:

GET /api/list-user/2

Expected Result

Users should only access their own data, or endpoints should require authentication.

Actual Result

Any user's data can be accessed without restriction.

No authentication is required.

I was able to retrieve different users' data, including email and password hashes, without authentication.

Fix

I recommend enforcing authentication and restricting access to the record owner:

// Route must sit behind the auth middleware; then allow only the record's owner.
if (auth()->id() !== (int) $id) {
    abort(403, 'Forbidden');
}

Additionally, sensitive data like passwords should not be exposed even when hashed.

Business Impact

This exposes all user accounts, increasing the risk of account takeover and data breaches.

3. IDOR -- Financial Data Exposure

Description

I found that the /api/transactions?user_id= endpoint exposes transaction data for any user, and in practice for all users.

Steps to Reproduce

I tested the following:

GET /api/transactions?user_id=2

Observed Result

I was able to view financial transactions belonging to different users. I also noticed abnormal values such as negative transaction amounts.

Fix

I recommend removing user-controlled IDs and scoping the query to the authenticated user:

// Ignore any user_id supplied in the query string; the caller's identity comes from the session.
$user_id = auth()->id();

Business Impact

This can lead to exposure of sensitive financial data and potential financial fraud.

4. Business Logic Flaw -- Invalid Transactions

Description

I observed that the system allows invalid transaction values such as negative amounts.

Evidence

Fix

I recommend validating inputs before they are persisted:

$request->validate([
    // numeric rejects non-numbers; min:0 rejects negatives (zero is still admitted).
    'amount' => 'required|numeric|min:0'
]);

Business Impact

This can allow manipulation of financial records and lead to financial loss.

5. Broken Access Control -- Admin Endpoint

Description

I discovered that the /api/admin/stats endpoint is accessible without authentication.

Steps to Reproduce

GET /api/admin/stats

Observed Result

I was able to access sensitive system data, including total users and transaction values.

Expected Result

Only authenticated admin users should access this endpoint.

Fix

I recommend enforcing authentication and role-based access control:

// Unauthenticated callers and non-admin users are both rejected.
if (!auth()->check() || !auth()->user()->is_admin) {
    abort(403, 'Unauthorized');
}

Business Impact

Exposure of business-sensitive metrics

Reconnaissance for attackers

Can aid in targeted attacks
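Findings 2 to 5 share one root cause: the handlers trust identifiers and values supplied by the caller instead of deriving them from the authenticated session and validating them. The block below is an added example, not code from the assessed application or its Laravel codebase: it models the four endpoints as plain Python functions with the checks the fixes above call for, so the expected status codes (401, 403, 422) can be asserted offline. The user and transaction fixtures are constructed; the Request shape and HttpError class are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed fixtures for the example; not data from the assessed system.
USERS = {
    1: {"email": "alice@example.com", "is_admin": False},
    2: {"email": "bob@example.com", "is_admin": False},
    3: {"email": "ops@example.com", "is_admin": True},
}
TRANSACTIONS = [
    {"id": 10, "user_id": 1, "amount": 250.0},
    {"id": 11, "user_id": 2, "amount": 75.0},
]


class HttpError(Exception):
    """Carries the HTTP status a handler would return (assumed helper)."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


@dataclass
class Request:
    user_id: Optional[int]                      # None models an unauthenticated call
    params: dict = field(default_factory=dict)  # query string
    body: dict = field(default_factory=dict)    # JSON body


def require_auth(req):
    """Every handler below starts here: no session, no data (finding 2 and 5)."""
    if req.user_id is None or req.user_id not in USERS:
        raise HttpError(401, "authentication required")
    return req.user_id


def list_user(req, path_id):
    """Finding 2: /api/list-user/{id}. Only the owner may read the record, and
    credential material (the password hash) is never part of the response."""
    uid = require_auth(req)
    if uid != path_id:
        raise HttpError(403, "forbidden")
    return {"id": path_id, "email": USERS[path_id]["email"]}


def transactions(req):
    """Finding 3: any user_id in the query string is ignored; the result is
    scoped to the caller's own id."""
    uid = require_auth(req)
    return [t for t in TRANSACTIONS if t["user_id"] == uid]


def create_transaction(req):
    """Finding 4: reject non-numeric, boolean, negative and zero amounts before
    anything is written. Returns the record that would be persisted."""
    uid = require_auth(req)
    amount = req.body.get("amount")
    # bool is a subclass of int in Python, so True would otherwise pass as 1.
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        raise HttpError(422, "amount must be a positive number")
    return {"id": max(t["id"] for t in TRANSACTIONS) + 1, "user_id": uid,
            "amount": float(amount)}


def admin_stats(req):
    """Finding 5: authenticated AND holding the admin role."""
    uid = require_auth(req)
    if not USERS[uid]["is_admin"]:
        raise HttpError(403, "admin only")
    return {"total_users": len(USERS),
            "total_volume": sum(t["amount"] for t in TRANSACTIONS)}


def status_of(handler, *args):
    """Regression helper: the HTTP status a handler produces for a request."""
    try:
        handler(*args)
        return 200
    except HttpError as e:
        return e.status


if __name__ == "__main__":
    print("anon list-user/2   ->", status_of(list_user, Request(user_id=None), 2))
    print("user1 list-user/2  ->", status_of(list_user, Request(user_id=1), 2))
    print("user1 ?user_id=2   ->", transactions(Request(user_id=1, params={"user_id": "2"})))
    print("negative amount    ->", status_of(create_transaction, Request(user_id=1, body={"amount": -50})))
    print("user1 admin/stats  ->", status_of(admin_stats, Request(user_id=1)))
```

The same calls, pointed at the real endpoints with two low-privilege test accounts and one admin account, make a retest checklist for the five findings: each cross-account request should now answer 401 or 403 rather than 200, and the transactions response for user 1 should never contain a record whose user_id differs from the session's.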

Conclusion

During this assessment, I identified multiple critical vulnerabilities mainly related to improper input handling and lack of access control. These issues can lead to unauthorized access, data exposure, and financial risks.

I recommend implementing proper validation, authentication, and authorization mechanisms to secure the application.

Critical Findings Summary

| # | Vulnerability | Severity | Affected Endpoint | Business Impact | Status |
|---|---|---|---|---|---|
| 1 | SQL Injection | 🔴 Critical | /api/test-login | Account takeover, DB compromise | ❌ Open |
| 2 | IDOR - User Data Exposure | 🔴 Critical | /api/list-user/ | Exposure of all user emails & hashes | ❌ Open |
| 3 | IDOR - Financial Data Exposure | 🔴 Critical | /api/transactions?user_id= | Exposure of transaction records, fraud risk | ❌ Open |
| 4 | Business Logic Flaw | 🟡 High | /api/transactions | Financial manipulation | ❌ Open |
| 5 | Broken Access Control | 🔴 Critical | /api/admin/stats | Exposure of sensitive business data | ❌ Open |