Sample Security Assessment Report
Client: Demo Client Ltd.
Target: https://demo-client.example
Assessment Type: Web Application and API Security Assessment
Report Classification: Confidential / Redacted Sample
Prepared by: NYOXA LABS
Date: 2026-05-29
This is a fictional sample report created for demonstration purposes. It does not represent a real client, real system, or real vulnerability.
Executive Summary
NYOXA LABS performed a scoped security assessment of the Demo Client web application and selected API endpoints. The assessment focused on authentication, authorization, session handling, sensitive data exposure, API behavior, and common web security controls.
The assessment identified one High severity issue, two Medium severity issues, two Low severity issues, and several positive security observations. The most important risk was an authorization gap that allowed a standard test user to access metadata belonging to another test account under specific conditions.
No destructive testing was performed. Testing was limited to the approved fictional demo scope.
Scope
| Item | Details |
|---|---|
| Primary web app | https://demo-client.example |
| API base URL | https://api.demo-client.example/v1 |
| User roles tested | Standard User, Manager User |
| Testing type | Authenticated and unauthenticated review |
| Exclusions | Payment processor, third-party analytics, production email delivery |
Severity Summary
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 2 |
| Low | 2 |
| Informational | 3 |
| Secure / Passed | 5 |
Findings Summary
| ID | Severity | Finding | Status |
|---|---|---|---|
| NYX-WEB-001 | High | Insecure Object-Level Authorization on Report Metadata | Open |
| NYX-WEB-002 | Medium | Missing Rate Limit on Password Reset Request | Open |
| NYX-WEB-003 | Medium | Sensitive Internal Error Message Disclosure | Open |
| NYX-WEB-004 | Low | Missing Content Security Policy Header | Open |
| NYX-WEB-005 | Low | Session Cookie Missing SameSite Attribute | Open |
Detailed Finding: NYX-WEB-001
Insecure Object-Level Authorization on Report Metadata
Severity: High
Affected asset: https://api.demo-client.example/v1/reports/{report_id}
Status: Open
Summary
A standard authenticated test user could access limited report metadata associated with another test user by changing a report identifier in an authorized API request.
Business Impact
If present in a real application, this type of issue could expose sensitive customer records, internal workflow data, or business information across accounts. In multi-user or multi-tenant systems, authorization boundaries are critical to customer trust.
Evidence
- Test User A could view their own report metadata as expected.
- Changing the report identifier to a record associated with Test User B returned metadata that should not be visible to Test User A.
- Sensitive values are redacted in this sample.
Recommended Fix
Ensure the backend verifies that the authenticated user has permission to access the requested report object before returning any data. Authorization checks should be enforced server-side for every object-level request and should not rely only on hidden UI controls.
Retest Guidance
Retesting should confirm that Test User A can access only their own report objects and receives an appropriate unauthorized or not-found response when attempting to access another user’s objects.
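As an added example (not code from Demo Client or NYOXA LABS), the server-side check described above for GET /v1/reports/{report_id}, written in Python; the sample users and reports, the tenant field and the owner/manager rule are assumptions made for illustration.

```python
# Added example (not the assessed application's code): a server-side
# object-level authorization check for GET /v1/reports/{report_id}.
# Users, reports, the tenant field and the owner/manager rule are
# constructed assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str  # "standard" or "manager"

@dataclass(frozen=True)
class Report:
    report_id: str
    owner_id: str
    tenant_id: str
    title: str

# Constructed sample records; identifiers are placeholders.
REPORTS: Dict[str, Report] = {
    "rpt-1001": Report("rpt-1001", "user-a", "tenant-1", "Q1 summary"),
    "rpt-1002": Report("rpt-1002", "user-b", "tenant-1", "Q1 detail"),
    "rpt-2001": Report("rpt-2001", "user-c", "tenant-2", "Other tenant"),
}

def can_read_report(user: User, report: Report) -> bool:
    """The owner may read; a manager may read any report in their own tenant."""
    if report.owner_id == user.user_id:
        return True
    return user.role == "manager" and report.tenant_id == user.tenant_id

def get_report_metadata(user: User, report_id: str) -> Tuple[int, dict]:
    """Handler for GET /v1/reports/{report_id}; returns (status, body).

    The permission check runs before any field is serialized, and a
    report the caller may not read gets the same 404 as a report that
    does not exist, so the response does not confirm which identifiers
    are valid.
    """
    report = REPORTS.get(report_id)
    if report is None or not can_read_report(user, report):
        return 404, {"error": "report not found"}
    return 200, {"report_id": report.report_id, "title": report.title,
                 "owner_id": report.owner_id}
```

The retest condition above maps directly onto this handler: the owner's own report returns 200, another user's report and a non-existent identifier both return 404.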
Detailed Finding: NYX-WEB-002
Missing Rate Limit on Password Reset Request
Severity: Medium
Affected asset: Password reset flow
Status: Open
Summary
The password reset request endpoint showed no observable rate limiting during the assessment window.
Business Impact
Without rate limiting, an attacker may flood users with password reset emails, causing frustration, or, depending on the endpoint's response behavior, use it for account enumeration.
Recommended Fix
Apply rate limiting by IP address, account identifier, and time window. Use generic responses that do not reveal whether an account exists.
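As an added example (not code from Demo Client or NYOXA LABS), a sliding-window limiter applied to the password reset request per client IP and per account identifier, with a response that is identical whether or not the account exists; the limits, windows, sample account and stand-in mail function are assumptions.

```python
# Added example (not the assessed application's code): a sliding-window
# rate limiter for the password reset request, keyed by client IP and by
# the submitted account identifier, with a response body that is the same
# whether or not the account exists. Limits and windows are assumptions.
from collections import deque
from typing import Deque, Dict, Tuple

class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        """Record an attempt for key at time now; False once the limit is hit."""
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Per-IP and per-account limits (assumed values for illustration).
IP_LIMITER = SlidingWindowLimiter(limit=5, window_seconds=900)
ACCOUNT_LIMITER = SlidingWindowLimiter(limit=3, window_seconds=3600)

KNOWN_ACCOUNTS = {"alice@example.com"}  # constructed sample directory
SENT = []  # records emails "sent" by the stand-in below
GENERIC_BODY = {"message": "If an account exists for that address, "
                           "a reset link has been sent."}

def send_reset_email(email: str) -> None:
    SENT.append(email)  # stand-in for the real mail-sending step

def request_password_reset(ip: str, email: str, now: float) -> Tuple[int, dict]:
    """Returns (status, body); neither reveals whether the account exists."""
    account_key = email.strip().lower()
    # Evaluate both limiters so a blocked attempt still counts against both keys.
    ip_ok = IP_LIMITER.allow(ip, now)
    account_ok = ACCOUNT_LIMITER.allow(account_key, now)
    if not (ip_ok and account_ok):
        return 429, {"message": "Too many requests. Try again later."}
    if account_key in KNOWN_ACCOUNTS:
        send_reset_email(account_key)  # side effect only for real accounts
    return 202, GENERIC_BODY
```

In a real deployment the mail step should run asynchronously so that response timing does not differ between existing and non-existing accounts.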
Detailed Finding: NYX-WEB-003
Sensitive Internal Error Message Disclosure
Severity: Medium
Affected asset: Web application error handling
Status: Open
Summary
The application returned internal error details during malformed input testing.
Business Impact
Verbose errors can reveal framework details, internal paths, or debugging information that helps attackers understand the application.
Recommended Fix
Return generic error messages to users and log detailed errors server-side for developers.
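As an added example (not code from Demo Client or NYOXA LABS), a request handler in Python that keeps exception details in the server log under a reference id and returns only a fixed message and that id to the client; the parser and the simulated backend fault are constructed for illustration.

```python
# Added example (not the assessed application's code): an error handler
# that returns a fixed message to the client and keeps exception details
# in the server log, linked by a reference id. The parser and the
# simulated backend fault are constructed for illustration.
import logging
import traceback
import uuid
from typing import Any, Dict, Tuple

logger = logging.getLogger("demo_client.errors")

def load_page(raw_page: str) -> Dict[str, Any]:
    """Stand-in request logic: parse a page number and fetch that page."""
    page = int(raw_page)  # malformed input raises ValueError
    if page == 7:  # constructed fault standing in for an internal failure
        raise RuntimeError("connection refused while opening /srv/app/db.py")
    return {"page": page}

def handle_request(raw_page: str) -> Tuple[int, Dict[str, Any]]:
    """Returns (status, body); the body never carries internal details."""
    try:
        return 200, load_page(raw_page)
    except ValueError:
        # Expected validation failure: a safe, specific message is fine.
        return 400, {"error": "invalid value for parameter 'page'"}
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]  # correlation id shared with the user
        # Type, message and stack trace go to the server log only.
        logger.error("ref=%s %s: %s\n%s", ref, type(exc).__name__, exc,
                     traceback.format_exc())
        return 500, {"error": "An internal error occurred.", "reference": ref}
```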
Positive Security Observations
- Authentication was required for protected dashboard routes.
- Test user sessions expired after logout.
- HTTPS was enforced on the primary application.
- Administrative functions were not publicly linked.
- No public directory listing was observed during the assessment.
Retesting Status
Retesting was not performed in this sample report. A real retest would verify each reported issue after remediation and update status to Fixed, Partially Fixed, Not Fixed, Risk Accepted, or Not Retested.
