Case Studies — Real-World Security Outcomes | Farchase
CASE STUDIES

Real-World Security Outcomes

Real vulnerabilities we found, the business impact they carried, and how they were fixed. All engagements anonymized — client names withheld to protect confidentiality.

100+ engagements
20,000+ vulnerabilities found
100% of fixes validated by retest
★ START HERE

Why Security Teams Choose Farchase

Manual, exploit-driven testing that finds the bugs your last pentest missed — delivered fast, and priced so you can do it often. See the depth, the proof, and the client attestation.

Read why teams switch →
30+ penetration tests delivered
Depth · Speed · Price: the trade-off Farchase collapses
Attested by HackerRank
FEATURED SaaS Platform · Web App Pentest

Cross-account IDOR: one customer could edit another's data

During manual testing of object references, our researchers found that swapping a resource ID in an API request allowed authenticated users to read and modify resources belonging to other customer accounts — invisible to automated scanners because every response returned 200 OK.

Broken access control · IDOR · Manual-first
Read a full case study →
Impact
Cross-account data tampering across the entire customer base
Fix
Object-level authorization checks enforced on every resource access
Result
Fix verified through retest · reported live via the pentest portal

All Findings

Selected vulnerabilities across web, API, cloud & mobile engagements
CRITICAL SSRF · PDF Export CWE-918
SuperCMMS

HTML injection → SSRF via PDF export

Finding

An unsanitized Work Order title, rendered by a server-side PDF engine, forced the backend to make attacker-controlled outbound requests.

Impact

Internal service access, cloud metadata reach, and export DoS for all users.

Result

Output encoding + disabled remote fetches + egress allow-listing. Rated Critical (CVSS ~9.0).

CRITICAL Privilege Escalation CWE-285
B2B SaaS · GraphQL

Admin able to delete the Super Admin account

Finding

A missing server-side authorization check on the removeUser mutation let an Admin delete the highest-privileged Owner account.

Impact

Organization takeover and lock-out of legitimate administrators.

Result

Role-hierarchy authorization enforced server-side; deny by default. Rated Critical (CVSS up to 9.6).

Read the full technical write-up
HIGH IDOR / BOLA CWE-639
AI Chat · GraphQL

Injecting messages into a victim’s chat

Finding

Swapping two user-controlled IDs let any authenticated user write into — and read back — another user’s AI assistant conversation.

Impact

Cross-user message injection plus disclosure of the victim’s existing messages.

Result

Object-level ownership checks enforced across the reference chain. Rated High (CVSS ~7.6).

Read the full technical write-up
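The featured cross-account IDOR and the AI-chat BOLA above share one root cause: the API authenticates the caller but never ties the requested object (or its parent in the reference chain) to that caller. The following is an added illustration, not Farchase's or any client's code, using constructed in-memory data with hypothetical names (`CONVERSATIONS`, `read_message`, `append_message`). It shows the vulnerable pattern beside the hardened one, where a single ownership choke point resolves the parent conversation before any message is read or written, and where a missing object and a foreign object are rejected identically so the API does not leak which IDs exist.

```python
"""Object-level authorization (IDOR/BOLA) check, added example.

Constructed in-memory data; hypothetical function names. Models the
reference chain conversation -> message so that swapping EITHER
identifier is rejected the same way.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours': same status, same body."""


@dataclass
class Conversation:
    id: str
    owner_id: str
    messages: dict = field(default_factory=dict)  # message_id -> text


# Constructed sample data: two tenants, each owning one conversation.
CONVERSATIONS = {
    "conv-1": Conversation("conv-1", owner_id="alice", messages={"m1": "hello"}),
    "conv-2": Conversation("conv-2", owner_id="bob", messages={"m2": "secret"}),
}


def read_message_insecure(user_id, conversation_id, message_id):
    """Vulnerable pattern: the caller is authenticated (user_id is trusted)
    but never compared against the object's owner. Any valid IDs return 200."""
    return CONVERSATIONS[conversation_id].messages[message_id]


def _owned_conversation(user_id, conversation_id):
    """Single choke point: resolve the parent object AND verify ownership.
    Absent and foreign conversations are indistinguishable to the caller."""
    conv = CONVERSATIONS.get(conversation_id)
    if conv is None or conv.owner_id != user_id:
        raise NotFound(conversation_id)
    return conv


def read_message(user_id, conversation_id, message_id):
    """Hardened read: ownership of the parent is checked before the child is touched."""
    conv = _owned_conversation(user_id, conversation_id)
    if message_id not in conv.messages:
        raise NotFound(message_id)
    return conv.messages[message_id]


def append_message(user_id, conversation_id, message_id, text):
    """Hardened write: same choke point, so no cross-user injection is possible."""
    conv = _owned_conversation(user_id, conversation_id)
    conv.messages[message_id] = text
    return message_id


def is_rejected(fn, *args):
    """True if the call fails closed with NotFound, False if it succeeds.
    Useful in a retest script: every cross-tenant call must come back True."""
    try:
        fn(*args)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    print("insecure cross-tenant read:", read_message_insecure("alice", "conv-2", "m2"))
    print("hardened cross-tenant read rejected:", is_rejected(read_message, "alice", "conv-2", "m2"))
    print("hardened cross-tenant write rejected:", is_rejected(append_message, "alice", "conv-2", "m3", "x"))
```

Returning the same not-found response for "not yours" and "does not exist" is deliberate: a distinct 403 would confirm that the guessed identifier is real, which is exactly the signal a scanner cannot get when every response is 200 but a tester can get when responses differ.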
HIGH Web App Pentest CWE-89 · CWE-79
E-commerce

Critical SQL injection & stored XSS in customer flows

Finding

SQL injection and stored XSS in customer-facing flows, reachable pre-authentication.

Impact

Potential customer data leakage and session hijacking.

Result

Parameterized queries and output encoding applied; posture measurably improved.

HIGH Privilege Escalation CWE-269
B2B Application

Standard users performing admin-level actions

Finding

Lower-privileged users could perform admin actions via direct API calls.

Impact

Complete role-hierarchy bypass.

Result

Server-side RBAC validation added; confirmed fixed on retest.
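Both the `removeUser` mutation case (an Admin deleting the Owner) and the direct-API privilege escalation above come down to the same missing server-side rule: the resolver checks whether the caller is privileged, never how the caller ranks against the target. The block below is an added example, not the product's schema or Farchase's code; role names, the `USERS` directory and the function names are constructed. It compares a vulnerable resolver that only asks "is the caller an admin?" with a deny-by-default hierarchy check that must be strictly satisfied before the mutation runs.

```python
"""Server-side role-hierarchy check for a privileged mutation, added example.

Constructed roles, users and function names. The rule is evaluated on the
server from the caller's authenticated identity, never from client input.
"""
from enum import IntEnum


class Role(IntEnum):
    MEMBER = 1
    ADMIN = 2
    OWNER = 3  # highest rank; removable by no lower role


class Forbidden(Exception):
    pass


# Constructed sample directory: user_id -> (org_id, role)
USERS = {
    "owner-1": ("org-A", Role.OWNER),
    "admin-1": ("org-A", Role.ADMIN),
    "admin-2": ("org-A", Role.ADMIN),
    "member-1": ("org-A", Role.MEMBER),
    "owner-B": ("org-B", Role.OWNER),
}


def remove_user_insecure(directory, actor_id, target_id):
    """Vulnerable resolver: verifies the caller is at least Admin and nothing
    else, so an Admin can delete the Owner (or a peer) of the organization."""
    if directory[actor_id][1] < Role.ADMIN:
        raise Forbidden(actor_id)
    directory.pop(target_id)
    return True


def can_remove(directory, actor_id, target_id):
    """Deny by default: every path not explicitly allowed returns False."""
    actor = directory.get(actor_id)
    target = directory.get(target_id)
    if actor is None or target is None:
        return False
    actor_org, actor_role = actor
    target_org, target_role = target
    if actor_org != target_org:      # cross-tenant: never
        return False
    if actor_id == target_id:        # self-removal is a separate, audited flow
        return False
    if actor_role < Role.ADMIN:      # Members cannot remove anyone
        return False
    # Strict comparison: an Admin may remove Members, not peers or the Owner.
    return actor_role > target_role


def remove_user(directory, actor_id, target_id):
    """Hardened resolver: authorize with the hierarchy rule, then mutate."""
    if not can_remove(directory, actor_id, target_id):
        raise Forbidden(f"{actor_id} -> {target_id}")
    del directory[target_id]
    return True


def is_forbidden(directory, actor_id, target_id):
    """True if the hardened resolver refuses the call (and leaves data untouched)."""
    before = dict(directory)
    try:
        remove_user(directory, actor_id, target_id)
    except Forbidden:
        return directory == before
    return False


if __name__ == "__main__":
    d = dict(USERS)
    print("insecure: admin removed owner ->", remove_user_insecure(d, "admin-1", "owner-1"))
    d = dict(USERS)
    print("hardened: admin removing owner refused ->", is_forbidden(d, "admin-1", "owner-1"))
    print("hardened: admin removing member allowed ->", can_remove(d, "admin-1", "member-1"))
```

The retest for this class of bug is a matrix, not a single request: every (actor role, target role) pair in the same organization plus a cross-organization pair, with the expectation that only strictly higher-ranked actors succeed. Encoding the rule in one function such as `can_remove` makes that matrix cheap to run on every deploy.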

HIGH Cloud Review CWE-732
B2B SaaS Provider

Public bucket + IAM chain to admin access

Finding

A public storage bucket and over-permissive IAM role chained into admin-level account access.

Impact

Full cloud-account compromise path.

Result

Bucket policies locked down and IAM roles right-sized; escalation path eliminated.

HIGH Mobile Pentest CWE-312
Consumer FinTech

Session tokens recoverable from lost devices

Finding

Session tokens and PII stored unencrypted on-device, recoverable from a lost or rooted phone.

Impact

Account takeover from physical device access.

Result

Keychain/Keystore storage + certificate pinning adopted; validated on retest.

MEDIUM Business Logic CWE-840
Developer Platform

Restricted actions possible before publication

Finding

A business-logic flaw allowed restricted actions on workflows before they were published.

Impact

Unauthorized access to unpublished workflows and pre-release functionality.

Result

Access control enforced at the API level; validated on retest.

PROGRAM Bug Bounty Management Managed program
SaaS Provider

Bug bounty program from zero to 100+ valid reports

What we did

Launched a bug bounty program from scratch — scoping, researcher onboarding, and full triage.

Challenge

No internal capacity to handle researcher reports and duplicates.

Result

100+ valid vulnerabilities reported within the first 3 months.

All engagement details anonymized to protect client confidentiality. References available on request under NDA.

Your Application Has Bugs Like These

Find them before attackers do — expert pentesting, Chazer AI, and live portal reporting.