What a SecPortal report looks like
This is a sample penetration testing report generated from SecPortal. Every report includes an executive summary, CVSS-scored findings, remediation guidance, and is fully customisable with your branding.
External Penetration Test
Penetration Test Report
SecPortal.io
14 Mar 2026 — 21 Mar 2026
Scope: app.secportal.io, api.secportal.io, *.secportal.io
Prepared by SecPortal
Generated on 22 Mar 2026
Section 1
Executive Summary
A penetration test was conducted against the SecPortal.io web application and API between 14 and 21 March 2026. The assessment identified 7 findings across the external attack surface, including 1 critical and 2 high severity issues requiring immediate remediation. The most significant finding is an unauthenticated SQL injection on the login endpoint that could allow complete database compromise.
Section 2
Findings Summary
| # | Finding | Severity | CVSS | Status |
|---|---|---|---|---|
| 1 | SQL Injection on Login Endpoint | critical | 9.8 | Open |
| 2 | Stored Cross-Site Scripting in User Profile | high | 8.1 | Open |
| 3 | Insecure Direct Object Reference on Invoice API | high | 7.5 | In Progress |
| 4 | Missing Rate Limiting on Authentication Endpoint | medium | 5.3 | Open |
| 5 | TLS 1.0 and 1.1 Supported | medium | 4.3 | Resolved |
| 6 | Verbose Error Messages Exposing Stack Traces | low | 3.1 | Open |
| 7 | Missing Security Headers | info | | Open |
Section 3
Detailed Findings
Finding 1: SQL Injection on Login Endpoint (Critical, CVSS 9.8)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Asset
POST /api/auth/login
Description
The login endpoint is vulnerable to SQL injection via the username parameter. An unauthenticated attacker can extract the full database contents, bypass authentication, and in some configurations execute operating system commands. The parameter is concatenated directly into a SQL query without parameterisation or input validation.
Remediation
Use parameterised queries or a prepared statement API for all database interactions. Apply an allow-list input validation on the username field. Deploy a web application firewall rule to block common SQL injection patterns as an interim measure.
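The two remediation points that matter most here are parameterisation and allow-list validation. The following Python block is an added illustration, not SecPortal's code or the assessed application's code: it places the concatenation pattern the finding describes next to a parameterised query against a constructed in-memory SQLite table, plus an assumed allow-list policy for usernames. Table layout, the `argon2-...` placeholder hash and the username character set are all assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'argon2-hash-of-alice-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """The pattern the finding describes: input spliced into the SQL text.
    A single quote inside `username` closes the string literal, and whatever
    follows is parsed by the database as SQL rather than as data."""
    query = (
        "SELECT id FROM users WHERE username = '" + username + "'"
        " AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterised(conn: sqlite3.Connection, username: str, password_hash: str):
    """Remediated version: the statement text is fixed at development time and the
    values travel as bound parameters, so the database never parses them as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()


# Assumed allow-list policy: letters, digits, '.', '_' and '-', 1 to 64 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(username: str) -> bool:
    """Reject anything outside the allow-list before it reaches the database layer."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed username containing a quote: it is interpreted as SQL by the first
    # function and as an ordinary, non-matching string by the second.
    probe = "' OR '1'='1' --"
    print("concatenated :", login_vulnerable(db, probe, "wrong"))
    print("parameterised:", login_parameterised(db, probe, "wrong"))
    print("allow-list   :", is_valid_username(probe))
```

Validation is a second layer, not a substitute: the parameterised query is what removes the injection, and the allow-list simply shrinks the input space the rest of the stack has to reason about.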
Finding 2: Stored Cross-Site Scripting in User Profile (High, CVSS 8.1)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Affected Asset
PUT /api/users/profile
Description
The display name field in the user profile accepts arbitrary HTML and JavaScript. When an administrator views the user list, the injected script executes in the admin session context, enabling session hijacking or privilege escalation. The field is rendered without output encoding in the admin panel.
Remediation
Encode all user-supplied output using context-appropriate encoding (HTML entity encoding for HTML contexts, JavaScript encoding for script contexts). Implement a Content Security Policy (CSP) that disallows inline scripts. Validate and sanitise input on the server side before storage.
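"Context-appropriate encoding" is the part of this remediation that is most often done half-way. The block below is an added example in Python (not SecPortal's code or the assessed admin panel's templating): it encodes the same display name once for an HTML text context and once for a JavaScript string context, using only the standard library. The two render functions and their markup are assumptions about how the admin panel might embed the value.

```python
import html
import json


def encode_for_html(value: str) -> str:
    """HTML entity encoding for text placed between tags or inside a quoted attribute.
    quote=True also encodes ' and ", which matters for attribute contexts."""
    return html.escape(value, quote=True)


def encode_for_js(value: str) -> str:
    """JavaScript string-literal encoding for a value embedded inside a <script> block.
    json.dumps escapes quotes, backslashes, control characters and (with the default
    ensure_ascii=True) U+2028/U+2029; '<' and '>' are additionally escaped so the
    sequence '</script>' inside the data can never close the surrounding element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_admin_user_row(display_name: str) -> str:
    """Assumed admin-panel row: the display name lands in an HTML text context."""
    return f"<tr><td>{encode_for_html(display_name)}</td></tr>"


def render_profile_script(display_name: str) -> str:
    """Assumed inline script: the display name lands in a JavaScript string context."""
    return f"<script>const displayName = {encode_for_js(display_name)};</script>"


if __name__ == "__main__":
    # Constructed display name of the kind the finding describes.
    name = "</script><script>alert(1)</script>"
    print(render_admin_user_row(name))
    print(render_profile_script(name))
```

Applying `encode_for_html` inside a script block, or `encode_for_js` inside HTML, would leave a gap in each direction; the encoder has to match the context the value is written into. A CSP that disallows inline scripts is the backstop for the case where one of these calls is missed.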
Finding 3: Insecure Direct Object Reference on Invoice API (High, CVSS 7.5)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Asset
GET /api/invoices/{id}
Description
An authenticated user can access any invoice by enumerating the sequential invoice ID in the URL path. The API does not verify that the requesting user has authorisation to view the requested resource, allowing lateral access to other workspaces' billing data including names, addresses, and payment amounts.
Remediation
Implement server-side authorisation checks that verify the requesting user's ownership or role-based access before returning any resource. Replace sequential IDs with UUIDs to reduce enumerability. Add rate limiting on the endpoint to slow down automated enumeration attempts.
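The following Python block is an added illustration, not SecPortal's code or the assessed API's code, of the first two remediation points: a handler for the invoice lookup that decides access from the authenticated user's workspace and role on every request, with UUID identifiers in place of sequential integers. The role names, the data model and the sample workspaces are constructed for the example.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    workspace_id: str
    role: str            # assumed role names: "owner", "billing" or "member"


@dataclass(frozen=True)
class Invoice:
    id: str              # UUID rather than a sequential integer, so ids cannot be walked
    workspace_id: str
    amount_cents: int


class NotFound(Exception):
    """Raised for both 'no such invoice' and 'not your invoice': the client sees the
    same 404 either way, so a response cannot confirm that another id exists."""


# Constructed sample data: two workspaces with one invoice each.
WS_A, WS_B = str(uuid.uuid4()), str(uuid.uuid4())
INVOICE_A_ID, INVOICE_B_ID = str(uuid.uuid4()), str(uuid.uuid4())
INVOICES = {
    INVOICE_A_ID: Invoice(INVOICE_A_ID, WS_A, 120_00),
    INVOICE_B_ID: Invoice(INVOICE_B_ID, WS_B, 450_00),
}
BILLING_ROLES = {"owner", "billing"}


def can_view_invoice(user: User, invoice: Invoice) -> bool:
    """Ownership check (same workspace) combined with role-based access."""
    return invoice.workspace_id == user.workspace_id and user.role in BILLING_ROLES


def get_invoice(user: User, invoice_id: str) -> Invoice:
    """Handler logic for GET /api/invoices/{id}. The decision uses only the server-side
    identity of the caller; nothing the client supplies in the URL is trusted."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_view_invoice(user, invoice):
        raise NotFound(invoice_id)
    return invoice
```

The UUID change on its own would not have closed the finding: a leaked or guessed id still has to fail the `can_view_invoice` check, which is why the authorisation test runs before any field of the resource is returned.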
Finding 4: Missing Rate Limiting on Authentication Endpoint (Medium, CVSS 5.3)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Asset
POST /api/auth/login
Description
The login endpoint does not enforce rate limiting or account lockout after repeated failed authentication attempts. An attacker can perform unlimited credential stuffing or brute-force attacks against user accounts without triggering any defensive mechanism.
Remediation
Implement progressive rate limiting that increases delay after each failed attempt. Add a temporary account lockout after 10 failed attempts within a 15-minute window. Deploy CAPTCHA challenges after 5 consecutive failures. Log and alert on brute-force patterns.
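As an added example of the controls listed above (Python, written for this page rather than taken from SecPortal or the assessed application), the throttle below tracks failed attempts per account and returns the gate decision a login handler applies before verifying the password: a progressive delay, a CAPTCHA requirement after 5 failures, and a temporary lockout after 10 failures within a 15-minute window. The lockout duration, the delay curve and the delay cap are assumptions; the clock is injectable so the behaviour can be exercised without sleeping.

```python
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("auth")

# Thresholds from the remediation text; the lockout length and delay curve are assumed.
CAPTCHA_AFTER = 5            # failures before a CAPTCHA challenge is required
LOCKOUT_AFTER = 10           # failures inside the window that trigger a lockout
WINDOW_SECONDS = 15 * 60     # sliding window in which failures are counted
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration
MAX_DELAY_SECONDS = 30       # cap for the progressive delay


class LoginThrottle:
    """Per-account failure tracking: progressive delay, CAPTCHA gate, temporary lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time at which the lockout ends

    def _recent_failures(self, account: str, now: float) -> deque:
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                      # failures older than the window no longer count
        return q

    def check(self, account: str) -> dict:
        """Decision to apply before the password is verified at all."""
        now = self.clock()
        until = self.locked_until.get(account, 0)
        if until > now:
            return {"allow": False, "reason": "locked", "retry_after": int(until - now)}
        n = len(self._recent_failures(account, now))
        delay = min(2 ** (n - 1), MAX_DELAY_SECONDS) if n else 0   # 0, 1, 2, 4, 8, 16, 30, 30, ...
        return {"allow": True, "delay": delay, "captcha": n >= CAPTCHA_AFTER}

    def record_failure(self, account: str) -> None:
        now = self.clock()
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) >= LOCKOUT_AFTER:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            # The alerting hook the remediation asks for: a detection rule can key on this line.
            log.warning("account %s locked after %d failures within %ds",
                        account, len(q), WINDOW_SECONDS)

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)
```

The handler turns `delay` into a sleep or a 429 with `Retry-After`, and `captcha: True` into a challenge the client must satisfy before the password is checked. Keying the counters on the account rather than the source address is what makes this effective against credential stuffing spread across many addresses; a second counter per address is a reasonable complement.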
Finding 5: TLS 1.0 and 1.1 Supported (Medium, CVSS 4.3)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Asset
app.secportal.io:443
Description
The server accepts connections using TLS 1.0 and TLS 1.1, both of which are deprecated and known to be vulnerable to BEAST, POODLE, and other downgrade attacks. PCI DSS 3.2.1 and later versions mandate disabling TLS 1.0.
Remediation
Disable TLS 1.0 and 1.1 in the web server and load balancer configuration. Enforce TLS 1.2 as the minimum supported protocol version, with TLS 1.3 preferred. Test with SSL Labs after changes to confirm the configuration.
Finding 6: Verbose Error Messages Exposing Stack Traces (Low, CVSS 3.1)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Asset
app.secportal.io/*
Description
Application error responses include full stack traces, framework versions, and internal file paths. This information assists an attacker in identifying the technology stack and locating further vulnerabilities.
Remediation
Configure the application to return generic error messages in production. Log detailed error information server-side only. Implement a global error handler that catches unhandled exceptions and returns a standardised error response.
Finding 7: Missing Security Headers (Informational)
Affected Asset
app.secportal.io
Description
Several recommended security headers are missing from HTTP responses: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. While not directly exploitable, their absence reduces defence-in-depth.
Remediation
Add the following headers to all responses: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy with a restrictive default. These can be configured at the reverse proxy or CDN level.
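Findings 6 and 7 (and the CSP recommended under finding 2) are all addressed at the same layer, so one piece of code serves them. The Python WSGI middleware below is an added example, not SecPortal's code or the assessed application's: it appends the four headers named above plus a Content-Security-Policy to every response, and converts an unhandled exception into a generic JSON 500 with a correlation id while the full traceback goes to the server-side log. The Permissions-Policy feature list, the CSP directives, the JSON error shape and the small demo application are assumptions.

```python
import json
import logging
import sys
import traceback
import uuid

log = logging.getLogger("app")

# Header values from the finding; the Permissions-Policy feature list and the CSP are
# assumed restrictive defaults that a real deployment tunes to what the pages need.
SECURITY_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"),
]


def hardened(app):
    """WSGI middleware: adds the security headers to every response and turns an
    unhandled exception raised while building a response into a generic 500."""
    def wrapper(environ, start_response):
        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [h for h in SECURITY_HEADERS if h[0].lower() not in present]
            return start_response(status, headers + extra, exc_info)

        try:
            return app(environ, start_with_headers)
        except Exception:
            error_id = uuid.uuid4().hex   # correlation id: returned to the client, logged server-side
            log.error("unhandled exception id=%s path=%s\n%s",
                      error_id, environ.get("PATH_INFO"), traceback.format_exc())
            body = json.dumps({"error": "Internal server error", "error_id": error_id}).encode()
            start_with_headers("500 Internal Server Error",
                               [("Content-Type", "application/json"),
                                ("Content-Length", str(len(body)))],
                               sys.exc_info())   # per PEP 3333 when a response may already have started
            return [body]
    return wrapper


def demo_app(environ, start_response):
    """Constructed application: one route succeeds, one raises with internal detail."""
    if environ.get("PATH_INFO") == "/boom":
        raise RuntimeError("db connection failed at /srv/app/db.py:42")  # constructed internal path
    start_response("200 OK", [("Content-Type", "text/plain"), ("Content-Length", "2")])
    return [b"ok"]


def call(app, path):
    """Minimal in-process WSGI client: returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body
```

The correlation id is what keeps the generic message usable: support staff search the server log for `error_id` and see the traceback, framework version and path that the client response no longer carries. Exceptions raised lazily while the body iterable is consumed are outside this handler's reach, so frameworks that stream responses need the same treatment in their own error hook.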
This is what your clients see.
Every report is generated from real engagement data, fully branded to your organisation, and available as a downloadable PDF. AI-generated reports add executive narratives, risk prioritisation, and remediation roadmaps.