The latest articles on DEV Community by Provecore Security (@kortali). https://dev.to/kortali https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3864807%2F9f99699b-990c-4bb7-b33c-801de068aa3d.png https://dev.to/kortali en Provecore Security Tue, 07 Apr 2026 03:32:44 +0000 https://dev.to/kortali/the-5-vulnerability-classes-that-appear-in-almost-every-b2b-saas-pentest-5dcb https://dev.to/kortali/the-5-vulnerability-classes-that-appear-in-almost-every-b2b-saas-pentest-5dcb <h2> 1. Broken Object Level Authorization (BOLA/IDOR) </h2> <p>An authenticated user can access or modify resources belonging to other users by manipulating object identifiers in API requests. Multi-tenant SaaS applications share infrastructure across customers. If your API checks authentication but not authorization at the object level, one customer can read another customer's data by changing an ID.</p> <p>We find this in direct object references in REST endpoints, GraphQL queries that accept tenant-crossing IDs, and batch endpoints that skip per-item authorization checks.</p> <p><strong>Fix:</strong> Implement object-level authorization in the data access layer. Verify that the requesting user's organization owns the requested resource before returning any data.</p> <h2> 2. Broken Authentication — JWT Implementation Errors </h2> <p>Flaws in how JSON Web Tokens are created, validated, or managed. Common patterns: algorithm confusion (RS256 to HS256 downgrade), missing expiration validation, weak signing secrets, and tokens that survive logout.</p> <p>JWTs are the dominant auth mechanism for SaaS APIs. A signing flaw means full authentication bypass — any user, any role, any tenant.</p> <p><strong>Fix:</strong> Explicitly specify the allowed algorithm. Never accept the algorithm from the token header. Enforce expiration. Use strong, rotated signing keys.</p> <h2> 3. Mass Assignment </h2> <p>An API endpoint accepts request body fields that should not be user-controllable — like <code>role</code>, <code>is_admin</code>, or <code>plan_tier</code>. SaaS products with rich data models that auto-bind request bodies to model attributes are especially vulnerable.</p> <p>We typically find user profile endpoints that accept role changes, subscription endpoints where plan_tier can be overwritten, and invitation endpoints where permissions can be injected.</p> <p><strong>Fix:</strong> Use explicit allowlists for every endpoint that accepts user input. Never auto-bind request bodies to database models without filtering.</p> <h2> 4. Server-Side Request Forgery (SSRF) </h2> <p>An attacker causes your server to make HTTP requests to internal services or cloud metadata endpoints. Cloud-hosted SaaS applications run alongside metadata services, internal APIs, and microservices. Webhook delivery, file import, and URL preview features are common entry points.</p> <p><strong>Fix:</strong> Restrict outbound requests to permitted hosts. Block private IP ranges and cloud metadata endpoints at the network level.</p> <h2> 5. Business Logic Flaws </h2> <p>Vulnerabilities unique to your product's business rules. Coupon codes applied multiple times, approval workflows skipped by manipulating state, trial extensions by re-registering. Scanners cannot find these.</p> <p><strong>Fix:</strong> No generic fix exists. Each requires understanding the intended behavior and enforcing it server-side. This is why manual penetration testing exists.</p> <p>We offer a <strong>free 1-week penetration test</strong> for qualified B2B SaaS teams. Same methodology, same report quality as paid engagements. Zero cost, zero obligation.</p> <p><a href="https://provecore.com/free-trial" rel="noopener noreferrer">Apply for a free trial</a> | <a href="https://provecore.com/book" rel="noopener noreferrer">Book a scoping call</a></p> cybersecurity