Provecore Security

The 5 Vulnerability Classes That Appear in Almost Every B2B SaaS Pentest

1. Broken Object Level Authorization (BOLA/IDOR)

An authenticated user can access or modify resources belonging to other users by manipulating object identifiers in API requests. Multi-tenant SaaS applications share infrastructure across customers. If your API checks authentication but not authorization at the object level, one customer can read another customer's data by changing an ID.

We find this in direct object references in REST endpoints, GraphQL queries that accept tenant-crossing IDs, and batch endpoints that skip per-item authorization checks.

Fix: Implement object-level authorization in the data access layer. Verify that the requesting user's organization owns the requested resource before returning any data.

2. Broken Authentication — JWT Implementation Errors

Flaws in how JSON Web Tokens are created, validated, or managed. Common patterns: algorithm confusion (RS256 to HS256 downgrade), missing expiration validation, weak signing secrets, and tokens that survive logout.

JWTs are the dominant auth mechanism for SaaS APIs. A signing flaw means full authentication bypass — any user, any role, any tenant.

Fix: Explicitly specify the allowed algorithm. Never accept the algorithm from the token header. Enforce expiration. Use strong, rotated signing keys.
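A stdlib-only illustration of that fix, added here as example code rather than anything from the post or from Provecore: the server pins HS256 in its own configuration, refuses any token whose header says otherwise (including "none" and RS256), compares the signature in constant time, and treats a missing exp claim as invalid rather than as "never expires". The function names and the secret are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_hs256(token, secret, now=None):
    """Return the claims of a valid token, or raise ValueError.
    The algorithm is pinned to HS256 by server configuration: the header's
    'alg' is compared against it but never used to pick the verifier.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # 'none', RS256 or any other value is refused: this is what blocks the
    # downgrade / algorithm-confusion pattern described above.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # A token without 'exp' is rejected rather than treated as eternal.
    if not isinstance(claims, dict) or "exp" not in claims:
        raise ValueError("missing exp")
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("expired")
    return claims


def mint_hs256(claims, secret):
    """Issue a token; included only so the example runs end to end."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"
```

In a real service the secret (or, for RS256, the public key) comes from configuration, and the pinned algorithm must match the key type so that an HMAC verifier is never handed an RSA public key as its secret.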

3. Mass Assignment

An API endpoint accepts request body fields that should not be user-controllable — like role, is_admin, or plan_tier. SaaS products with rich data models that auto-bind request bodies to model attributes are especially vulnerable.

We typically find user profile endpoints that accept role changes, subscription endpoints where plan_tier can be overwritten, and invitation endpoints where permissions can be injected.

Fix: Use explicit allowlists for every endpoint that accepts user input. Never auto-bind request bodies to database models without filtering.

4. Server-Side Request Forgery (SSRF)

An attacker causes your server to make HTTP requests to internal services or cloud metadata endpoints. Cloud-hosted SaaS applications run alongside metadata services, internal APIs, and microservices. Webhook delivery, file import, and URL preview features are common entry points.

Fix: Restrict outbound requests to permitted hosts. Block private IP ranges and cloud metadata endpoints at the network level.

5. Business Logic Flaws

Vulnerabilities unique to your product's business rules: coupon codes applied multiple times, approval workflows skipped by manipulating state, trial periods extended by re-registering. Scanners cannot find these.

Fix: No generic fix exists. Each requires understanding the intended behavior and enforcing it server-side. This is why manual penetration testing exists.


We offer a free 1-week penetration test for qualified B2B SaaS teams. Same methodology, same report quality as paid engagements. Zero cost, zero obligation.