2023 Ultimay Security Assessment

Application Penetration Testing & Remediation Guidance for a SaaS Platform

Category: B2B SaaS (Project & Client Management for Marketing/Software Agencies)
Stack: Debian, Apache, PHP (Laravel), JavaScript (Angular), Python Microservices

I was brought in by the Ultimay engineering leadership to perform a targeted security assessment of their flagship SaaS platform, which supports project management workflows across multiple roles—Owner, Manager, Developer, and Customer.

🎯 Scope of Engagement:
Full-scope authenticated web application pentest

Coverage of multi-role permission testing and custom file handling logic

Direct collaboration with the internal development team to review security architecture and advise on remediation

Bonus input into feature architecture for safer future implementations

🛠️ Tools & Methodology:
I performed a thorough black-box and authenticated assessment using:

nmap for port and service enumeration

OpenVAS for infrastructure-level vulnerability scanning

Burp Suite for proxy-based web testing and XSS/IDOR exploitation

Nikto and Dirb for web server misconfiguration checks and directory/content brute-forcing

Custom multi-user testing scripts to simulate role-based access control abuse scenarios

🚨 Key Findings:
I discovered multiple high-impact vulnerabilities, including:

Stored Cross-Site Scripting (XSS) across project notes and comment interfaces, allowing persistent JavaScript injection and potential session hijacking via stolen cookies

Insecure Direct Object References (IDORs) enabling cross-account access to documents, client notes, and internal timelines by manipulating resource identifiers

Remote Code Execution (RCE) via a race condition in the file upload and zip handler: an uploaded PHP payload was written to a web-served location first and removed only after the sanitization logic ran, leaving a window in which it could be requested and executed
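The role-based access control scripts mentioned under Tools and the IDOR finding above come down to the same procedure: replay every resource identifier from every role's session and compare what was served against what the policy allows. Below is an added example of that differential sweep, written for this page and not taken from the Ultimay engagement or its code base. The in-memory "application" (the users, organisations, document ids, role names and both endpoint functions) is constructed for illustration; it stands in for the platform's document endpoint and shows the id-only lookup that produces cross-account reads next to a lookup scoped to the caller's tenant and role.

```python
"""Differential access-control sweep for IDOR and role-abuse testing.

Constructed example: USERS, DOCS, the role policy and both handler functions
are assumptions standing in for the platform's real document endpoint.
"""

# Constructed users: role plus organisation (tenant) id
USERS = {
    "alice": {"role": "Owner", "org": 1},
    "bob": {"role": "Developer", "org": 1},
    "carol": {"role": "Customer", "org": 2},
    "dave": {"role": "Customer", "org": 2},
}

# Constructed documents keyed by the sequential id exposed in the URL
DOCS = {
    101: {"org": 1, "owner": "alice", "title": "Q3 client roadmap"},
    102: {"org": 2, "owner": "carol", "title": "Carol's brief"},
    103: {"org": 1, "owner": "bob", "title": "Sprint notes"},
    104: {"org": 2, "owner": "dave", "title": "Dave's invoice"},
}

# Roles that may read every document inside their own organisation;
# Customers may only read documents they own (assumed policy)
BROAD_ROLES = {"Owner", "Manager", "Developer"}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def vulnerable_get_document(session_user: str, doc_id: int) -> dict:
    """Looks the record up by id alone: any authenticated user reads any id."""
    if session_user not in USERS:
        raise Forbidden("login required")
    if doc_id not in DOCS:
        raise NotFound(doc_id)
    return DOCS[doc_id]


def scoped_get_document(session_user: str, doc_id: int) -> dict:
    """Scopes the lookup to the caller's tenant and role before returning.

    A foreign-tenant id and a nonexistent id both yield NotFound, so the
    endpoint is not an existence oracle for other tenants' records.
    """
    user = USERS.get(session_user)
    if user is None:
        raise Forbidden("login required")
    doc = DOCS.get(doc_id)
    if doc is None or doc["org"] != user["org"]:
        raise NotFound(doc_id)
    if user["role"] not in BROAD_ROLES and doc["owner"] != session_user:
        raise Forbidden("customers only see their own documents")
    return doc


def expected_allowed(session_user: str, doc_id: int) -> bool:
    """Ground-truth policy the sweep compares observed behaviour against."""
    user, doc = USERS[session_user], DOCS.get(doc_id)
    if doc is None or doc["org"] != user["org"]:
        return False
    return user["role"] in BROAD_ROLES or doc["owner"] == session_user


def outcome(handler, session_user: str, doc_id: int) -> str:
    """Normalise one request into 'served', 'not_found' or 'forbidden'."""
    try:
        handler(session_user, doc_id)
        return "served"
    except NotFound:
        return "not_found"
    except Forbidden:
        return "forbidden"


def idor_sweep(handler, id_range) -> list:
    """Replay every id from every session and report reads the policy forbids.

    Returns sorted (user, doc_id) pairs that were served but should not have
    been; an empty list means no cross-account access was observed.
    """
    findings = []
    for session_user in USERS:
        for doc_id in id_range:
            served = outcome(handler, session_user, doc_id) == "served"
            if served and not expected_allowed(session_user, doc_id):
                findings.append((session_user, doc_id))
    return sorted(findings)


if __name__ == "__main__":
    ids = range(100, 106)  # sweep past the known ids to catch enumeration
    print("vulnerable:", idor_sweep(vulnerable_get_document, ids))
    print("scoped:    ", idor_sweep(scoped_get_document, ids))
```

Running the sweep against the id-only handler lists ten cross-tenant or cross-customer reads; against the scoped handler it lists none. The same sweep, driven by real HTTP sessions instead of the in-memory stub, is what a multi-user RBAC script does against a live target. In a Laravel code base the equivalent of the scoped handler is to resolve the record through the authenticated user's relationships (for example `$request->user()->organization->documents()->findOrFail($id)`, assuming such relationships exist) rather than through a bare `Document::findOrFail($id)`.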

🤝 Outcome:
I worked hands-on with the internal engineering team to:

Reproduce and patch all identified issues with proper input validation and output encoding, authorization checks scoped to the requesting user's account, and secure file handling

Build unit tests and regression logic to prevent future reintroduction of similar bugs

Advise on secure-by-design principles for upcoming features in their roadmap
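The upload race condition in the findings and the secure file handling in the remediation describe two orderings of the same pipeline: write the file where the web server can serve it and sanitize afterwards, or validate first and never let unvetted bytes reach a served path. The following is an added example written for this page, not code from the Ultimay platform; the directories, the deliberately slow stand-in scanner, the extension policy, the sample payloads and the archive contents are all constructed. It races a poller against both orderings to show the window, and applies the same vetting to zip members, including path-traversing entry names.

```python
"""Upload pipeline: 'place first, sanitize later' beside 'validate first'.

Constructed example: PUBLIC_ROOT and PRIVATE_ROOT stand in for a directory
under the web server's document root and storage outside it; slow_scan
stands in for a content scan that takes real time.
"""
import io
import os
import secrets
import tempfile
import threading
import time
import zipfile

PUBLIC_ROOT = tempfile.mkdtemp(prefix="public_uploads_")    # served by the web server
PRIVATE_ROOT = tempfile.mkdtemp(prefix="private_uploads_")  # outside DocumentRoot

ALLOWED_EXT = {".png", ".jpg", ".pdf", ".txt"}          # assumed allow-list
PHP_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}
PHP_MARKERS = (b"<?php", b"<?=")


def looks_executable(name: str, data: bytes) -> bool:
    """Allow-list the final extension, reject PHP anywhere in the name
    (shell.php.png), and reject PHP open tags in the content regardless of name."""
    parts = name.lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in ALLOWED_EXT:
        return True
    if any("." + p in PHP_EXT for p in parts[1:]):
        return True
    return any(marker in data for marker in PHP_MARKERS)


def slow_scan(data: bytes) -> bool:
    """Stand-in for a content scan; the assumed 300 ms is the race window."""
    time.sleep(0.3)
    return not any(marker in data for marker in PHP_MARKERS)


def vulnerable_upload(name: str, data: bytes):
    """Writes into the served directory, then scans and deletes on failure.
    Between the write and the unlink the payload is reachable and executable."""
    path = os.path.join(PUBLIC_ROOT, os.path.basename(name))
    with open(path, "wb") as fh:
        fh.write(data)
    if not slow_scan(data):
        os.remove(path)
        return None
    return path


def safe_upload(name: str, data: bytes):
    """Validates before any write, scans in private storage, then keeps the
    file under a random name; it is only ever served through a controller."""
    if looks_executable(name, data):
        return None
    fd, tmp = tempfile.mkstemp(dir=PRIVATE_ROOT)  # never under the webroot
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    if not slow_scan(data):
        os.remove(tmp)
        return None
    final = os.path.join(PRIVATE_ROOT, secrets.token_hex(16) + "." + name.lower().rsplit(".", 1)[-1])
    os.replace(tmp, final)
    return final


def race_against(upload_fn, name: str, data: bytes):
    """Poll the public path while the upload is processed, as an attacker
    hammering the URL would. Returns (payload_was_served, stored_path)."""
    target = os.path.join(PUBLIC_ROOT, os.path.basename(name))
    hit = {"served": False}
    stop = threading.Event()

    def poll():
        while not stop.is_set():
            if os.path.exists(target):
                hit["served"] = True
                return
            time.sleep(0.001)

    worker = threading.Thread(target=poll)
    worker.start()
    stored = upload_fn(name, data)
    stop.set()
    worker.join()
    return hit["served"], stored


def extract_zip_safely(zip_bytes: bytes):
    """Vet every archive member before anything is written: no absolute or
    traversing paths, no executable members. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = os.path.normpath(name)
            if name.startswith(("/", "\\")) or ".." in norm.split(os.sep):
                rejected.append(name)
            elif looks_executable(os.path.basename(name), zf.read(info)):
                rejected.append(name)
            else:
                accepted.append(name)
    return accepted, rejected


def build_zip(entries) -> bytes:
    """Construct an in-memory test archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries:
            zf.writestr(entry_name, content)
    return buf.getvalue()
```

With the constructed 300 ms scan, the poller catches the payload under `vulnerable_upload` every time, and never under `safe_upload`, because nothing is written to the served directory at all. Shrinking the window does not fix the vulnerable ordering; only validating before placement does. In a Laravel application the equivalent is to run the validation rules and any scan before the file is stored, to write through the `local` disk (which lives under `storage/app`, outside `public/`) rather than the `public` disk, and to serve downloads through a controller that enforces the same authorization as the rest of the application.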

This engagement demonstrated my ability to combine deep application security knowledge with collaborative engineering processes, ensuring that Ultimay could ship safer code with confidence.
