Penetration Test Report

ALTCHA Sentinel API Security Assessment
Assessment Date: May 11, 2026
Report Generated: 2026-05-11T09:08:13.644Z
Prepared By: Security Assessment Team
API Version: ALTCHA Sentinel v1.28.0
Overall Risk: Low

Table of Contents

  1. Executive Summary
  2. Risk Overview
  3. Findings Overview
  4. Detailed Findings
  5. Methodology
  6. Scope & Coverage

    1. Executive Summary

    A penetration test was conducted against the ALTCHA Sentinel REST API. The assessment covered OWASP API Security Top 10 (2023), authentication, authorization, injection, rate limiting, business logic, and transport security.

    The assessment identified 0 vulnerabilities. Overall risk: Low.

    Overall Risk Rating: Low

    2. Risk Overview

    Critical: 0
    High: 0
    Medium: 0
    Low: 0
    Info: 0

    Findings by Category

    No vulnerabilities found.

    3. Findings Overview

    ID | Title | Category | Severity | CVSS | OWASP API Top 10 (2023) | Status
    INFO-001 | Application configuration exposed without authentication | Information Disclosure | Low | 3.7 | API8:2023 | NOT VULNERABLE
    INFO-002 | Server version information disclosed in HTTP headers | Information Disclosure | Info | | API8:2023 | NOT VULNERABLE
    HEAD-001 | Missing security header: Strict-Transport-Security (HSTS) | Security Headers | Medium | 4.3 | API8:2023 | NOT VULNERABLE
    HEAD-002 | Missing security header: X-Content-Type-Options | Security Headers | Low | 2.3 | API8:2023 | NOT VULNERABLE
    HEAD-003 | Missing security header: X-Frame-Options | Security Headers | Medium | 4.3 | API8:2023 | NOT VULNERABLE
    HEAD-004 | Missing security header: Content-Security-Policy | Security Headers | Medium | 5.3 | API8:2023 | NOT VULNERABLE
    HEAD-005 | Missing security header: Referrer-Policy | Security Headers | Low | 2.3 | API8:2023 | NOT VULNERABLE
    HEAD-007 | Missing Cache-Control directives on authenticated endpoint | Security Headers | Low | 2.3 | API8:2023 | NOT VULNERABLE
    ERR-001 | Stack trace / exception details leaked in error responses | Information Disclosure | Medium | 5.3 | API3:2023 | NOT VULNERABLE
    ERR-002 | Database error messages disclosed in responses | Information Disclosure | High | 7.5 | API3:2023 | NOT VULNERABLE
    ERR-003 | Internal file paths disclosed in error responses | Information Disclosure | Low | 3.7 | API3:2023 | NOT VULNERABLE
    ERR-004 | Unhandled 5xx errors returned to clients | Information Disclosure | Low | 2.3 | API8:2023 | NOT VULNERABLE
    TOKEN-001 | JWT "alg:none" bypass accepted | Authentication | Critical | 9.8 | API2:2023 | NOT VULNERABLE
    TOKEN-002 | JWT HS256 downgrade with weak secret accepted | Authentication | Critical | 9.1 | API2:2023 | NOT VULNERABLE
    TOKEN-003 | Expired JWT accepted without rejection | Authentication | High | 7.5 | API2:2023 | NOT VULNERABLE
    TOKEN-004 | Malformed JWT causes 5xx server error | Authentication | Medium | 5.3 | API8:2023 | NOT VULNERABLE
    TOKEN-005 | API key reflected in response body | Authentication | Medium | 4.3 | API3:2023 | NOT VULNERABLE
    BOLA-001 | Cross-account resource access (BOLA) — GET /v1/accounts/{id} | Authorization | High | 8.1 | API1:2023 | NOT VULNERABLE
    BOLA-002 | Cross-account resource modification (BOLA) — PATCH /v1/accounts/{id} | Authorization | Critical | 9.1 | API1:2023 | NOT VULNERABLE
    BOLA-003 | Predictable resource IDs — sequential/simple ID enumeration | Authorization | Medium | 6.5 | API1:2023 | NOT VULNERABLE
    PRIVESC-001 | Vertical privilege escalation via mass assignment (PATCH /v1/users) | Authorization | Critical | 9.8 | API3:2023 | NOT VULNERABLE
    PRIVESC-002 | JWT claims tampering — signature not re-verified after modification | Authorization | Critical | 9.8 | API2:2023 | NOT VULNERABLE
    PRIVESC-003 | Mass assignment of privileged boolean flags (active, default) | Authorization | Medium | 6.5 | API3:2023 | NOT VULNERABLE
    FUNCAUTH-001 | Admin endpoints accessible without authentication | Authorization | Critical | 9.8 | API5:2023 | NOT VULNERABLE
    FUNCAUTH-002 | Admin endpoints accessible with user-level API key | Authorization | Critical | 9.1 | API5:2023 | NOT VULNERABLE
    FUNCAUTH-003 | Management endpoints (users, logs, API keys) accessible without authentication | Authorization | Critical | 9.1 | API5:2023 | NOT VULNERABLE
    FUNCAUTH-004 | Environment variable read/write (/v1/admin/env) — unauthenticated access | Authorization | Critical | 10.0 | API5:2023 | NOT VULNERABLE
    INJECT-001 | SQL / NoSQL injection in search endpoints | Injection | Critical | 9.8 | API8:2023 | NOT VULNERABLE
    INJECT-002 | NoSQL operator injection ($gt, $ne, $regex) in query fields | Injection | High | 8.1 | API8:2023 | NOT VULNERABLE
    INJECT-003 | Blind timing-based SQL/NoSQL injection | Injection | Critical | 9.0 | API8:2023 | NOT VULNERABLE
    XSS-001 | Reflected XSS via query parameters in admin list endpoints | Injection | High | 7.2 | API8:2023 | NOT VULNERABLE
    CHALLENGE-001 | ALTCHA PoW challenge bypass — degenerate solution values | Business Logic | High | 7.5 | API6:2023 | NOT VULNERABLE
    CHALLENGE-002 | ALTCHA challenge replay — nonce reuse not detected | Business Logic | High | 7.5 | API6:2023 | NOT VULNERABLE
    MASS-001 | Mass assignment of privileged fields via PATCH /v1/users/{id} | Business Logic | Critical | 9.8 | API3:2023 | NOT VULNERABLE
    MASS-002 | Mass assignment on API key creation (POST /v1/api-keys) | Business Logic | High | 7.5 | API3:2023 | NOT VULNERABLE
    CORS-001 | CORS wildcard with credentials (Access-Control-Allow-Credentials: true) | CORS | High | 8.1 | API7:2023 | NOT VULNERABLE
    CORS-002 | CORS reflected Origin — arbitrary origin accepted with credentials | CORS | High | 8.1 | API7:2023 | NOT VULNERABLE
    CORS-003 | CORS null origin accepted with credentials | CORS | High | 7.4 | API7:2023 | NOT VULNERABLE
    CORS-004 | CORS preflight allows untrusted origin / dangerous methods | CORS | Medium | 3.1 | API7:2023 | NOT VULNERABLE
    AUTH-001 | Login endpoint rate limiting | Authentication | High | 7.5 | API4:2023 | NOT VULNERABLE
    AUTH-002 | Challenge generation endpoint rate limiting | Authentication | Medium | 5.3 | API4:2023 | NOT VULNERABLE
    AUTH-003 | OTP / 2FA endpoint rate limiting | Authentication | High | 6.5 | API4:2023 | NOT VULNERABLE
    AUTH-004 | Username enumeration via login response differences | Authentication | Medium | 5.3 | API3:2023 | NOT VULNERABLE
    RATE-001 | Brute-force rate limiting on login endpoint (POST /v1/auth/login) | Rate Limiting | High | 7.5 | API4:2023 | NOT VULNERABLE
    RATE-002 | Challenge endpoint rate limiting (GET /v1/auth/challenge) | Rate Limiting | Medium | 5.3 | API4:2023 | NOT VULNERABLE
    RATE-003 | OTP verification rate limiting (POST /v1/auth/login/otp) | Rate Limiting | High | 7.5 | API4:2023 | NOT VULNERABLE

    4. Detailed Findings

    Passed Checks

    ID | Title | Category | Severity
    INFO-001 | Application configuration exposed without authentication | Information Disclosure | Low
    INFO-002 | Server version information disclosed in HTTP headers | Information Disclosure | Info
    HEAD-001 | Missing security header: Strict-Transport-Security (HSTS) | Security Headers | Medium
    HEAD-002 | Missing security header: X-Content-Type-Options | Security Headers | Low
    HEAD-003 | Missing security header: X-Frame-Options | Security Headers | Medium
    HEAD-004 | Missing security header: Content-Security-Policy | Security Headers | Medium
    HEAD-005 | Missing security header: Referrer-Policy | Security Headers | Low
    HEAD-007 | Missing Cache-Control directives on authenticated endpoint | Security Headers | Low
    ERR-001 | Stack trace / exception details leaked in error responses | Information Disclosure | Medium
    ERR-002 | Database error messages disclosed in responses | Information Disclosure | High
    ERR-003 | Internal file paths disclosed in error responses | Information Disclosure | Low
    ERR-004 | Unhandled 5xx errors returned to clients | Information Disclosure | Low
    TOKEN-001 | JWT "alg:none" bypass accepted | Authentication | Critical
    TOKEN-002 | JWT HS256 downgrade with weak secret accepted | Authentication | Critical
    TOKEN-003 | Expired JWT accepted without rejection | Authentication | High
    TOKEN-004 | Malformed JWT causes 5xx server error | Authentication | Medium
    TOKEN-005 | API key reflected in response body | Authentication | Medium
    BOLA-001 | Cross-account resource access (BOLA) — GET /v1/accounts/{id} | Authorization | High
    BOLA-002 | Cross-account resource modification (BOLA) — PATCH /v1/accounts/{id} | Authorization | Critical
    BOLA-003 | Predictable resource IDs — sequential/simple ID enumeration | Authorization | Medium
    PRIVESC-001 | Vertical privilege escalation via mass assignment (PATCH /v1/users) | Authorization | Critical
    PRIVESC-002 | JWT claims tampering — signature not re-verified after modification | Authorization | Critical
    PRIVESC-003 | Mass assignment of privileged boolean flags (active, default) | Authorization | Medium
    FUNCAUTH-001 | Admin endpoints accessible without authentication | Authorization | Critical
    FUNCAUTH-002 | Admin endpoints accessible with user-level API key | Authorization | Critical
    FUNCAUTH-003 | Management endpoints (users, logs, API keys) accessible without authentication | Authorization | Critical
    FUNCAUTH-004 | Environment variable read/write (/v1/admin/env) — unauthenticated access | Authorization | Critical
    INJECT-001 | SQL / NoSQL injection in search endpoints | Injection | Critical
    INJECT-002 | NoSQL operator injection ($gt, $ne, $regex) in query fields | Injection | High
    INJECT-003 | Blind timing-based SQL/NoSQL injection | Injection | Critical
    XSS-001 | Reflected XSS via query parameters in admin list endpoints | Injection | High
    CHALLENGE-001 | ALTCHA PoW challenge bypass — degenerate solution values | Business Logic | High
    CHALLENGE-002 | ALTCHA challenge replay — nonce reuse not detected | Business Logic | High
    MASS-001 | Mass assignment of privileged fields via PATCH /v1/users/{id} | Business Logic | Critical
    MASS-002 | Mass assignment on API key creation (POST /v1/api-keys) | Business Logic | High
    CORS-001 | CORS wildcard with credentials (Access-Control-Allow-Credentials: true) | CORS | High
    CORS-002 | CORS reflected Origin — arbitrary origin accepted with credentials | CORS | High
    CORS-003 | CORS null origin accepted with credentials | CORS | High
    CORS-004 | CORS preflight allows untrusted origin / dangerous methods | CORS | Medium
    AUTH-001 | Login endpoint rate limiting | Authentication | High
    AUTH-002 | Challenge generation endpoint rate limiting | Authentication | Medium
    AUTH-003 | OTP / 2FA endpoint rate limiting | Authentication | High
    AUTH-004 | Username enumeration via login response differences | Authentication | Medium
    RATE-001 | Brute-force rate limiting on login endpoint (POST /v1/auth/login) | Rate Limiting | High
    RATE-002 | Challenge endpoint rate limiting (GET /v1/auth/challenge) | Rate Limiting | Medium
    RATE-003 | OTP verification rate limiting (POST /v1/auth/login/otp) | Rate Limiting | High

    5. Methodology

    Assessment followed OWASP API Security Top 10 (2023), OWASP WSTG, CVSS v3.1, and CWE standards.

    Phase | Scope | Technique
    Information Disclosure | Public endpoints, HTTP headers, error messages | Unauthenticated probes, malformed inputs
    Authentication | Login, token | Brute-force simulation, token manipulation
    Authorization | All authenticated endpoints | BOLA/IDOR, privilege escalation, function-level auth
    Injection | All input fields | SQL, NoSQL, XSS, SSTI payloads
    Rate Limiting | Public and authenticated endpoints | Burst request testing
    Business Logic | Challenge, classifier, threat APIs | Replay, mass assignment, bypass attempts
    Transport Security | CORS, HTTP headers | Origin spoofing, header analysis

    6. Scope & Coverage

    Test Module | Checks | Vulnerable | Passed | Skipped
    01-information-disclosure/app-config | 2 | 0 | 2 | 0
    01-information-disclosure/security-headers | 6 | 0 | 6 | 0
    01-information-disclosure/error-disclosure | 4 | 0 | 4 | 0
    02-authentication/token-security | 5 | 0 | 5 | 0
    03-authorization/bola-idor | 3 | 0 | 3 | 0
    03-authorization/privilege-escalation | 3 | 0 | 3 | 0
    03-authorization/function-level-auth | 4 | 0 | 4 | 0
    04-injection/sql-nosql | 3 | 0 | 3 | 0
    04-injection/xss | 1 | 0 | 1 | 0
    06-business-logic/challenge-bypass | 2 | 0 | 2 | 0
    06-business-logic/mass-assignment | 2 | 0 | 2 | 0
    07-cors/cors | 4 | 0 | 4 | 0
    02-authentication/brute-force | 4 | 0 | 4 | 0
    05-rate-limiting/rate-limiting | 3 | 0 | 3 | 0