Security Assessment of an Internal HR and Payroll Management Application
A B2B HR and Payroll SaaS platform serving 350 SMB clients engaged us to assess the security of their core application. We identified critical privilege escalation allowing standard employees to access HR manager functions, a payroll approval workflow bypass, and plaintext Social Security Number logging in an environment processing live payroll data.
Confidential engagement. NDA available upon request.
78% Vulnerability Reduction
0 Critical Remaining
0 High Remaining
350 SMB Clients Protected
About the Client
Industry
HR Tech
Company Size
20 to 40 employees, early growth stage
Background
A B2B SaaS platform providing HR management and payroll processing capabilities to approximately 350 small and medium-sized businesses. The platform processed sensitive employee data including SSNs, banking information, and salary records, making access control integrity and data protection critically important.
Security Challenges Identified
Standard Employees Could Access All HR Manager API Endpoints
Role enforcement relied on client-supplied request headers, allowing privilege escalation by modifying role parameters and exposing salary, PII, and HR records.
Social Security Numbers Logged in Plaintext
Debug logging recorded full Social Security Numbers in plaintext log files stored on the application server, creating a sensitive data exposure risk.
Payroll Approval Workflow Completely Bypassable
The two-step approval workflow could be bypassed by directly calling the payment execution endpoint without completing the approval chain.
Banking API Accepting Unvalidated Financial Data
Banking integration endpoints accepted malformed routing numbers without validation, creating potential for misdirected payroll transactions and financial fraud.
The Mission
Identify and remediate all access control, data handling, and business logic vulnerabilities in the HR and payroll platform, ensuring payroll integrity, protecting sensitive employee financial data, and enabling the client to pass enterprise security questionnaires from prospective large clients.
How We Approached It
01. Application Mapping & Role Model Review
Week 1
- Burp Suite endpoint enumeration across all API surfaces
- Role and permission model documentation review
- Authentication flow and session management analysis
- Semgrep SAST scan for hardcoded secrets
02. Authentication & Authorization Testing
Week 1 to 2
- Vertical privilege escalation testing via request header manipulation
- Horizontal IDOR testing across employee and client data
- API endpoint access testing from each role context
- JWT and session token analysis
03. Business Logic & Workflow Testing
Week 2 to 3
- Payroll approval chain bypass testing via direct API calls
- Banking data validation and input fuzzing with Postman
- Multi-step workflow integrity testing
- Concurrent request and race condition testing on financial operations
04. Data Handling & Sensitive Data Review
Week 3
- Application log analysis for sensitive data exposure
- API response content review for over-exposed financial data
- Database query and ORM analysis for sensitive field exposure
- TLS configuration and data-in-transit encryption review
05. Reporting & Developer Remediation
Week 4
- Technical findings report with remediation guidance
- Access control architecture redesign recommendations
- Secure SDLC integration recommendations
- Enterprise security questionnaire posture summary
Vulnerabilities Discovered
1 Critical, 3 High, 2 Medium, 0 Low
Vertical Privilege Escalation
Standard employee accounts could access HR manager API endpoints by modifying role parameters in request headers, exposing employee salary and personal data.
Banking API Insufficient Input Validation
Banking integration endpoints accepted malformed routing numbers without validation, creating potential for misdirected payroll transactions.
SSNs Logged in Plaintext
Debug logging recorded full Social Security Numbers in plaintext log files stored on the application server.
Payroll Approval Bypass
Payroll approval workflow could be bypassed by directly calling the payment execution endpoint without completing the approval chain.
Sensitive Data in API Responses
Banking account numbers were returned in full within API responses where only partial display was required.
Weak Password Policy
No minimum complexity requirements were enforced, permitting weak dictionary passwords on all account types.
How We Fixed It
Access Control Remediation
Implemented server-side role validation using centralized authorization middleware and removed all client-influenced role parameters.
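The header-trusted check described above, beside the server-side lookup that replaces it. This is an added illustration, not the client's code; the user store, role names and endpoint names are constructed.

```python
# Added example: authorization resolved from the server-side user store
# instead of from a client-supplied role header. All names are constructed.
from dataclasses import dataclass
from typing import Callable

USERS = {  # constructed: authenticated user id -> role held server-side
    "u-100": "employee",
    "u-200": "hr_manager",
}

# Endpoint -> roles permitted. Lives on the server, never in the request.
PERMISSIONS = {
    "GET /api/employees/salaries": {"hr_manager"},
    "GET /api/me/payslips": {"employee", "hr_manager"},
}

@dataclass
class Request:
    user_id: str      # taken from the authenticated session, not client-editable
    endpoint: str
    headers: dict

def authorize_vulnerable(req: Request) -> bool:
    """Before: trusts X-Role, so any caller can simply claim hr_manager."""
    role = req.headers.get("X-Role", "employee")
    return role in PERMISSIONS.get(req.endpoint, set())

def authorize_hardened(req: Request) -> bool:
    """After: ignores every client-supplied role value and resolves the role
    from the server-side store keyed on the authenticated identity."""
    role = USERS.get(req.user_id)
    if role is None:
        return False                  # unknown principal: deny by default
    return role in PERMISSIONS.get(req.endpoint, set())

def escalation_blocked(check: Callable[[Request], bool]) -> bool:
    """True when a standard employee claiming hr_manager via the header is
    still refused access to the salary endpoint under the given check."""
    req = Request("u-100", "GET /api/employees/salaries", {"X-Role": "hr_manager"})
    return not check(req)
```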
Banking API Validation
Implemented strict server-side validation for banking data inputs including routing number format verification before processing.
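An added example of the routing number check, not the client's code. It validates a US ABA routing transit number structurally (nine ASCII digits, the ABA mod-10 checksum, and an assigned prefix range); confirming the number against the Federal Reserve routing directory is assumed to happen in a separate step. The sample values in the comments are constructed.

```python
# Added example: strict server-side validation of a routing number before it
# is accepted into a payroll transaction. Structural checks only.
import re

_ROUTING_RE = re.compile(r"[0-9]{9}")     # ASCII digits only, no separators
_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)     # ABA checksum weights

def routing_checksum_ok(rtn: str) -> bool:
    """ABA check digit: weighted digit sum (weights 3,7,1 repeating) mod 10 == 0."""
    return sum(int(d) * w for d, w in zip(rtn, _WEIGHTS)) % 10 == 0

def prefix_assigned(rtn: str) -> bool:
    """First two digits must fall in an assigned ABA prefix range:
    00-12 (Federal Reserve districts), 21-32 (thrifts), 61-72 (electronic), 80."""
    prefix = int(rtn[:2])
    return (0 <= prefix <= 12 or 21 <= prefix <= 32
            or 61 <= prefix <= 72 or prefix == 80)

def validate_routing_number(raw) -> str:
    """Return the normalised routing number, or raise ValueError with the reason."""
    if not isinstance(raw, str):
        raise ValueError("routing number must be a string")
    rtn = raw.strip()
    if not _ROUTING_RE.fullmatch(rtn):
        raise ValueError("routing number must be exactly 9 ASCII digits")
    if not routing_checksum_ok(rtn):
        raise ValueError("routing number failed ABA checksum")
    if not prefix_assigned(rtn):
        raise ValueError("routing number has an unassigned prefix")
    return rtn

def is_valid_routing_number(raw) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_routing_number(raw)
        return True
    except ValueError:
        return False
```

Rejecting the request outright, rather than normalising or "best-effort" correcting the value, is what prevents a malformed number from being routed to an unintended institution.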
Log Sanitization
Implemented log scrubbing to mask SSNs and financial identifiers, and securely deleted historical logs containing sensitive data.
Approval Workflow Enforcement
Redesigned payroll execution flow to require server-side validation of completed approval status before processing payment requests.
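An added example of the server-side approval gate, not the client's code. The state names, the two-distinct-approver rule and the run identifiers are constructed assumptions.

```python
# Added example: payroll run state machine whose payment step re-checks the
# server-side approval record instead of trusting the client walked the flow.
from dataclasses import dataclass, field

class WorkflowError(Exception):
    pass

@dataclass
class PayrollRun:
    run_id: str
    submitted_by: str
    status: str = "draft"      # draft -> pending_approval -> approved -> paid
    approvers: list = field(default_factory=list)

REQUIRED_APPROVALS = 2         # constructed policy: two distinct approvers

def submit(run: PayrollRun) -> None:
    if run.status != "draft":
        raise WorkflowError(f"cannot submit run in state {run.status}")
    run.status = "pending_approval"

def approve(run: PayrollRun, approver: str) -> None:
    if run.status != "pending_approval":
        raise WorkflowError(f"cannot approve run in state {run.status}")
    if approver == run.submitted_by or approver in run.approvers:
        raise WorkflowError("approver must differ from submitter and prior approvers")
    run.approvers.append(approver)
    if len(run.approvers) >= REQUIRED_APPROVALS:
        run.status = "approved"

def execute_payment_vulnerable(run: PayrollRun) -> str:
    # Before: pays whatever run id it is handed, approval state never consulted.
    run.status = "paid"
    return f"paid {run.run_id}"

def execute_payment_hardened(run: PayrollRun) -> str:
    """After: refuse unless the stored record is approved by enough distinct people."""
    if run.status != "approved":
        raise WorkflowError(f"run {run.run_id} not approved (state: {run.status})")
    if len(set(run.approvers)) < REQUIRED_APPROVALS:
        raise WorkflowError("approval chain incomplete")
    run.status = "paid"        # terminal state, so a replayed call is rejected
    return f"paid {run.run_id}"

def direct_call_bypasses(execute) -> bool:
    """True when calling the payment endpoint on a fresh, unapproved run succeeds."""
    run = PayrollRun("run-2024-03", submitted_by="u-100")
    try:
        execute(run)
        return True
    except WorkflowError:
        return False
```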
Response Data Minimization
Updated API responses to return masked versions of sensitive financial data aligned with UI display requirements.
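One masking helper serving both the log sanitization above and the response minimization here, as an added example that is not the client's code. The log record, field names and sample values are constructed; the scrubber deliberately also masks any bare nine-digit run (for example a routing number), which is the safe direction for a log file.

```python
# Added example: SSN scrubbing as a logging.Filter plus an API serializer that
# returns only the last four digits of an account number. Names are constructed.
import logging
import re

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def mask_ssn(text: str) -> str:
    """Replace every SSN-shaped token with ***-**-NNNN, keeping only the last four."""
    return SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", text)

def mask_account(number: str, keep: int = 4) -> str:
    """Mask all but the last `keep` digits of an account number."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= keep:
        return "*" * len(digits)
    return "*" * (len(digits) - keep) + digits[-keep:]

class SensitiveDataFilter(logging.Filter):
    """Scrubs SSNs from the message template and from string arguments
    before the record reaches any handler or file."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_ssn(str(record.msg))
        if record.args:
            record.args = tuple(mask_ssn(a) if isinstance(a, str) else a
                                for a in record.args)
        return True

def serialize_bank_details(employee: dict) -> dict:
    """Response shape aligned with the UI: masked account, no SSN field at all."""
    return {
        "employee_id": employee["employee_id"],
        "routing_number": employee["routing_number"],
        "account_number_masked": mask_account(employee["account_number"]),
    }

def scrubbed(message: str) -> str:
    """Run a debug message through the filter and return what would hit the log."""
    record = logging.LogRecord("payroll", logging.DEBUG, __file__, 0, message, None, None)
    SensitiveDataFilter().filter(record)
    return record.getMessage()
```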
Password Policy Enforcement
Implemented a minimum 12-character password requirement with complexity rules and compromised password detection.
Measurable Outcomes
The client incorporated secure SDLC recommendations into their roadmap and successfully completed the enterprise security questionnaire, advancing to contract negotiation with the prospective client.
78% Total Vulnerability Reduction
95% Data Exposure Risk Reduction
100% Access Control Coverage
350 SMB Clients Protected
Metric: Before -> After
Critical Vulnerabilities: 1 -> 0
High Vulnerabilities: 3 -> 0
Medium Vulnerabilities: 2 -> 0
Total Findings: 9 -> 2 (informational)
Sensitive Data Exposure Risk: High -> Low
Access Control Integrity: Unvalidated -> Server-side enforced