Application Security ⁽²⁾

The Setup There's this SaaS product I’d been testing — let’s call it WorkspaceX. It’s a platform for managing coworking spaces: bookings, memberships, internal communication, the works. Pretty well put together. Each space gets its own subdomain, like: Admins can create membership plans with different…

During a recent pentest of a coworking space management application, our team had a really productive start. We quickly found some serious stuff: a critical IDOR that let us hijack other tenants' payment methods, and a stored XSS right in the admin dashboard. We also…