# api.your-app.com — Pen Test Engagement
booking 2A4F · 2026-06-08 · 4h22m · Moderate effort
## Executive Summary
Status: 2 critical, 1 high, 3 medium — all reproducible.
Scope: 2 hosts, 47 endpoints. Out-of-scope items deferred and flagged for next engagement.
## Confirmed Exploits
1. JWT signature bypass (CRITICAL · CVSS 8.6)
POST /v1/sessions/refresh — forged token with disabled signature verification, returned 200 OK with admin scope. Reproduction script included.
2. SSRF via OAuth consent redirect (HIGH · CVSS 7.4)
Open redirect on /oauth/authorize resolved arbitrary internal URLs. Reproduction included.
[ trimmed — full summary includes evidence and remediation per finding ]