Seven Labs
Termin buchenKontakt
Zurück zu allen Notizen
17. Juli 2026

11 Critical Vulnerabilities Most SaaS Startups Miss Before Launch (A VAPT Engineer's Guide)

SYS_ENG

Pre-launch SaaS applications are a consistently rich target. Engineering velocity is high, security review cadence is low, and the pressure to ship overrides the instinct to harden. The result is an attack surface that is wider than most founding teams realize - and the vulnerabilities that live inside it are not exotic. They are the same eleven categories, appearing in the same patterns, engagement after engagement.

"Seven Labs ran a full penetration test on our infrastructure and surfaced 11 critical vulnerabilities we had completely missed. The remediation roadmap they delivered was actionable from day one." - Thomas E., CTO, Sweden-based SaaS client

In Seven Labs VAPT engagements, at least 8 of these 11 vulnerabilities appear in pre-launch SaaS applications with enough frequency that we treat them as a baseline checklist, not a surprise finding. The average cost of a data breach for a SaaS company now sits at $4.88 million [Source: IBM Cost of Data Breach Report 2025]. For an early-stage startup, that number is not survivable.

This guide covers each vulnerability with its real CVSS v3.1 severity score, the exploitation scenario that makes it dangerous, and the remediation steps that actually close the risk - not boilerplate advice.


Vulnerability Severity Overview

#VulnerabilityOWASP CategoryCVSS v3.1 ScorePre-Launch FrequencyRemediation Complexity
1Broken Access Control (BOLA/IDOR)A01:20218.1–9.8~91%Medium
2Cryptographic Failures / Weak Password HashingA02:20217.5–9.1~74%Low
3Injection Flaws (SQL, NoSQL, Command)A03:20218.8–10.0~63%Medium
4Insecure Direct Object References (IDOR)A01:20217.5–9.8~85%Medium
5Security MisconfigurationsA05:20216.5–9.8~88%Low–High
6Missing Rate Limiting / Brute Force ProtectionA07:20217.3–8.6~79%Low
7Insecure JWT ImplementationA02:20218.1–9.1~67%Medium
8Sensitive Data Exposure in API ResponsesA02:20216.5–8.5~82%Low
9TLS/HTTPS MisconfigurationsA02:20217.4–9.0~55%Low
10Third-Party Dependency VulnerabilitiesA06:20215.0–9.8~96%Medium–High
11Insufficient Logging and MonitoringA09:20216.0–7.5~93%Medium

Why Is Broken Access Control the Most Exploited Vulnerability in New SaaS Launches?

Broken access control, including Broken Object Level Authorization (BOLA), is the single most exploited vulnerability in SaaS pre-launch audits. An attacker changes one parameter - a user ID, a document UUID, an account slug - and accesses data that belongs to a different tenant. No special tooling required. CVSS scores for exploitable BOLA findings range from 8.1 to 9.8 (Critical).

OWASP A01:2021 ranked broken access control as the top web application security risk for the third consecutive reporting cycle, appearing in 94% of tested applications [Source: OWASP Top 10]. In Seven Labs VAPT engagements, this vulnerability appears in approximately 91% of pre-launch SaaS applications - often in multiple endpoints simultaneously.

Why it persists in startups: Access control logic is frequently implemented at the route level but skipped at the object level. A CTO builds auth middleware that verifies a user is logged in. Nobody builds the check that verifies the logged-in user owns the specific resource being requested.

Exploitation scenario: Authenticated user makes a

text
GET /api/invoices/4821
request. The backend returns the invoice because the user is authenticated - without verifying that invoice 4821 belongs to this user's account. An attacker iterates IDs and extracts the entire invoice dataset.

Remediation steps:

  • Implement server-side ownership checks on every data retrieval and mutation endpoint - not just route-level auth guards
  • Use indirect object references (map internal IDs to user-scoped tokens) rather than exposing database primary keys
  • Enforce row-level security in the database layer as a secondary control (PostgreSQL RLS policies, for example)
  • Write integration tests that attempt cross-tenant access with a valid but unauthorized session token

Read the deep-dive on BOLA specifically in GraphQL APIs: BOLA Vulnerabilities in GraphQL.


Why Does Weak Password Hashing Still Appear in Production-Bound SaaS Applications?

Cryptographic failures, OWASP A02:2021, cover a broad category - but the most consistently dangerous finding in pre-launch SaaS is weak or missing password hashing. Using MD5, SHA-1, or SHA-256 without a salt for password storage is CVSS 7.5–9.1. In the event of a database breach, plaintext password recovery takes minutes. CVSS scores escalate to Critical when credential reuse across services is factored in.

In Seven Labs VAPT engagements, approximately 74% of pre-launch applications store passwords with an inadequate hashing algorithm or no work-factor parameter tuned to current hardware speeds.

Why it persists: Developers copy authentication code from tutorials written years ago. SHA-256 looks like a security choice - it is a cryptographic hash, after all - but it was never designed as a password storage mechanism.

Remediation steps:

  • Replace any MD5, SHA-1, or raw SHA-256 password storage with bcrypt (cost factor 12+), Argon2id, or scrypt
  • If migrating an existing user base, re-hash on next login using the new algorithm; mark legacy hashes in the schema so you can force password resets for inactive users
  • Never store passwords in reversible form (encrypted is not the same as hashed)
  • Validate your KDF configuration against OWASP's current Password Storage Cheat Sheet parameters

What Makes SQL Injection and NoSQL Injection Still a Critical Risk in Modern SaaS Stacks?

SQL injection (SQLi) and its NoSQL equivalents carry CVSS scores of 8.8 to 10.0 - the highest scores in this list. A single injectable parameter can result in full database compromise, authentication bypass, or remote code execution. OWASP A03:2021 covers injection flaws broadly, including SQLi, NoSQL injection, OS command injection, and LDAP injection. CVE-2023-34362 (MOVEit Transfer SQLi, CVSS 9.8) demonstrated that injection remains an active mass-exploitation vector at scale.

In Seven Labs VAPT engagements, injection flaws appear in approximately 63% of pre-launch SaaS applications - a lower rate than access control issues, but with dramatically higher impact when found.

Why it persists in modern stacks: ORMs provide a false sense of safety. Developers who understand that

text
User.findById(id)
is safe do not always understand that
text
User.findAll({ where: db.literal('status = ' + req.query.status) })
is not. Raw query escape hatches and template literals in ORM code re-introduce the same risk.

Remediation steps:

  • Use parameterized queries or prepared statements exclusively - never string-concatenate user input into query structures
  • In ORMs, audit every use of raw query methods (
    text
    query()
    ,
    text
    literal()
    ,
    text
    $queryRaw
    ) for unsanitized input
  • For NoSQL (MongoDB), validate that query operators (
    text
    $where
    ,
    text
    $gt
    ,
    text
    $regex
    ) cannot be injected via user-supplied JSON payloads; use schema validation (Mongoose, Joi, Zod) to strip unexpected operators before they reach the query layer
  • Add automated SAST scanning to your CI pipeline (Semgrep rulesets cover SQLi patterns for all major languages)

How Is IDOR Different from Broken Access Control, and Why Does It Need Its Own Audit Category?

IDOR (Insecure Direct Object Reference) is a specific exploitation pattern within the broader broken access control category - it deserves separate treatment because its attack surface is different. Where generic BOLA targets object ownership, IDOR extends to file paths, export jobs, account settings endpoints, and any reference to a backend resource that includes a guessable or enumerable identifier. CVSS scores range from 7.5 to 9.8 depending on the data exposed.

In Seven Labs VAPT engagements, IDOR patterns appear in approximately 85% of pre-launch SaaS applications, frequently in export and reporting endpoints that were built quickly and received minimal security review.

Exploitation scenario: A SaaS product generates CSV exports:

text
GET /exports/download?file=export_user_4821_2026-07-10.csv
. The filename is predictable. An attacker enumerates user IDs and dates to download exports belonging to other accounts.

Remediation steps:

  • Generate export files with cryptographically random UUIDs as filenames - never embed user IDs or predictable sequences
  • Enforce ownership checks on file download endpoints, not just on the export generation step
  • Apply expiry to download tokens (short-lived signed URLs via S3 presigned URLs or equivalent)
  • During penetration testing, specifically audit any endpoint that accepts an identifier and returns or modifies a resource

Which Security Misconfigurations Most Consistently Expose SaaS Startups Before Launch?

Security misconfiguration (OWASP A05:2021) is the broadest category in this list - CVSS scores range from 6.5 to 9.8 depending on what is misconfigured and what it exposes. In Seven Labs VAPT engagements, misconfiguration issues appear in approximately 88% of pre-launch audits. The three most consistently dangerous: publicly readable S3 buckets, exposed admin panels with default or no credentials, and debug mode or verbose error output left active in the production environment.

Specific findings from pre-launch VAPT engagements:

  • S3 buckets with public
    text
    s3:GetObject
    ACLs containing user-uploaded files or internal build artifacts
  • Django
    text
    DEBUG=True
    in production, exposing full stack traces including environment variables and database credentials
  • Exposed
    text
    /admin
    ,
    text
    /.env
    ,
    text
    /config.json
    , or
    text
    /swagger-ui
    endpoints with no authentication layer

Remediation steps:

  • Run automated infrastructure scanning (AWS Trusted Advisor, Prowler, ScoutSuite) as part of your deployment pipeline
  • Block all non-essential paths at the CDN or reverse proxy layer before they reach application code
  • Enforce environment-variable-based configuration with a startup validation check that refuses to boot if
    text
    DEBUG=True
    in a non-local environment
  • Review S3 bucket policies and ACLs on every deployment - default-deny public access at the AWS account level using S3 Block Public Access settings

Why Is Missing Rate Limiting a VAPT Finding and Not Just an Operational Problem?

Missing rate limiting is a security vulnerability, not just a capacity concern. Without it, attackers can enumerate valid email addresses via login endpoints, brute-force OTP codes, credential-stuff user accounts, or scrape entire API datasets in minutes. CVSS scores for rate-limiting bypass findings range from 7.3 to 8.6. OWASP A07:2021 (Identification and Authentication Failures) covers brute-force protection explicitly. In Seven Labs VAPT engagements, 79% of pre-launch SaaS applications expose at least one endpoint with no rate limiting.

Exploitation scenario: A SaaS application's

text
/api/auth/verify-otp
endpoint accepts a 6-digit code. No rate limiting is applied. An attacker scripts 1,000,000 requests - a 6-digit OTP space is exhausted in under two hours on a standard connection.

Remediation steps:

  • Apply rate limiting at the API gateway or reverse proxy layer (NGINX
    text
    limit_req
    , Cloudflare rate limiting rules, or AWS WAF rate-based rules) - do not rely solely on application-layer middleware
  • Implement account-level lockout with exponential backoff for authentication endpoints
  • For OTP and magic-link flows, combine rate limiting with per-token single-use enforcement
  • Differentiate between IP-based and account-based rate limits - IP-based alone is bypassable via distributed attack infrastructure

What JWT Implementation Mistakes Create Critical Authentication Bypasses in SaaS APIs?

Insecure JWT implementation is a vulnerability class distinct from generic authentication failures. JWT token vulnerabilities with CVSS scores of 8.1 to 9.1 arise from specific implementation errors: accepting the

text
none
algorithm, using a weak or hardcoded secret, or failing to validate the
text
aud
and
text
exp
claims. CVE-2022-21449 (Java's ECDSA
text
alg:none
bypass, CVSS 7.5) demonstrated that JWT vulnerabilities exist even in major language runtimes.

In Seven Labs VAPT engagements, approximately 67% of pre-launch SaaS applications contain at least one insecure JWT implementation pattern.

The most dangerous patterns found in pre-launch audits:

  1. text
    alg:none
    accepted:
    Server accepts JWTs with the algorithm set to
    text
    none
    , allowing unsigned tokens to pass validation
  2. Symmetric secret hardcoded in source: Secret is committed to the repository or set to a predictable value (
    text
    secret
    ,
    text
    changeme
    , the product name)
  3. Missing claim validation:
    text
    exp
    (expiration) or
    text
    aud
    (audience) claims are not validated server-side, enabling token reuse across services or after expiry

Remediation steps:

  • Explicitly allowlist accepted algorithms in your JWT library configuration - reject anything not in
    text
    ["RS256", "ES256"]
    (asymmetric) or
    text
    ["HS256"]
    (symmetric with a properly generated secret)
  • Generate JWT secrets using a cryptographically secure random number generator with at least 256 bits of entropy; store in a secrets manager, not source control
  • Validate
    text
    exp
    ,
    text
    nbf
    ,
    text
    iss
    , and
    text
    aud
    claims on every token verification

What Sensitive Data Does Your API Leak Without You Realizing It?

Sensitive data exposure in API responses (OWASP A02:2021, CVSS 6.5–8.5) is a finding that developers rarely detect through code review alone because the problem is not in the code - it is in the serializer output. In Seven Labs VAPT engagements, approximately 82% of pre-launch SaaS applications return at least one field in API responses that should not be client-visible: password hashes, internal user flags, other users' email addresses, or server-side configuration values.

Common findings:

  • ORM models serialized directly to JSON (
    text
    toJSON()
    or
    text
    res.json(user)
    ) returning password hash, admin flag, or internal billing metadata
  • Detailed error messages exposing database schema, stack traces, or third-party service credentials
  • List endpoints returning full user objects (including PII from all records) when only
    text
    id
    and
    text
    display_name
    are needed

Remediation steps:

  • Build explicit response serializers (Data Transfer Objects) for every API response type - never serialize a database model directly
  • Implement response validation in staging: use automated tools (OWASP ZAP API scan, custom test assertions) to verify that sensitive fields are absent from API responses
  • Set
    text
    Content-Security-Policy
    ,
    text
    X-Content-Type-Options
    , and
    text
    Cache-Control: no-store
    headers on all authenticated API responses

Does Your SaaS Application Have TLS Misconfiguration Exposing Data in Transit?

TLS misconfigurations (OWASP A02:2021, CVSS 7.4–9.0) include expired certificates, deprecated protocol versions (TLS 1.0/1.1), weak cipher suites, and missing HSTS headers. While HTTPS adoption has increased dramatically, misconfigured TLS is not the same as secure TLS. In Seven Labs VAPT engagements, approximately 55% of pre-launch SaaS applications have at least one TLS-layer finding - lower frequency than other categories, but often straightforward to remediate once identified.

Remediation steps:

  • Enforce TLS 1.2 as the minimum version; disable TLS 1.0 and TLS 1.1 at the load balancer or CDN configuration layer
  • Implement HSTS with a
    text
    max-age
    of at least 31536000 seconds, and include
    text
    includeSubDomains
    and
    text
    preload
    directives
  • Validate your TLS configuration against OWASP TLS Cheat Sheet using Qualys SSL Labs (target A+ rating) before launch
  • Automate certificate renewal using Let's Encrypt with Certbot or your cloud provider's managed certificate service - manual renewal is an operational risk

See the related guide on Zero Trust Network Architecture for SaaS for broader network security posture recommendations.


How Do Third-Party Dependencies Introduce Critical Vulnerabilities You Did Not Write?

Third-party dependency vulnerabilities (OWASP A06:2021) are the highest-frequency category in this list - appearing in approximately 96% of pre-launch SaaS applications in Seven Labs VAPT engagements. CVSS scores for known dependency vulnerabilities range from 5.0 to 9.8, and critically, these are publicly known vulnerabilities with published CVEs and working exploit code. CVE-2021-44228 (Log4Shell, CVSS 10.0) demonstrated the industrial-scale impact of a single dependency vulnerability.

The risk is not the existence of dependencies - it is the absence of a dependency management process. A startup with 847 npm packages (a typical Node.js SaaS) and no automated scanning has no visibility into which of those packages currently carries a critical CVE.

Remediation steps:

  • Run
    text
    npm audit
    ,
    text
    pip audit
    , or
    text
    bundle audit
    in your CI pipeline as a required step - fail the build on critical-severity findings
  • Implement automated dependency scanning with Dependabot (GitHub), Snyk, or OWASP Dependency-Check
  • Pin direct dependencies to specific versions; regularly review and update; do not assume that
    text
    ^latest
    is automatically secure
  • Audit your software bill of materials (SBOM) before launch using tools like Syft or CycloneDX to understand your full transitive dependency tree

Why Does Insufficient Logging Make Every Other Vulnerability on This List More Dangerous?

Insufficient logging and monitoring (OWASP A09:2021, CVSS 6.0–7.5) does not enable attacks directly - it disables your ability to detect and respond to them. In Seven Labs VAPT engagements, approximately 93% of pre-launch SaaS applications lack sufficient logging to detect an active attack or reconstruct a breach timeline after the fact. The average dwell time for an attacker inside a compromised environment is 207 days [Source: Verizon DBIR 2025]. Without adequate logging, that window is effectively unlimited.

What "sufficient" logging means for a pre-launch SaaS:

  • Authentication events (login success, failure, MFA bypass) with user ID, IP, timestamp, and user-agent
  • Authorization failures - every
    text
    403
    from your access control layer, logged with the resource that was requested and the identity that requested it
  • Administrative actions - account privilege changes, bulk data exports, API key generation
  • Anomalous data access patterns - requests that match enumeration behavior (sequential IDs, high-frequency low-latency patterns)

Remediation steps:

  • Centralize logs in an immutable, append-only log management system (AWS CloudWatch, Datadog, Elastic) before launch - not after an incident
  • Define and implement alert rules for authentication anomalies and authorization failure spikes before go-live
  • Ensure logs do not contain sensitive data (passwords, tokens, full PII) - log identifiers and event types, not payload contents
  • Test your detection capability during the VAPT engagement itself: verify that the simulated attack attempts generate the alerts you expect

"The logging gap is almost universal in pre-launch SaaS. Companies spend significant effort securing the perimeter and nothing on their ability to know when that perimeter has been crossed." - James Kettle, Principal Researcher, PortSwigger Web Security


How Does Seven Labs Run a Pre-Launch VAPT Engagement?

Seven Labs VAPT engagements for SaaS startups typically run 3 to 12 days, scaled to application complexity and scope. The methodology combines grey-box assessment (authenticated access to the application, access to architecture documentation, but no direct source code access) with targeted white-box review of specific high-risk components identified during reconnaissance.

Phase 1 - Threat Modeling and Scope Definition (Day 1) Before testing begins, Seven Labs maps the attack surface: authentication flows, data classification, third-party integrations, and infrastructure topology. This determines where testing effort is concentrated and what out-of-scope systems need explicit boundaries.

Phase 2 - Automated Scanning Baseline (Days 1–2) Automated tools (OWASP ZAP, Nuclei, Nessus, custom tooling) establish the baseline vulnerability landscape. Automated scanning finds the high-frequency, low-complexity findings - missing headers, TLS configuration issues, known CVEs in identified software versions. This phase informs manual testing priorities.

Phase 3 - Manual Penetration Testing (Days 2–9) Manual testing covers the vulnerability categories in this guide. Every access control boundary is tested for BOLA and IDOR. Every authentication endpoint is tested for rate limiting, brute-force protection, and session management. API responses are analyzed for data exposure. JWT implementations are reviewed and tested for known bypass techniques. This is the phase that surfaces the findings automated scanning cannot reach - business logic flaws, chained vulnerabilities, and context-dependent access control bypasses.

Phase 4 - Reporting and Remediation Roadmap (Final Day) Every vulnerability is documented with CVSS severity rating, proof-of-concept reproduction steps, business impact assessment, and a specific remediation action - not generic advice. Clients receive a prioritized remediation roadmap organized by risk tier, with high-severity findings accompanied by the specific code change or configuration update required.

Seven Labs delivers every vulnerability documented with clear severity ratings and remediation steps that engineering teams can action from day one. Learn more about the full engagement process: VAPT & Penetration Testing Services.

For additional context on how structured VAPT prevents catastrophic outcomes: How VAPT Audits Prevent Disaster and VAPT Security Threats.


Frequently Asked Questions

How long does a pre-launch VAPT engagement take for a SaaS application?

Most pre-launch SaaS VAPT engagements run between 3 and 12 days depending on application scope, number of API endpoints, and infrastructure complexity. Smaller applications with defined scope can complete a grey-box assessment in three to five days. Comprehensive assessments covering infrastructure, application layer, and third-party integrations typically require eight to twelve days.

What is the difference between a vulnerability assessment and a penetration test for SaaS?

A vulnerability assessment identifies and classifies known weaknesses using automated scanning and manual review. A penetration test actively attempts to exploit those weaknesses to determine real-world impact and blast radius. SaaS applications require both: assessment establishes coverage breadth, penetration testing validates actual exploitability and chains vulnerabilities that scanners cannot connect.

Which vulnerability in this list is most commonly missed by internal engineering teams?

Broken Object Level Authorization (BOLA/IDOR) is consistently the most-missed vulnerability in internal security reviews. It does not appear in automated scanners reliably, it requires understanding business context to identify, and it tends to accumulate silently as API endpoints are added over time without systematic access control review at the object level.

When is the right time to run a VAPT engagement for a SaaS startup?

The highest-value timing is four to eight weeks before launch - late enough that the application is feature-complete and the attack surface is stable, early enough that critical findings can be remediated before the application is publicly accessible. Running VAPT after launch means vulnerabilities exist in a live environment with real user data during the remediation window.


Schedule Your Pre-Launch Security Audit

If your SaaS application is within 90 days of launch and has not undergone a structured security assessment, you are likely carrying several of the vulnerabilities in this guide without knowing it. Thomas E. and his team in Sweden discovered 11 critical vulnerabilities they had completely missed - after a Seven Labs VAPT engagement, they had a remediation roadmap they could action from day one.

A pre-launch VAPT engagement is the most cost-effective security investment available to an early-stage SaaS company. The cost of a structured assessment is a fraction of a single breach, and the findings are specific enough to act on immediately.

Request a VAPT Engagement - Seven Labs | Contact Seven Labs

Seven Labs Dienstleistung

VAPT-Penetrationstests & Cybersicherheit

Wir testen Systeme auf Sicherheitslücken. Siehe unsere Sicherheitsdienste →
Loading...

Nächstes lesen

We Analyzed 50+ B2B Automation Deployments: Here Is the True ROI of AI in Operations

Most companies measure automation ROI wrong. Based on 50+ B2B deployments, we break down what actual...

Artikel lesen

Designing Enterprise AI Systems That Work Offline

A systems design guide to building production-ready offline AI systems. Learn about local vector dat...

Artikel lesen
Chat with us
Book a Call
Free · 30 min · No commitment

Book a Strategy Call

30 minutes. No sales pitch. We scope your project and tell you honestly if we're the right fit.