wehackitbeforetheydo.com
Sample report

What you actually get.

A typical week ends with 8–15 findings. Below are three real-shape examples — anonymised from real engagements. Each one is one page in your PDF: severity, where it lives, what it means, how to reproduce it, how to close it.

CRITICAL api.example.com · /rest/v1/users

Authentication bypass via misconfigured Supabase RLS

Row-level security policy on the users table allowed any authenticated user to read every other user's record by changing one query parameter.

Impact

Read access to email addresses, phone numbers, and password reset tokens for all 12,400 active accounts. A malicious user could have used this to take over accounts at will.

How to reproduce
  1. Sign up as user A.
  2. Make a GET request to /rest/v1/users?id=neq.<your_id>.
  3. Observe full row data for every other user in the response.

Fix

Replace the policy `(true)` with `(auth.uid() = id)` on the users table. Add a regression test that asserts user A cannot read user B.

HIGH app.example.com · main.<hash>.js

Stripe restricted key in client bundle

A Stripe restricted key (rk_live_...) was bundled into the public JavaScript file. With it, an attacker can list all customers and create new charges against your account.

Impact

Read access to customer list (names, emails, addresses). Ability to create charges. Roughly 8,200 customers exposed.

How to reproduce
  1. Open https://app.example.com.
  2. View source on the bundled JS at /static/main.4f8a.js.
  3. Search for "rk_live_". The key starts at line 1, column 482,144.

Fix

Rotate the key in Stripe Dashboard immediately (do this first, before deploying). Move all calls that need this key to a server-side function. Add a CI check that greps the build output for `(sk|rk)_live_`.

MEDIUM app.example.com · /support/thread

Stored XSS in support-message rendering

User-submitted support messages are rendered with React's dangerouslySetInnerHTML after only stripping <script> tags. Other HTML and event handlers are preserved.

Impact

An attacker who opens a support ticket can run JavaScript in any agent's browser when the agent views the thread. The session cookie is HttpOnly, but the agent's CSRF token is reachable from JS.

How to reproduce
  1. Open a support ticket.
  2. In the message body, paste: <img src=x onerror="alert(document.domain)">
  3. When an agent views the ticket, the alert fires.

Fix

Render user content with text only, or pass it through a strict sanitizer (we suggest DOMPurify with the default config). Treat any allowlisted HTML as a separate explicit feature.
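As an added example, not code from the finding or from the app: the gap between the strip-`<script>` approach described above and rendering the message as text. `stripScriptTags` mirrors the vulnerable behaviour, `escapeHtml` is what rendering a string as a plain React child amounts to, and `hasInlineHandler` is a regression check for the reproduce step. The sample message is the payload already quoted in the finding; DOMPurify is not included because it needs a DOM to run.

```javascript
// Added example (not the project's code): why removing <script> tags is not
// a sanitizer, and what "render as text" means in practice.

// The vulnerable approach from the finding: drop <script>...</script> and
// hand everything else to dangerouslySetInnerHTML. Tags and their event
// handler attributes survive untouched.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Text-only rendering: encode the five characters that mean something to an
// HTML parser so the browser displays the message verbatim instead of
// parsing it. React does this for you when a string is rendered as a child
// rather than via dangerouslySetInnerHTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Regression check matching the reproduce step: does the string that will
// reach the DOM still contain a tag carrying an on* attribute?
function hasInlineHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: the exact payload quoted in the finding.
const SAMPLE_MESSAGE = '<img src=x onerror="alert(document.domain)">';

// Side-by-side result for the reader.
console.log("strip <script> only :", stripScriptTags(SAMPLE_MESSAGE));
console.log("render as text      :", escapeHtml(SAMPLE_MESSAGE));
```

With DOMPurify the equivalent line is `DOMPurify.sanitize(message)`; its default configuration removes `onerror` and the other event-handler attributes while keeping benign markup. Whichever option is chosen, the regression test is the same: the string that reaches the DOM must not satisfy `hasInlineHandler`.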

Want the real PDF?

Drop your details and we'll send you a fully redacted sample report from a recent engagement.
