We found an average of 6 critical vulnerabilities in client applications in the very first month

Average Number of Vulnerabilities Over Time

The figures below show the average count of unique vulnerabilities found per client application.

Most Common Critical Vulnerabilities (By Industry)


Placing Order at Zero Amount:

This is an astonishingly common security flaw on e-commerce platforms. Exploiting inadequate security controls in the payment flow allows the attacker to complete a purchase at zero value, whatever the listed price.



91% found on our customers' applications

Two factor authentication bypass:

Two-Factor Authentication (2FA) has been a vital add-on to the security of the banking and fin-tech industry. Since we began, we have successfully bypassed more than 40 types of 2FA and One-Time Password integrations. If we can exploit weak security practices, misconfigurations, and deficient controls, so can the fraudsters.

It gets worse. Where a One-Time Password is the only authentication factor, the authentication schema is totally compromised. It might just as well not be there.


83% found on our customers' applications

Customer Data Exposure via Insecure APIs:

Over and over again, we have found serious misconfigurations in our clients' top-tier APIs. The result? Broken access controls allowed access to sensitive user data including personal identification data, medical records, contact information and payment details. Not only could we read it, we could modify it. If we can get at (and change) your customer data, so can the crooks. Our solution: configure the APIs securely, with authorization enforced on every endpoint.


87% found on our customers' applications

Privilege Escalation to Admin:

Privilege Escalation means that ordinary users can gain administrative privileges and access data they should never be able to get near. Worse than that, they can change or remove the access privileges of others. This is currently the most rapidly growing security vulnerability class across SaaS.


74% found on our customers' applications

Insecure Direct Object Reference Leading to Data Exposure:

Organizations that provide white-labelled B2B technology rely on APIs to control features and define access control. Frighteningly, the most common practice we have found is the transmission of data through APIs that lack adequate authorization controls. Ultimately, all customer information is compromised. That is bad, and there is worse: in a number of cases, it is not only end-user information that is exposed but the whole service provider application.


68% found on our customers' applications

Privileged Access to Materials:

Edu-tech companies generally provide resources to users according to a pre-defined subscription plan or by selling specific e-books. In the majority of cases, we found legitimate endpoints that allowed access through IDOR (Insecure Direct Object References) or by bypassing restrictions. The result? We were able to access all resources without subscribing to any plan or purchasing any e-book.
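Both the B2B API exposure and the edu-tech material access above come down to the same missing control: the server looks an object up by the identifier in the request without checking that this user is entitled to it. The added example below (illustrative code, not from SecurityEscape or any client) shows an object-level authorization check that decides from server-held records only: a record's owner may read it, a catalog item is available to users whose subscription tier covers it or who purchased it, and "not found" and "not entitled" produce the same error so the endpoint cannot be used to enumerate valid ids. Users, tiers and resource ids are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional


class AccessDenied(Exception):
    """Single error for unknown and unauthorized ids (no enumeration oracle)."""


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_id: Optional[str]  # set for per-user records, None for catalog items
    min_tier: int            # lowest subscription tier that includes it (0 = free)
    purchasable: bool        # may also be bought individually


@dataclass
class User:
    user_id: str
    tier: int = 0
    purchased: set[str] = field(default_factory=set)


# Constructed sample records (hypothetical ids).
RESOURCES = {
    "ebook-free": Resource("ebook-free", None, min_tier=0, purchasable=False),
    "ebook-pro": Resource("ebook-pro", None, min_tier=2, purchasable=True),
    "ebook-ent": Resource("ebook-ent", None, min_tier=3, purchasable=False),
    "report-u1": Resource("report-u1", owner_id="u1", min_tier=99, purchasable=False),
}


def fetch_resource(user: User, resource_id: str) -> Resource:
    """Return the resource only if this user is entitled to it.

    Entitlement is derived from the user's own subscription and purchase
    records, never from fields in the request; the lookup key alone is
    not sufficient to obtain the object.
    """
    res = RESOURCES.get(resource_id)
    if res is None:
        raise AccessDenied(resource_id)
    entitled = (
        res.owner_id == user.user_id
        or (res.owner_id is None and user.tier >= res.min_tier)
        or (res.purchasable and resource_id in user.purchased)
    )
    if not entitled:
        raise AccessDenied(resource_id)
    return res


def can_access(user: User, resource_id: str) -> bool:
    try:
        fetch_resource(user, resource_id)
        return True
    except AccessDenied:
        return False
```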


89% found on our customers' applications

Accessing and Changing Routes of Delivery:

Most of our transportation clients are in the freight industry. In screening their applications, we were repeatedly able to access all delivery information and even manipulate the routes. Most delivery systems are automated, which makes manipulated routes very difficult to restore and can increase the cost of ongoing shipments. Where consignments carry sensitive information meant to stay confidential until it reaches its destination, a breach will usually be expensive and may (for example, in the case of pharmaceuticals) involve non-compliance with legal and regulatory requirements.


77% found on our customers' applications

Threat Scale

  • Total vulnerabilities: 524
  • Affected companies: 52%
  • Threat score: 9
  • Average fix time: 14.2 hrs

The above information was derived from customer data analytics over a one-year period, combining those metrics with manual and automated assessments.
Neither automated methods nor manual inspection can on their own reveal all vulnerabilities. SecurityEscape’s security engineers use a combination of automation, manual inspection and (a crucial additional component) human creativity to examine every single endpoint and identify application-logic vulnerabilities.
Threat Score is SecurityEscape’s in-house scoring system to define the level of severity of any security vulnerability. Unlike CVSS (Common Vulnerability Scoring System), Threat Score also takes into account the application’s environment. Threat Score relies on three important factors:

  • Vulnerability
  • Affected Endpoint
  • Associated Risk

In automated assessments, the reported risk is based on the tags and keywords in response data and on the number of affected endpoints. CVSS is a broad approach developed to score multiple environments, while Threat Score is focused on a dedicated application environment where the risks are clearly defined.
Unlike others, we focus solely on application security and do not follow a predefined checklist. We begin by analyzing your application together with its specific business logic. Then we work intensively on assessing every endpoint to find any possible vulnerability or logical error capable of compromising user privacy or privileges. We help you fix open vulnerabilities and build a secure architecture throughout the development process, analyzing the UX impact to ensure that user experience is at least maintained (and, ideally, improved).
For now, no. We are working on this feature and expect to introduce it in the upcoming year.