
Case Study 02 — Security Engineering

Web Application Security Audit & Hardening

End-to-end security assessment, penetration testing, and implementation of security enhancements across web applications — covering vulnerability discovery, remediation, and endpoint protection.

Author: Razan Sarraf
Engagement Type: Penetration Testing, Security Audit, Bug Fixing, Implementation
Scope: Web Applications, API Endpoints, Authentication Systems
Role: Security Engineer
Key Deliverable: Hardened Applications with Zero Critical Vulnerabilities

Technologies Used

  • Pen Testing
  • Security Audit
  • Bug Fixes
  • Endpoint Security
  • Google reCAPTCHA

The Challenge

Web applications in production often accumulate security debt over time — unpatched vulnerabilities, misconfigured endpoints, and weak authentication controls. The challenge was to:

  • Identify all exploitable vulnerabilities across application layers before malicious actors could.
  • Address authentication weaknesses, including lack of bot protection on login and form submission endpoints.
  • Audit existing APIs and endpoints for improper authorization, data exposure, and injection risks.
  • Remediate discovered issues without disrupting live application functionality.
  • Implement lasting security enhancements and update the application's security posture going forward.

The Solution

A structured, phased security engagement was carried out across three stages:

Phase 1 — Penetration Testing

  • Conducted black-box and grey-box penetration tests simulating real-world attacker scenarios.
  • Tested for OWASP Top 10 vulnerabilities including SQL injection, XSS, CSRF, broken authentication, and insecure direct object references (IDOR).
  • Mapped all exposed endpoints and attack surfaces, documenting exploitable paths.

Phase 2 — Security Audit & Bug Fixes

  • Performed a comprehensive code and configuration audit across application layers.
  • Identified and fixed critical and high-severity bugs including input validation gaps, session management flaws, and insecure file upload handling.
  • Reviewed database query practices and replaced vulnerable raw queries with parameterized statements.

Phase 3 — Endpoint Security & Enhancements

  • Implemented Google reCAPTCHA v3 on all public-facing forms and authentication endpoints to prevent automated bot attacks and credential stuffing.
  • Applied rate limiting and IP-based throttling to sensitive API endpoints.
  • Enforced HTTPS, updated security headers (CSP, HSTS, X-Frame-Options), and reviewed CORS policies.
  • Delivered a post-engagement security report with risk ratings, proof-of-concept findings, and remediation guidance.
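The two endpoint controls above, reCAPTCHA v3 verification and per-IP rate limiting, as an added illustration that is not the case study's own code. The verification logic takes the JSON body Google's siteverify endpoint returns (success, score, action, hostname, challenge_ts); the score threshold, request limits and window size are assumed values chosen for the example.

```javascript
// Added example: server-side decisions for a reCAPTCHA v3 response and a
// per-IP rate limiter. The siteverify body shape is Google's documented
// response; thresholds and limits below are assumptions for illustration.

// Decide whether a verified reCAPTCHA v3 token should be accepted.
// `expected` = { action, hostname, minScore }; `nowMs` is injectable for tests.
function evaluateRecaptcha(body, expected, nowMs = Date.now()) {
  const reasons = [];
  const b = body || {};
  if (b.success !== true) reasons.push('token rejected by siteverify');
  // Bind the token to the form it was issued for and to our own domain.
  if (b.action !== expected.action) reasons.push('action mismatch');
  if (b.hostname !== expected.hostname) reasons.push('hostname mismatch');
  // v3 returns a 0.0..1.0 score; low scores indicate likely automation.
  if (typeof b.score !== 'number' || b.score < expected.minScore) {
    reasons.push('score below threshold');
  }
  // reCAPTCHA tokens expire after two minutes; reject stale ones to limit replay.
  const age = b.challenge_ts ? nowMs - Date.parse(b.challenge_ts) : NaN;
  if (!(age >= 0 && age <= 120000)) reasons.push('challenge timestamp stale or invalid');
  return { allowed: reasons.length === 0, reasons };
}

// Sliding-window limiter keyed by client IP (in-memory; a shared store such
// as Redis would be needed across several application instances).
class IpRateLimiter {
  constructor(maxRequests, windowMs) {
    this.max = maxRequests;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> array of request timestamps (ms)
  }
  // Returns true if the request may proceed, false if it should get HTTP 429.
  allow(ip, nowMs = Date.now()) {
    const recent = (this.hits.get(ip) || []).filter(t => nowMs - t < this.windowMs);
    if (recent.length >= this.max) {
      this.hits.set(ip, recent);
      return false;
    }
    recent.push(nowMs);
    this.hits.set(ip, recent);
    return true;
  }
}
```

A login handler would call `IpRateLimiter.allow()` first (cheap) and only then spend a siteverify round trip and `evaluateRecaptcha()` on the response.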

Key Features

  • Full OWASP Top 10 vulnerability assessment
  • Black-box and grey-box penetration testing methodology
  • Parameterized query implementation to eliminate SQL injection
  • Google reCAPTCHA v3 integration for bot mitigation
  • Security headers enforcement (CSP, HSTS, X-Frame-Options)
  • Rate limiting on sensitive endpoints
  • Detailed findings report with severity ratings and remediation roadmap

Outcome

Following the engagement, all critical and high-severity vulnerabilities were remediated. The application's security posture was significantly improved with no remaining exploitable critical issues. Google reCAPTCHA implementation eliminated automated bot submissions on public forms, and the endpoint hardening reduced the overall attack surface substantially. A remediation report was delivered for ongoing security reference.


© 2026 Razan Sarraf. All rights reserved.
