Case study
Licensed European Sportsbook
Grey-box assessment against a high-traffic sportsbook. A chain of Critical IDOR flaws in the wallet endpoint allowed balance manipulation across tenants.
Findings summary
Problem
The brief.
A licensed European sportsbook with seven-figure daily turnover needed a pre-audit security assessment before a regulator refresh. Two prior firms had delivered clean reports; the CTO wanted an adversarial perspective focused on business-logic flows: wallet, bet placement, and payout rails.
Approach
How we ran it.
Three-week grey-box engagement. Focused on tenant isolation, bet-settlement race conditions, and wallet mutation endpoints. Manual testing across REST and WebSocket APIs, backed by custom scripts for fuzzing the bet-placement flow.
Result
What changed.
Two Critical IDOR findings chained into cross-tenant balance manipulation — one of them reproducible in two HTTP requests. Four High findings spanning promo abuse, OTP rate-limit bypass, and withdrawal race conditions. Full remediation delivered in three sprints; retest confirmed zero regressions.
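The pattern behind a wallet IDOR is a mutation handler that trusts the client-supplied object identifier and never checks that the object belongs to the authenticated caller's tenant and account. The following is an added illustration of that class and of the tenant-scoped ownership check that closes it; it is not code from the sportsbook, the assessment, or the report, and every name in it (Session, Wallet, WalletStore, the adjust_balance_* handlers) and the sample balances are constructed for the example.

```python
"""Constructed illustration of a wallet-mutation IDOR and its hardened form.

Added example, not code from the sportsbook or the assessment. All names
and sample data are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Session:
    """Authenticated caller, as the API layer would establish it from the token."""
    tenant_id: str
    account_id: str


@dataclass
class Wallet:
    wallet_id: int
    tenant_id: str
    account_id: str
    balance_cents: int


class WalletStore:
    """Minimal in-memory stand-in for the wallet table."""

    def __init__(self, wallets):
        self._by_id = {w.wallet_id: w for w in wallets}

    def get(self, wallet_id):
        return self._by_id.get(wallet_id)


class Forbidden(Exception):
    pass


def adjust_balance_vulnerable(store, session, wallet_id, delta_cents):
    """Vulnerable: the wallet is looked up by the client-supplied id alone.

    The session is accepted but never compared against the wallet's owner,
    so any authenticated caller can mutate any wallet whose id they can guess
    or obtain from another endpoint (the IDOR).
    """
    wallet = store.get(wallet_id)
    if wallet is None:
        raise KeyError(wallet_id)
    wallet.balance_cents += delta_cents
    return wallet.balance_cents


def adjust_balance_hardened(store, session, wallet_id, delta_cents):
    """Hardened: ownership is enforced against the session before mutating.

    Tenant and account must both match. 'Missing' and 'not yours' share one
    error so the endpoint cannot be used to enumerate valid wallet ids.
    """
    wallet = store.get(wallet_id)
    if (wallet is None
            or wallet.tenant_id != session.tenant_id
            or wallet.account_id != session.account_id):
        raise Forbidden("wallet not found")
    if delta_cents < 0 and wallet.balance_cents + delta_cents < 0:
        raise ValueError("insufficient funds")
    wallet.balance_cents += delta_cents
    return wallet.balance_cents


def build_store():
    """Constructed sample data: two tenants, one wallet each."""
    return WalletStore([
        Wallet(1001, "tenant-a", "acct-1", 50_00),
        Wallet(2002, "tenant-b", "acct-9", 120_00),
    ])


def demo():
    """Run the same cross-tenant credit against both handlers.

    Returns (vulnerable result, hardened blocked?, own-wallet result,
    tenant-b balance after the hardened attempt).
    """
    attacker = Session("tenant-a", "acct-1")

    # Vulnerable handler: a tenant-a caller credits a tenant-b wallet.
    vuln = build_store()
    cross_tenant = adjust_balance_vulnerable(vuln, attacker, 2002, 1_000_00)

    # Hardened handler: the same request is refused, own wallet still works.
    hard = build_store()
    try:
        adjust_balance_hardened(hard, attacker, 2002, 1_000_00)
        blocked = False
    except Forbidden:
        blocked = True
    own = adjust_balance_hardened(hard, attacker, 1001, -20_00)
    return cross_tenant, blocked, own, hard.get(2002).balance_cents


if __name__ == "__main__":
    print(demo())
```

The check belongs in the handler that performs the mutation, not only in the listing endpoint that hands out ids: an IDOR chain of the kind described above typically pairs a read endpoint that leaks identifiers with a write endpoint that trusts them, and fixing only the read side leaves the write side exploitable by anyone who can guess an id.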
Methodology
What we did.
- OWASP ASVS Level 3 coverage
- WebSocket + REST fuzzing
- Business-logic attack tree
- Retest within 30 days
Outcome
Prevented cross-tenant balance manipulation at scale. All critical and high findings patched within 30 days; retest closed with zero outstanding issues.
The report read like an internal postmortem — clear root-cause, clean PoCs, and remediation that our engineers actually implemented in a sprint. Easily the most useful pentest we have commissioned.