Mass assignment let users grant themselves admin

AI-built SaaS, Laravel 12

Redacted case study. How a privilege-escalation bug in AI-generated code was found and fixed before launch.

14 findings · 4 critical · 5 days turnaround

The challenge

A founder built a B2B SaaS with Cursor in a few weeks and was days from launch. The app handled customer data but had never been security reviewed.

The approach

A five-day AI-Code Audit Sprint: a manual review of routes, controllers, models, auth and config, backed by static analysis and dependency scanning.

What we found

The user profile update bound request input directly to the model:

// flagged
$user->update($request->all());

// fix
$user->update($request->validated());

Because $fillable included the role column, any user could set role=admin on their own account. Four criticals in total, including a raw-query injection and secrets committed to the repo.
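The pattern above, written out as an added example (not the audited application's code): the flagged controller beside the fixed one with its FormRequest, plus a feature test that fails while the bug is present. Class names, the /profile route and the role column on the User factory are assumptions.

```php
<?php
// Added example, not the audited application's code; class and route names are assumed.
// Flagged: every request key reaches fill(), so role=admin is honoured
// whenever 'role' is listed in the model's $fillable array.
class ProfileControllerVulnerable extends \Illuminate\Routing\Controller
{
    public function update(\Illuminate\Http\Request $request)
    {
        $request->user()->update($request->all());
        return response()->noContent();
    }
}

// Fix: a FormRequest whitelists the profile fields. validated() returns only
// keys that have a rule, so 'role' is dropped before fill() ever sees it.
class UpdateProfileRequest extends \Illuminate\Foundation\Http\FormRequest
{
    public function authorize(): bool { return $this->user() !== null; }

    public function rules(): array
    {
        return [
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ];
    }
}

class ProfileController extends \Illuminate\Routing\Controller
{
    public function update(UpdateProfileRequest $request)
    {
        $request->user()->update($request->validated());
        return response()->noContent();
    }
}

// Regression test: a profile update carrying role=admin must leave role unchanged.
class ProfileUpdateTest extends \Tests\TestCase
{
    use \Illuminate\Foundation\Testing\RefreshDatabase;

    public function test_role_cannot_be_set_via_profile_update(): void
    {
        $user = \App\Models\User::factory()->create(['role' => 'user']);
        $this->actingAs($user)
             ->patch('/profile', ['name' => 'Ada', 'email' => 'ada@example.test', 'role' => 'admin'])
             ->assertNoContent();
        $this->assertSame('user', $user->fresh()->role);
    }
}
```

Removing role from the model's $fillable array is an independent second layer; the test keeps both layers honest as the codebase changes.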

The result

Every finding shipped with a fix. The team remediated in two days, we retested, and the app launched clean.

Get the same review for your app.

Book an AI-Code Audit Sprint.