# Security Review Sample

- Target: Example Express route handler
- Scope: One route module
- Method: Manual review against common OWASP risks

## Summary

Three concrete findings were identified:

1. SQL injection risk from a string-built query
2. Missing ownership check on record access
3. Sensitive error details returned to clients

## Findings

### 1. SQL Injection

- Severity: High
- Affected line: 18

Problem: The handler interpolates `req.query.email` directly into a SQL string.

Why it matters: Anyone who controls the email value can change the query's logic and read or modify rows the query was never meant to touch.

Fix: Use parameterized queries instead of string concatenation, so the SQL text stays constant and the user-supplied value is passed to the driver only as a bound parameter.

Example remediation:

```ts
// The SQL text is fixed; the email is bound as $1 (pg placeholder syntax),
// so the driver never parses it as SQL. Validate req.query.email as a single
// string first: Express's query parser can also produce arrays or objects.
const result = await db.query(
  "select id, email from users where email = $1",
  [req.query.email]
)
```

### 2. Broken Access Control

- Severity: High
- Affected lines: 26-31

Problem: The route fetches a user record by `req.params.userId` but does not verify that the authenticated user is allowed to access it.

Why it matters: An authenticated attacker can read other users' data simply by changing the ID in the path.

Fix: Compare the requested resource owner with the authenticated principal before returning data. Return `403` on mismatch, and `401` if no authenticated principal is present at all.

### 3. Internal Error Leakage

- Severity: Medium
- Affected line: 40

Problem: The API returns `err.stack` in the JSON response body.

Why it matters: Stack traces leak framework paths, query details, and implementation hints that help an attacker target the next request.

Fix: Log the full error server-side and return a generic message to the client.

Example remediation:

```ts
// Full detail goes to the server log; the client only sees a fixed message.
logger.error({ err }, "user route failed")
return res.status(500).json({ error: "internal server error" })
```

## Delivery Format

A typical full deliverable includes:

- issue title
- severity
- affected lines
- exploit or failure mode
- concrete remediation
- optional patched snippet
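## Patched Snippet

The three fixes combined into one hardened handler, as an added example rather than the reviewed module's own code. Express and pg are replaced by minimal stand-in types (`Req`, `Res`, `Db`, `Logger`), the database is a synchronous in-memory fake loaded with constructed rows, and the `admin` role name is an assumption. The handler returns a plain response object so the access-control and error-handling paths can be exercised directly; the string-built query from finding 1 is kept beside its parameterized replacement only to show the contrast.

```typescript
// Added example, not the reviewed module's code. Express and pg are replaced by
// minimal hypothetical stand-ins (Req, Res, Db, Logger) so this runs offline.

type Principal = { id: string; roles: string[] };
type Req = { params: { userId: string }; query: { email?: unknown }; user?: Principal };
type Res = { status: number; body: Record<string, unknown> };
type Row = Record<string, unknown>;

interface Db {
  // Synchronous stand-in for pg's query(text, values): the SQL text and the
  // bound values are always handed to the driver separately.
  query(sql: string, params: unknown[]): { rows: Row[] };
}

interface Logger {
  error(ctx: Record<string, unknown>, msg: string): void;
}

// Finding 1, "before": string-built query, shown only for contrast. The return
// value is the SQL text the database would receive, input and all.
function vulnerableQueryText(email: string): string {
  return `select id, email from users where email = '${email}'`;
}

// Finding 1, "after": constant SQL text, user input only in the bound values.
function findUserByEmail(db: Db, email: unknown): Row | null {
  // Express may parse ?email[]=a&email[]=b into an array; insist on one string.
  if (typeof email !== "string") return null;
  const result = db.query("select id, email from users where email = $1", [email]);
  return result.rows[0] ?? null;
}

// Finding 2: ownership check. The requested id must belong to the authenticated
// principal; the "admin" role (hypothetical name) is allowed through.
function canAccessUser(principal: Principal | undefined, userId: string): boolean {
  if (!principal) return false;
  return principal.id === userId || principal.roles.includes("admin");
}

// Findings 2 and 3: the hardened handler. It returns a plain Res object instead
// of writing to an Express response so it can be called directly.
function getUserHandler(req: Req, db: Db, logger: Logger): Res {
  try {
    if (!req.user) return { status: 401, body: { error: "unauthenticated" } };
    if (!canAccessUser(req.user, req.params.userId)) {
      return { status: 403, body: { error: "forbidden" } };
    }
    const result = db.query("select id, email from users where id = $1", [req.params.userId]);
    const row = result.rows[0];
    if (!row) return { status: 404, body: { error: "not found" } };
    return { status: 200, body: row };
  } catch (err) {
    // Full detail stays server-side; the client gets a fixed message.
    logger.error({ err }, "user route failed");
    return { status: 500, body: { error: "internal server error" } };
  }
}

// Constructed in-memory database. It records every call so a caller can confirm
// that user input never reaches the SQL text, and can be told to fail.
class FakeDb implements Db {
  calls: { sql: string; params: unknown[] }[] = [];
  constructor(private rows: Row[], private failWith?: Error) {}
  query(sql: string, params: unknown[]): { rows: Row[] } {
    this.calls.push({ sql, params });
    if (this.failWith) throw this.failWith;
    // Only the two fixed queries above are understood; match on the bound value.
    const key = sql.includes("where id =") ? "id" : "email";
    return { rows: this.rows.filter((r) => r[key] === params[0]) };
  }
}

// Captures what the server-side log would contain.
class MemoryLogger implements Logger {
  entries: string[] = [];
  error(ctx: Record<string, unknown>, msg: string): void {
    const err = ctx.err;
    this.entries.push(`${msg}: ${err instanceof Error ? err.stack ?? err.message : String(err)}`);
  }
}

// Constructed sample rows.
const sampleRows: Row[] = [
  { id: "u1", email: "alice@example.com" },
  { id: "u2", email: "bob@example.com" },
];
```

With a real Express app the same functions sit behind `app.get("/users/:userId", ...)`, `req.user` is populated by the authentication middleware, and `Db` is the pg pool; nothing in the access-control or error-handling logic changes.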