Hawthorn Security

Identifying vulnerabilities before they become threats.

Services

We find it,
before they do

Hawthorn Security specialises in hands-on penetration testing and security auditing for web systems, mobile applications, server infrastructure, and the people who use them. We know the stacks you build on because we build on them too.

Web & PHP
Code Auditing

Deep-dive security audits of PHP applications, Laravel codebases, and web platforms. We go beyond automated scanning to manually review your source code for injection flaws, authentication bypasses, and business logic vulnerabilities.

Flutter & Mobile
App Auditing

Security assessments of Flutter, iOS, and Android applications. We test data storage, API communications, certificate pinning, reverse engineering resilience, and platform-specific attack vectors unique to mobile.

Server & Infra
Pen Testing

Internal and external penetration testing of your server infrastructure. Linux hardening reviews, cloud configuration audits, network segmentation testing, and privilege escalation assessments across your entire stack.

Corporate Social
Engineering

Targeted phishing campaigns, pretexting, vishing, and physical access testing tailored to your organisation. We expose the human vulnerabilities that no firewall can patch and help you build a security-aware culture.

About us

Approach and
philosophy

Hawthorn Security exists because we've spent over 16 years building the same systems we now break. Our background in PHP, Laravel, Flutter, and Linux infrastructure means we audit your code and servers with the mindset of someone who's shipped production software, not just scanned it.

We pair deep technical testing with corporate social engineering to give you a complete picture of your exposure. Every engagement is handled with discretion, delivered with clarity, and focused on actionable outcomes rather than padded reports.

Capabilities

What we
specialise in

PHP & Laravel Source Code Review

Manual line-by-line auditing of your PHP codebase. SQL injection, mass assignment, insecure deserialization, broken access control, and framework-specific misconfigurations in Laravel, Symfony, and vanilla PHP.

Flutter & Dart Security Analysis

Reverse engineering of Flutter binaries, Dart source review, API token leakage, insecure local storage, and platform channel security across both iOS and Android builds.

Linux & Cloud Infrastructure Auditing

SSH hardening, firewall rule review, container escape testing, privilege escalation chains, and cloud misconfigurations across AWS, DigitalOcean, and bare-metal environments.

Phishing & Social Engineering Campaigns

Bespoke phishing simulations, pretexting calls, physical tailgating assessments, and USB drop tests. Full reporting with staff awareness metrics and recommended training paths.

Case Studies

Four criticals,
one legacy stack

A confidential engagement for a client operating a long-lived PHP application. We were given full source access for a combined white-box code review and penetration test. Within a short assessment window we identified four high-impact vulnerabilities, each formally documented and delivered as a remediation-focused report. The client is unnamed under NDA; the findings below are shared with permission and generalised so no system is identifiable.

Engagement at a glance

Scope

White-box review & penetration test of a legacy PHP application

Full source access

Result

Four high-to-critical findings, each with a working proof of concept

Short assessment window

Delivery

Formal written report with severity ratings and prioritised remediation

Client under NDA

Key findings

Critical · Authentication

Account Takeover via Mobile OAuth

An exposed endpoint in the mobile OAuth flow could be coerced into issuing a valid session token for any account, needing nothing more than the target's email address. In practice this meant full impersonation of any user, including privileged ones. Root cause was a missing authorisation check on a token-issuing route; remediated by binding token issuance to an authenticated, verified device grant.

Critical · Injection

Remote Code Execution

User-controlled input reached a system shell context through a query parameter, allowing arbitrary commands to run on the host and, from there, full system access. We demonstrated controlled command execution without disrupting the live environment. Remediated by removing the shell call in favour of a safe native API and strictly validating all input.

High · SSRF

Server-Side Request Forgery

A server-side fetch built on file_get_contents() trusted a user-supplied target, letting an attacker make the server issue requests to arbitrary remote and internal endpoints. This opens the door to internal network reconnaissance and cloud metadata theft. Remediated with an allow-list of permitted hosts and protocol restrictions on outbound requests.

High · XSS

Cross-Site Scripting via Sharing

Several front-end fields rendered user input without escaping. Combined with the application's built-in sharing feature, this let a malicious payload be delivered straight to other users, turning a routine share into a vehicle for session theft and account compromise. Remediated with context-aware output encoding and a content security policy.

Each issue was reproduced, evidenced, and handed over with a clear, prioritised remediation path. Having source access let us trace every finding to its root cause rather than stopping at the symptom — the difference between patching one endpoint and fixing the pattern across the codebase.

Toolkit

Technologies & Tools

Burp Suite
Semgrep
Nmap
Frida
Metasploit
GoPhish
Kali Linux
MobSF
Contact

Request a
consultation

Ready to understand your security posture? Whether you need a penetration test, a threat assessment, or simply want to discuss your organisation's security needs, get in touch. All enquiries are handled with complete discretion.

Done!

Thanks for your message. We'll get back to you as soon as possible.