2025-09-01 — Day 1¶

Coverage: Reset Password, Sign Up, Verify Email, Verify Tool, Comment Box
Activities: Manual happy-path + negative checks; header/URL review; safe replay testing (prod-safe)

Findings summary:

• ST-001 (Medium): Reset Password & Sign Up — Verification emails originate from third-party sender (support@onlinegradecalculator.io).PoC
• ST-002 (High): Reset Password — OTP appears in URL during verification flow.PoC
• ST-003 (Medium): Verify Email Address endpoint — No rate limit observed.PoC
• ST-004 (High): Verify Tool — Email validation/ownership bypass risk by stripping domain in request. PoC
• ST-005 (Medium): Comment Box — No rate limit / anti-automation controls. PoC

2025-09-02 — Day 2¶

Coverage: Verify My Tool, Staging API exposure, Network services/ports, Reset Password rate limiting, Main site endpoints
Activities: Manual verification flows (intercept-only, prod-safe), staging endpoint review, basic service/port checks, rate-limit header behavior review

Findings summary:

• ST-006 (High): Verify My Tool — OTP returned in API response instead of only emailing to domain mailbox.
• ST-007 (High, Staging): Staging API endpoint publicly lists users (/api/user-management/users/) — information disclosure.
• ST-008 (Info/Suggestion): HTTP/1.1 DoS CVE reference noted — review DDoS protections and relevance (no exploit executed).
• ST-009 (Medium): Port 8000 open on aiaxio.com serving another site — unexpected service exposure.
• ST-010 (Medium): Multiple unnecessary open ports discovered (5432, 8002, 3005, 8080) — reduce attack surface.
• ST-011 (High/Critical): Reset Password — rate-limit bypass via spoofed X-Forwarded-For/Host header.
• ST-012 (Medium, To verify): Possible client-side desync exposure on main site / some endpoints (needs controlled validation).

2025-09-03 — Day 3¶

Coverage: Sign Up with Google (OAuth), Profile avatar sync, Profile Picture upload sanitation, Account deletion/session invalidation
Activities: UX/consent review for Google OAuth; cross-browser state/asset refresh checks; safe negative tests for upload validation; account lifecycle tests across concurrent sessions

Findings summary:

• ST-013 (Medium): Sign Up with Google — No Terms & Conditions / data-collection consent shown before completing Google sign-up.
• ST-014 (Medium): Profile icon sync — Updating profile picture in one browser does not reflect in a second logged-in browser after refresh.
• ST-015 (High/Critical): Profile picture upload sanitation — Upload validation appears insufficient when non-image payloads are renamed with .jpg/.png. Expected: Reject non-image content even if the extension looks like an image.
• ST-016 (High): Delete Account — After deleting the account in one browser, another pre-authenticated browser can still edit the profile.

2025-09-04 — Day 4¶

Coverage: Username policy/uniqueness, password reuse policy, user-management API exposure, clickjacking headers
Activities: Account creation & rename tests (case + Unicode), password reset/reuse checks, public API probe (read-only), header/iframe checks with local HTML (prod-safe)

Findings summary:

• ST-017 (Medium): Username case-insensitivity not enforced — “Admin” and “admin” accepted as distinct usernames.
• ST-018 (High): Username homoglyph bypass — Confusable Unicode variants bypass existing-username checks.
• ST-019 (Medium, Suggestion): Password reuse allowed on reset — Prior passwords can be reused during reset.
• ST-020 (High): Public user data via API — https://api.aiaxio.com/api/user-management/users?limit=20&offset=0&sort=asc returns user data without proper restriction.
• ST-021 (Medium): Clickjacking risk — Missing X-Frame-Options and CSP frame-ancestors; site can be framed (tested with local clickjack.html).

2025-09-08 — Day 5¶

Coverage: Forgot Password (JWT handling), Sign-in redirect parameters, Origin IP exposure
Activities: JWT payload review (decode-only), callback URL redirect behavior check, passive OSINT for infrastructure exposure

Findings summary:

• ST-022 (High): OTP exposed in JWT — Forgot Password flow returns a JWT whose decoded payload contains the OTP.
• ST-023 (High): Open redirect on sign-in — callbackUrl on /signin allows redirection to external domains (e.g., https://evil.com).
• ST-024 (Medium/High): Origin IP exposure — Public search reveals origin IP for aiaxio.com, enabling potential WAF bypass attempts.

##Ref 01 Screenshots Drive Link
##Ref 02 Issues Sheet