SQA #3237 (open)

[SQA] Security Testing on Production Site

Added by Aman Bhuiyan 7 months ago. Updated 6 months ago.

Status: Pending
Priority: High
Assignee:
Target version:
Start date: 09/15/2025
Due date:
% Done: 50%
Estimated time:
Spent time:

Description

2025-09-01 — Day 1

Coverage: Reset Password, Sign Up, Verify Email, Verify Tool, Comment Box
Activities: Manual happy-path + negative checks; header/URL review; safe replay testing (prod-safe)

Findings summary:

  • ST-001 (Medium): Reset Password & Sign Up: verification emails originate from a third-party sender (). (PoC)
  • ST-002 (High): Reset Password: the OTP appears in the URL during the verification flow, so it is exposed to browser history, Referer headers and proxy/server logs. (PoC)
  • ST-003 (Medium): Verify Email Address endpoint: no rate limit observed. (PoC)
  • ST-004 (High): Verify Tool: email validation/ownership bypass risk; the domain part can be stripped from the request. (PoC)
  • ST-005 (Medium): Comment Box: no rate limit or anti-automation controls. (PoC)

2025-09-02 — Day 2

Coverage: Verify My Tool, Staging API exposure, Network services/ports, Reset Password rate limiting, Main site endpoints
Activities: Manual verification flows (intercept-only, prod-safe), staging endpoint review, basic service/port checks, rate-limit header behavior review

Findings summary:

  • ST-006 (High): Verify My Tool: the OTP is returned in the API response instead of being sent only to the domain mailbox, so possession of the mailbox is never actually proven.
  • ST-007 (High, Staging): Staging API endpoint publicly lists users (/api/user-management/users/): information disclosure.
  • ST-008 (Info/Suggestion): HTTP/1.1 DoS CVE reference noted; review DDoS protections and whether the CVE applies to this stack (no exploit executed).
  • ST-009 (Medium): Port 8000 open on aiaxio.com and serving another site: unexpected service exposure.
  • ST-010 (Medium): Multiple unnecessary open ports discovered (5432, 8002, 3005, 8080); reduce the attack surface (5432 is the PostgreSQL default port, so confirm it is not the production database).
  • ST-011 (High/Critical): Reset Password: the rate limit is bypassed by spoofing the X-Forwarded-For/Host header, i.e. the limiter keys on a client-controlled value.
  • ST-012 (Medium, to verify): Possible client-side desync exposure on the main site / some endpoints (needs controlled validation).
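Added example for ST-003/ST-005 (Day 1) and ST-011 above. This is illustrative code, not the production application's limiter. It assumes the app sits behind reverse proxies in 10.0.0.0/8 (constructed) and uses TEST-NET addresses for the attacker. The naive key function reproduces the bypass (it believes whatever X-Forwarded-For says); the strict one takes the header into account only when the TCP peer is a trusted proxy, and then only the right-most hop that a trusted proxy did not itself append:

```python
"""Rate limiting keyed on a client address the client cannot choose (ST-003/ST-005/ST-011).

Added example, not the project's code. Proxy range and addresses are constructed.
"""
from __future__ import annotations

import ipaddress
import time
from collections import defaultdict, deque

# Assumption: load balancers live in 10.0.0.0/8. Only they may tell us the real client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(ip: str) -> bool:
    """True if `ip` is inside a trusted proxy range. Raises ValueError for a malformed address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_naive(peer_ip: str, headers: dict[str, str]) -> str:
    """Vulnerable pattern behind ST-011: trusts whatever the request carries in X-Forwarded-For."""
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return first or peer_ip


def client_ip_strict(peer_ip: str, headers: dict[str, str]) -> str:
    """Hardened: honour X-Forwarded-For only when the TCP peer is a trusted proxy, then take
    the right-most hop that is not itself a trusted proxy. Proxies append to the header, so
    everything left of the last trusted hop is attacker-controlled."""
    if not _is_trusted(peer_ip):
        return peer_ip                          # direct client: the header means nothing
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:                      # garbage in the header: trust none of it
            break
    return peer_ip


class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per `window` seconds for each key."""

    def __init__(self, limit: int, window: float, key_func, clock=time.monotonic):
        self.limit, self.window, self.key_func, self.clock = limit, window, key_func, clock
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, peer_ip: str, headers: dict[str, str]) -> bool:
        key = self.key_func(peer_ip, headers)
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def demo_bypass(limit: int = 5, requests: int = 50) -> tuple[int, int]:
    """One attacker host sends `requests` reset attempts, rotating the spoofed X-Forwarded-For
    value each time. Returns (accepted by naive limiter, accepted by strict limiter)."""
    attacker_peer = "203.0.113.7"               # constructed TEST-NET-3 address
    fake_clock = [0.0]                          # deterministic clock for the demo
    naive = RateLimiter(limit, 60.0, client_ip_naive, clock=lambda: fake_clock[0])
    strict = RateLimiter(limit, 60.0, client_ip_strict, clock=lambda: fake_clock[0])
    ok_naive = ok_strict = 0
    for i in range(requests):
        fake_clock[0] += 0.1
        headers = {"X-Forwarded-For": f"198.51.100.{i % 256}"}   # spoofed, new value each time
        if naive.allow(attacker_peer, headers):
            ok_naive += 1
        if strict.allow(attacker_peer, headers):
            ok_strict += 1
    return ok_naive, ok_strict


if __name__ == "__main__":
    print("accepted naive/strict:", demo_bypass())   # (50, 5)
```

The same rule applies to the Host header mentioned in ST-011: a limiter keyed on Host (or on any other request header) is keyed on a value the attacker picks per request. In practice the reset endpoint should also be limited per target account/email, so that a single victim cannot be hammered from many real addresses either.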

2025-09-03 — Day 3

Coverage: Sign Up with Google (OAuth), Profile avatar sync, Profile Picture upload sanitation, Account deletion/session invalidation
Activities: UX/consent review for Google OAuth; cross-browser state/asset refresh checks; safe negative tests for upload validation; account lifecycle tests across concurrent sessions

Findings summary:

  • ST-013 (Medium): Sign Up with Google: no Terms & Conditions / data-collection consent is shown before the Google sign-up completes.
  • ST-014 (Medium): Profile icon sync: updating the profile picture in one browser is not reflected in a second logged-in browser even after a refresh.
  • ST-015 (High/Critical): Profile picture upload sanitation: upload validation appears to rely on the file extension; non-image payloads renamed to .jpg/.png are accepted. Expected: reject non-image content even when the extension looks like an image (validate the bytes, not the name).
  • ST-016 (High): Delete Account: after deleting the account in one browser, a second, already-authenticated browser can still edit the profile; existing sessions are not invalidated server-side.
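Added example for ST-015: content-based validation of an avatar upload. This is illustrative code, not the project's upload handler; the signature table, size limit and the four sample uploads (a minimal PNG, an HTML payload named shell.jpg, JPEG bytes named .png, and a bare PNG signature) are constructed for the demonstration:

```python
"""Validate avatar uploads by their bytes, never by the client-supplied name (ST-015).

Added example, not the project's code. Signatures, limits and samples are constructed.
"""
from __future__ import annotations

import secrets
import struct

# Leading bytes that identify the formats the avatar endpoint is assumed to accept.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_FOR = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif", "image/webp": ".webp"}


def sniff_image(data: bytes) -> str | None:
    """MIME type implied by the file's own bytes, or None if it is not a known image."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":   # WebP: RIFF container with WEBP tag
        return "image/webp"
    return None


def png_dimensions(data: bytes) -> tuple[int, int]:
    """Parse the mandatory IHDR chunk, so an 8-byte signature glued onto junk does not pass."""
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise ValueError("missing IHDR chunk")
    width, height = struct.unpack(">II", data[16:24])
    if width == 0 or height == 0:
        raise ValueError("zero-sized image")
    return width, height


def validate_avatar(client_filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Accept the upload only if its bytes are an allowed image and return the name to store it
    under. `client_filename` is accepted for logging only and never trusted: the stored name
    is random and its extension comes from the sniffed content, so 'shell.jpg' holding HTML
    can neither pass nor later be served under a name it chose."""
    if len(data) > max_bytes:
        raise ValueError("file too large")
    mime = sniff_image(data)
    if mime is None or mime not in EXTENSION_FOR:
        raise ValueError("content is not an allowed image type")
    if mime == "image/png":
        png_dimensions(data)                               # structural check beyond the magic
    return secrets.token_hex(8) + EXTENSION_FOR[mime]


# Constructed samples: a 1x1 PNG (IHDR only, CRC left zero), an HTML payload renamed to .jpg
# (the ST-015 case), JPEG bytes with a lying .png name, and a PNG signature with nothing behind it.
MINIMAL_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
               + struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0) + b"\x00\x00\x00\x00")
SAMPLES = {
    "avatar.png": MINIMAL_PNG,
    "shell.jpg": b"<html><script>alert(document.cookie)</script></html>",
    "photo.png": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "empty.png": b"\x89PNG\r\n\x1a\n",
}


def check_samples() -> dict[str, str]:
    """Run every sample through validate_avatar and report the verdict per client filename."""
    verdicts = {}
    for name, data in SAMPLES.items():
        try:
            verdicts[name] = "stored as ." + validate_avatar(name, data).rsplit(".", 1)[1]
        except ValueError as err:
            verdicts[name] = "rejected: " + str(err)
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:12} {verdict}")
```

Magic bytes are necessary, not sufficient: a file that starts with a valid JPEG header and carries script further down still passes a signature check. The stronger control is to decode and re-encode the image server-side with an image library, serve avatars from a separate origin that executes nothing, and send `X-Content-Type-Options: nosniff`.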

2025-09-04 — Day 4

Coverage: Username policy/uniqueness, password reuse policy, user-management API exposure, clickjacking headers
Activities: Account creation & rename tests (case + Unicode), password reset/reuse checks, public API probe (read-only), header/iframe checks with local HTML (prod-safe)

Findings summary:

  • ST-017 (Medium): Username case-insensitivity not enforced: "Admin" and "admin" are accepted as distinct usernames.
  • ST-018 (High): Username homoglyph bypass: confusable Unicode variants (look-alike characters from other scripts) pass the existing-username check, so a visual duplicate of an existing username can be registered.
  • ST-019 (Medium, Suggestion): Password reuse allowed on reset: prior passwords can be reused during reset.
  • ST-020 (High): Public user data via API: https://api.aiaxio.com/api/user-management/users?limit=20&offset=0&sort=asc returns user data without proper restriction.
  • ST-021 (Medium): Clickjacking risk: missing X-Frame-Options and CSP frame-ancestors; the site can be framed (tested with a local clickjack.html).
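Added example for ST-017 and ST-018: a canonical key for username uniqueness that collapses case, compatibility forms, accents and script look-alikes before comparing. This is illustrative code, not the project's user service. The confusable table is a small hand-picked subset (a real implementation should load the full Unicode TR39 confusables.txt), and treating the digits 0 and 1 as confusable with o and l is a policy choice assumed here:

```python
"""Canonical username key: NFKC + casefold + accent stripping + confusable mapping (ST-017/ST-018).

Added example, not the project's code. CONFUSABLES is a constructed subset of Unicode TR39.
"""
from __future__ import annotations

import unicodedata

CONFUSABLES = {
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
    "\u0443": "y",   # CYRILLIC SMALL LETTER U
    "\u0445": "x",   # CYRILLIC SMALL LETTER HA
    "\u0456": "i",   # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03b1": "a",   # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",   # GREEK SMALL LETTER OMICRON
    "\u0131": "i",   # LATIN SMALL LETTER DOTLESS I
    "0": "o",        # policy assumption: digits that read as letters
    "1": "l",
}


def username_key(username: str) -> str:
    """Collapse a username to the key used for uniqueness checks. Names that look alike to a
    human must map to the same key; the display name itself is stored as typed."""
    s = unicodedata.normalize("NFKC", username)      # fullwidth/ligature forms -> plain letters
    s = s.casefold()                                  # stronger than lower(): handles ß, İ, ...
    s = unicodedata.normalize("NFD", s)               # split accents off their base letters ...
    s = "".join(ch for ch in s if not unicodedata.combining(ch))   # ... and drop them
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


class UsernameRegistry:
    """Uniqueness is enforced on the key, not on the raw string (the gap behind ST-017/ST-018)."""

    def __init__(self) -> None:
        self._by_key: dict[str, str] = {}             # key -> display name as first registered

    def register(self, username: str) -> bool:
        key = username_key(username)
        if key in self._by_key:
            return False                              # collides with an existing look-alike
        self._by_key[key] = username
        return True

    def owner_of(self, username: str) -> str | None:
        """Display name that already occupies this name's key, if any."""
        return self._by_key.get(username_key(username))


def demo() -> list[tuple[str, bool]]:
    """Registration attempts in order; only the first spelling of each name should succeed."""
    reg = UsernameRegistry()
    attempts = [
        "admin",
        "Admin",                              # ST-017: case variant
        "adm\u0456n",                         # ST-018: Cyrillic i
        "\u0430dmin",                         # ST-018: Cyrillic a
        "\uff41\uff44\uff4d\uff49\uff4e",     # fullwidth 'admin'
        "support",
        "supp0rt",                            # digit zero for o
        "s\u00fcpport",                       # u with umlaut, accent stripped
        "pay\u0440al",                        # Cyrillic er, but no 'paypal' registered yet
    ]
    return [(name, reg.register(name)) for name in attempts]


if __name__ == "__main__":
    for name, accepted in demo():
        print(f"{name!r:24} {'accepted' if accepted else 'rejected'}")
```

In a database-backed service the key column gets the unique index and the display-name column keeps what the user typed; lookups on login, mentions and profile URLs go through the key as well, otherwise the check only moves from registration to wherever the raw string is still compared.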

2025-09-08 — Day 5

Coverage: Forgot Password (JWT handling), Sign-in redirect parameters, Origin IP exposure
Activities: JWT payload review (decode-only), callback URL redirect behavior check, passive OSINT for infrastructure exposure

Findings summary:

  • ST-022 (High): OTP exposed in JWT: the Forgot Password flow returns a JWT whose decoded payload contains the OTP (a JWT payload is only base64url-encoded, not encrypted, so anyone holding the token can read it).
  • ST-023 (High): Open redirect on sign-in: the callbackUrl parameter on /signin allows redirection to external domains (e.g., https://evil.com).
  • ST-024 (Medium/High): Origin IP exposure: public search reveals the origin IP for aiaxio.com, which lets an attacker reach the origin directly and attempt to bypass the WAF.
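Added example for ST-022 above and for the related ST-002 (Day 1) and ST-006 (Day 2). This is illustrative code, not the project's reset implementation. It reproduces the decode-only check the Day 5 review performed (the payload of a JWT is readable without any key), mints a token of the vulnerable shape beside the hardened one, and shows a reset flow in which the OTP exists only as a server-side hash and in the user's mailbox while the token and any URL built from it carry an opaque id. The signing key, OTP format, claim names, TTL and attempt limit are assumptions:

```python
"""OTP never in URL, response or JWT payload: detector plus hardened flow (ST-002/ST-006/ST-022).

Added example, not the project's code. Key, claim names, TTL and limits are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed-signing-key-not-a-real-secret"     # assumption: HS256 key for the demo
SENSITIVE_CLAIMS = {"otp", "code", "pin", "password", "reset_code", "verification_code"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt_hs256(payload: dict, key: bytes) -> str:
    """Minimal HS256 signer, present only so the demo can mint tokens of both shapes."""
    seg = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Header and payload with no signature check: what the decode-only review did, and what
    anyone holding the token can do. A JWT payload is base64url, not encryption."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def leaked_claims(token: str) -> set[str]:
    """Secret-looking claim names readable from the token without a key (ST-022 detector)."""
    return {k for k in decode_jwt_unverified(token)[1] if k.lower() in SENSITIVE_CLAIMS}


def verify_jwt_hs256(token: str, key: bytes) -> bool:
    """Pin the algorithm and compare the HMAC in constant time."""
    try:
        header, _ = decode_jwt_unverified(token)
        signing_input, sig_b64 = token.rsplit(".", 1)
        expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return header.get("alg") == "HS256" and hmac.compare_digest(expected, _b64url_decode(sig_b64))
    except ValueError:              # bad base64, bad JSON and wrong segment count all derive from it
        return False


class ResetService:
    """Password-reset state. `outbox` stands in for the mail sender."""

    MAX_ATTEMPTS = 5                # assumption
    TTL_SECONDS = 600               # assumption

    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.outbox: list[tuple[str, str]] = []
        self._pending: dict[str, tuple[str, float, int]] = {}   # rid -> (otp_hash, expiry, tries)

    def start_vulnerable(self, email: str) -> str:
        """ST-022/ST-006 shape: the OTP is emailed AND handed back inside the token."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.outbox.append((email, otp))
        return sign_jwt_hs256({"sub": email, "otp": otp, "exp": int(self.clock()) + self.TTL_SECONDS}, KEY)

    def start(self, email: str) -> str:
        """Hardened shape: token and URL carry only an opaque id; the OTP lives as a hash here
        and in the mailbox, nowhere else (ST-002)."""
        otp = f"{secrets.randbelow(10**6):06d}"
        rid = secrets.token_urlsafe(16)
        self._pending[rid] = (hashlib.sha256(otp.encode()).hexdigest(), self.clock() + self.TTL_SECONDS, 0)
        self.outbox.append((email, otp))
        return sign_jwt_hs256({"sub": email, "rid": rid, "exp": int(self.clock()) + self.TTL_SECONDS}, KEY)

    def verify(self, token: str, otp_from_user: str) -> bool:
        """Signature-checked, expiring, attempt-limited and single-use."""
        if not verify_jwt_hs256(token, KEY):
            return False
        rid = decode_jwt_unverified(token)[1].get("rid")
        entry = self._pending.get(rid)
        if entry is None:
            return False
        otp_hash, expires_at, tries = entry
        if self.clock() > expires_at or tries >= self.MAX_ATTEMPTS:
            self._pending.pop(rid, None)                        # expired or locked out
            return False
        if hmac.compare_digest(otp_hash, hashlib.sha256(otp_from_user.encode()).hexdigest()):
            self._pending.pop(rid, None)                        # burn it: single use
            return True
        self._pending[rid] = (otp_hash, expires_at, tries + 1)
        return False


def demo() -> dict[str, object]:
    """Mint both token shapes for a constructed address and exercise the hardened flow."""
    svc = ResetService()
    vuln, good = svc.start_vulnerable("user@example.com"), svc.start("user@example.com")
    otp = svc.outbox[-1][1]
    wrong = "000000" if otp != "000000" else "000001"
    return {
        "vulnerable_token_leaks": sorted(leaked_claims(vuln)),   # ['otp']
        "hardened_token_leaks": sorted(leaked_claims(good)),     # []
        "wrong_otp_accepted": svc.verify(good, wrong),           # False
        "right_otp_accepted": svc.verify(good, otp),             # True
        "replay_accepted": svc.verify(good, otp),                # False
    }
```

The hash-and-compare step is what makes the opaque id safe to put in a URL: even if the link leaks through history or logs (the ST-002 exposure), the holder still needs the mailbox, and the attempt counter keeps a six-digit code from being brute-forced through the verify endpoint.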
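Added example for ST-023: validating a sign-in callbackUrl so the redirect can only land on our own site. This is illustrative code, not the project's /signin handler. aiaxio.com is the host named in this report; the exact allow-listed hosts and the default landing path are assumptions. The function always returns a path, never a full URL, and the demo runs the classic bypass shapes (protocol-relative, backslash, triple slash, suffix and userinfo tricks, dangerous scheme, CRLF) through it:

```python
"""Same-site validation of a redirect parameter (ST-023).

Added example, not the project's code. Allow-list and default path are assumptions.
"""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"aiaxio.com", "www.aiaxio.com"}   # assumption: exact hosts, never suffix matches
DEFAULT_AFTER_LOGIN = "/dashboard"                 # assumption


def _path_only(parts) -> str:
    """Rebuild path?query#fragment with no scheme, host, port or userinfo."""
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))


def safe_callback(raw: str | None) -> str:
    """Return a same-site redirect target derived from `raw`, or the default if it is not safe."""
    if not raw:
        return DEFAULT_AFTER_LOGIN
    raw = raw.strip()
    if any(ch in raw for ch in "\r\n\t\x00"):          # header injection / parser-splitting input
        return DEFAULT_AFTER_LOGIN
    raw = raw.replace("\\", "/")                       # browsers treat '\' as '/' in URLs
    try:
        parts = urlsplit(raw)
        hostname = parts.hostname                      # can raise on malformed IPv6 literals
    except ValueError:
        return DEFAULT_AFTER_LOGIN
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: https only, exact host match, then drop the origin
        # (also drops any port, which matters given the other services found on ST-009/ST-010).
        if parts.scheme not in ("", "https") or hostname not in ALLOWED_HOSTS:
            return DEFAULT_AFTER_LOGIN
        return _path_only(parts)
    # Relative target: must be a single-slash path. '//x' and '///x' resolve to https://x.
    if not raw.startswith("/") or raw.startswith("//"):
        return DEFAULT_AFTER_LOGIN
    return _path_only(parts)


def demo() -> dict[str, str]:
    """Constructed callbackUrl values and what the sign-in handler would redirect to."""
    cases = [
        "/profile?tab=2",                  # plain relative path: kept
        "https://aiaxio.com/settings",     # own origin: reduced to its path
        "https://evil.com",                # the ST-023 case
        "//evil.com/phish",                # protocol-relative
        "/\\evil.com",                     # backslash trick
        "///evil.com",                     # triple slash
        "https://aiaxio.com.evil.com/",    # defeats a naive endswith('aiaxio.com') check
        "https://aiaxio.com@evil.com/",    # userinfo trap: the host is evil.com
        "javascript:alert(1)",             # dangerous scheme
        "/ok\r\nSet-Cookie: x=1",          # CRLF into the Location header
        "",
    ]
    return {c: safe_callback(c) for c in cases}


if __name__ == "__main__":
    for raw, target in demo().items():
        print(f"{raw!r:36} -> {target}")
```

Whatever the handler emits in `Location` should be the return value of this function, not the original parameter; matching the host and then redirecting to the raw string re-opens every trick above.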

## Ref 01: Screenshots Drive Link
## Ref 02: Issues Sheet
