SQA #3460: [SQA] Security Re-Testing on Aiaxio Production Site
Status: open
Description
We are re-testing aiaxio to verify whether the previously identified issues have been resolved, as confirmed by the development team.
Updated by Aman Bhuiyan 6 months ago
- % Done changed from 0 to 40
- Estimated time set to 12:00 h
Issues Found
- R-ST-01: OTP verification request should return a 200 status with OTP, but it can be manipulated to return 200 OK even with modified status codes (500/404).
- R-ST-02: Brute force attempts on Sign In/Sign Up show a network error instead of a "too many attempts" or IP block warning.
- R-ST-03: Submitting a tool name with a space bypasses the existing tool name validation, resulting in a 201 Created response instead of an error.
- R-ST-04: The staging API endpoint exposes user data instead of returning a 403 Forbidden response.
- R-ST-05: No terms and conditions or data collection pop-up appears during sign-up with Google.
- R-ST-06: Users can reuse old passwords during the password reset process without a warning.
- R-ST-07: The system allows spaces in usernames, even though it should disallow them.
Reference
Updated by Aman Bhuiyan 5 months ago
R-ST-01: Verify OTP request API sends POST to endpoint, returns 200 status with OTP.
Test Steps: Modify request status to 500/404 and forward.
Expected: OTP should go to domain email.
Actual: OTP shows in the request response.
Status: Pass
Tested Date: 30.10.2025
R-ST-02: Brute force attempts on Sign In/Sign Up show a network error.
Test Steps: Attempt multiple Sign In/Sign Up requests.
Expected: Show "Too many attempts" or IP block warning.
Actual: Shows a network error.
Status: Fail
Tested Date: 30.10.2026
R-ST-03: No rate limit on the Forgot Password endpoint.
Test Steps: Send multiple Forgot Password requests.
Expected: Captcha or rate limit defense.
Actual: No defense mechanism found.
Status: Fail
Tested Date: 30.10.2027
Sheet
Screenshots
Updated by Aman Bhuiyan 5 months ago
- % Done changed from 40 to 100
R-ST-04: Nginx - Found 3 CVEs that may cause DDoS.
Test Steps: Go to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750.
Expected: DDoS defense mechanism.
Actual: Uses Nginx 1.18.0. CVEs: DDoS Attack Tool.
Status: Pending
R-ST-05: Submit page Tool Name bypass (case sensitivity).
Test Steps: Enter a tool name with a capital letter.
Expected: Show error or warning.
Actual: 201 Created Response.
Status: Pending
R-ST-06: Sign Up -> First Name.
Test Steps: Rendering issue on Sign-up page.
Expected: Input validation.
Actual: No sanitization.
Status: Pending
Tested Date: 31.10.2030
R-ST-07: API endpoint exposes user data.
Test Steps: Go to api.aiaxio.com/api/user-management/users/.
Expected: 403 Forbidden.
Actual: Shows all user data.
Status: Pending
Tested Date: 31.10.2031
R-ST-08: Profile Photo - No rate limit.
Test Steps: Upload high-res image.
Expected: Size limit.
Actual: No limit.
Status: Pending
Tested Date: 31.10.2032
R-ST-08: Reset Password - Reuse old password.
Test Steps: Enter previous password.
Expected: Show warning.
Actual: Password reused.
Status: Pending
Tested Date: 31.10.2034
UAT-01: Rate Limit warning - Message appears weird.
Test Steps: Click verify button multiple times.
Expected: Clear warning.
Actual: Wiered01
Status: Pending
Tested Date: 31.10.2037
UAT-02: Button - Inconsistent names.
Test Steps: Check Sign Out/Log Out buttons.
Expected: Same name.
Actual: Screenshot_2025-10-31_17_10_50.png.
Status: Pending
Tested Date: 31.10.2038
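As an added defensive example (not part of this ticket or of Aiaxio's code base), the canonicalisation that closes the R-ST-03 / R-ST-05 tool-name bypasses (a trailing space or a different capitalisation slipping past an exact-match duplicate check) and the R-ST-07 gap of spaces being accepted in usernames. The sample tool list, the length limits and the username character set are assumptions.

```python
import re
import unicodedata
from typing import Iterable, Tuple

# Constructed sample of names already stored server-side (hypothetical).
EXISTING_TOOL_NAMES = ["ChatGPT", "Midjourney", "Stable Diffusion"]

_WS = re.compile(r"\s+")


def canonical_name(raw: str) -> str:
    """Canonical key used only for uniqueness comparison.

    NFKC folds compatibility look-alikes (e.g. full-width letters),
    collapsing/stripping whitespace removes the padding that let
    'ChatGPT ' pass an exact-match check, and casefold() makes
    'chatgpt' and 'ChatGPT' the same key (R-ST-03 / R-ST-05).
    """
    folded = unicodedata.normalize("NFKC", raw)
    folded = _WS.sub(" ", folded).strip()
    return folded.casefold()


def validate_tool_name(raw: str, existing: Iterable[str]) -> Tuple[bool, str]:
    """Return (accepted, reason); duplicates are detected on canonical form."""
    if not raw.strip():
        return False, "empty"
    if len(raw) > 64:  # assumed limit
        return False, "too long"
    taken = {canonical_name(n) for n in existing}
    if canonical_name(raw) in taken:
        return False, "duplicate"
    return True, "ok"


def validate_username(raw: str) -> Tuple[bool, str]:
    """Usernames: ASCII letters, digits, underscore, 3-32 chars.

    fullmatch on the raw input rejects any whitespace, including Unicode
    spaces, before normalisation could hide it (R-ST-07).
    """
    if not re.fullmatch(r"[A-Za-z0-9_]{3,32}", raw):
        return False, "invalid characters or length"
    return True, "ok"
```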