Actions
SQA #3592
open[SQA] Security Assessment of aiaxio: Testing for XSS, IDOR, and Session Misconfiguration Vulnerabilities
Updated by Aman Bhuiyan 5 months ago
- Subject changed from Security Assessment of aiaxio: Testing for XSS, IDOR, and Session Misconfiguration Vulnerabilities to [SQA] Security Assessment of aiaxio: Testing for XSS, IDOR, and Session Misconfiguration Vulnerabilities
- % Done changed from 50 to 70
Summary¶
Identified several critical and medium-severity security issues during testing on the Aiaxio platform.
- Rendering issue with the HTML input field for 'First Name' on the Sign-up page.
- The API endpoint exposes user data.
- The upload profile photo option lacks rate limiting, potentially leading to a pixel flood.
- Users can reuse old passwords during the password change process.
- Some IPs are exposed with open ports during port scanning on the Aiaxio domain.
- Aiaxio Origin IP is exposed.
- Cross-site scripting (XSS) vulnerability in the 'First Name' input field, rendered on the email.
- The error page appears suddenly when clicking on "Sign up with Google."
- A strange error was encountered when attempting to sign up for the second time after a previous sign-up was deleted.
- The 'Full Name' field accepts HTML input, which is automatically treated as a username.
- Previous session cookies are not expired after changing the password.
- The IP rate limit warning message appears wired.
- Two different name buttons, "Sign Out" and "Log Out", which seem inconsistent.
- The username field accepts excessively large strings.
- The profile settings page lacks options to view or change the email address.
- The dashboard's 'Your Profile' card has a responsiveness issue with long usernames.
Proof of Concept¶
Actions