SQA #3237

Updated by Aman Bhuiyan 7 months ago

## 2025-09-01 — Day 1 
 **Coverage:** Reset Password, Sign Up, Verify Email, Verify Tool, Comment Box   
 **Activities:** Manual happy-path + negative checks; header/URL review; safe replay testing (prod-safe) 

 **Findings summary:** 
- **ST-001 (Medium):** Reset Password & Sign Up — Verification emails originate from *third-party* sender (support@onlinegradecalculator.io). [PoC](https://drive.google.com/file/d/14V56u_BZEABWLVibIbPRFOHPalOHtBpm/view?usp=sharing)
- **ST-002 (High):** Reset Password — *OTP appears in URL* during verification flow. [PoC](https://drive.google.com/file/d/1TdrubtgbtYlj5w2I6h5eipztMPGP1OLk/view?usp=sharing)
- **ST-003 (Medium):** Verify Email Address endpoint — *No rate limit* observed. [PoC](https://drive.google.com/file/d/1vBHXF6uAbIQUvjeXt7xxf_dEJ8rBgdi4/view?usp=sharing)
- **ST-004 (High):** Verify Tool — *Email validation/ownership bypass risk* by stripping domain in request. [PoC](https://drive.google.com/file/d/1LB8PSH1VygfW9FHQMSbWNfCW5OGW9ug5/view?usp=sharing)
- **ST-005 (Medium):** Comment Box — *No rate limit / anti-automation* controls. [PoC](https://drive.google.com/file/d/1k6onYiGHN5VwxgwxX4YASE7mOb6MYUru/view?usp=sharing)


 ## 2025-09-02 — Day 2 
 **Coverage:** Verify My Tool, Staging API exposure, Network services/ports, Reset Password rate limiting, Main site endpoints   
 **Activities:** Manual verification flows (intercept-only, prod-safe), staging endpoint review, basic service/port checks, rate-limit header behavior review 

 **Findings summary:** 
 - **ST-006 (High):** Verify My Tool — *OTP returned in API response* instead of only emailing to domain mailbox. 
 - **ST-007 (High, Staging):** Staging API endpoint publicly lists users (`/api/user-management/users/`) — *information disclosure*. 
 - **ST-008 (Info/Suggestion):** HTTP/1.1 DoS CVE reference noted — *review DDoS protections* and relevance (no exploit executed). 
 - **ST-009 (Medium):** Port **8000** open on `aiaxio.com` serving another site — *unexpected service exposure*. 
 - **ST-010 (Medium):** Multiple **unnecessary open ports** discovered (5432, 8002, 3005, 8080) — *reduce attack surface*. 
 - **ST-011 (High/Critical):** Reset Password — *rate-limit bypass via spoofed X-Forwarded-For/Host header*. 
 - **ST-012 (Medium, To verify):** Possible *client-side desync* exposure on main site / some endpoints (needs controlled validation). 
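ST-003, ST-005 and ST-011 all come down to the same question: where does the limiter get the client identity it counts against? The Python below is an added example (not code from the aiaxio.com application or from this report) of a limiter that honours `X-Forwarded-For` only when the TCP peer is one of the application's own reverse proxies, so a direct client cannot rotate the header to get a fresh bucket per request. The proxy range, the limit and the addresses in the simulation are constructed for the illustration.

```python
"""Added example: derive the rate-limit key from the socket peer, and trust
X-Forwarded-For only when that peer is one of our own reverse proxies."""
import ipaddress
from collections import defaultdict
from typing import Mapping

# Assumption for this example: the application's load balancers live in this
# range. Any other peer is a direct client and its X-Forwarded-For is ignored.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_key(peer_addr: str, headers: Mapping[str, str]) -> str:
    """Address the limiter should count a request against.

    Only the rightmost X-Forwarded-For entry is used, because that is the one
    appended by our proxy; everything to its left was supplied by the client.
    The Host header is deliberately never part of the key: the client controls
    it, so keying on it would hand out a fresh bucket per spoofed value.
    """
    xff = headers.get("X-Forwarded-For", "")
    if xff and _is_trusted_proxy(peer_addr):
        candidate = xff.split(",")[-1].strip()
        try:
            ipaddress.ip_address(candidate)  # must parse as a real address
            return candidate
        except ValueError:
            pass  # malformed header: fall back to the socket address
    return peer_addr


class FixedWindowLimiter:
    """Minimal in-memory counter. A real deployment keys a shared store
    (e.g. Redis) with the same client_key and expires counts per window."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: dict = defaultdict(int)

    def allow(self, key: str) -> bool:
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate_header_rotation(limit: int, attempts: int) -> int:
    """Constructed scenario: a direct client at 203.0.113.5 sends `attempts`
    reset requests, each carrying a different X-Forwarded-For and Host value.
    Returns how many the limiter admitted; with the trusted-proxy check in
    place that is exactly `limit`, regardless of the header values."""
    limiter = FixedWindowLimiter(limit)
    admitted = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}", "Host": f"h{i}.example"}
        if limiter.allow(client_key("203.0.113.5", headers)):
            admitted += 1
    return admitted


if __name__ == "__main__":
    print("admitted:", simulate_header_rotation(limit=5, attempts=20))  # 5
```

The same `client_key` should feed every per-client control (reset, verify-email, comment posting), and the proxy itself should overwrite rather than append `X-Forwarded-For` on ingress so the rightmost entry is always the one it observed.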


 ## 2025-09-03 — Day 3 
**Coverage:** Sign Up with Google (OAuth), Profile avatar sync, Profile Picture upload sanitization, Account deletion/session invalidation   
 **Activities:** UX/consent review for Google OAuth; cross-browser state/asset refresh checks; safe negative tests for upload validation; account lifecycle tests across concurrent sessions 

 **Findings summary:** 
 - **ST-013 (Medium):** *Sign Up with Google* — No Terms & Conditions / data-collection consent shown before completing Google sign-up. 
 - **ST-014 (Medium):** *Profile icon sync* — Updating profile picture in one browser does not reflect in a second logged-in browser after refresh.  
- **ST-015 (High/Critical):** *Profile picture upload sanitization* — Upload validation appears insufficient when non-image payloads are renamed with `.jpg/.png`. **Expected:** Reject non-image content even if the extension looks like an image.
 - **ST-016 (High):** *Delete Account* — After deleting the account in one browser, another pre-authenticated browser can still edit the profile.  
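The expected behaviour for ST-015 is a content check, not a file-name check. The Python below is an added example (not code from the aiaxio.com application or from this report) of an upload validator that inspects the bytes for a PNG or JPEG structure and additionally requires the declared extension to agree with what was found. The allowed-extension policy, size cap and sample inputs are constructed for the illustration.

```python
"""Added example: accept an avatar upload only when the bytes themselves are a
PNG or JPEG, independent of the file name the client chose."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Extension -> content type the server will store and serve. Assumed policy.
ALLOWED_EXTENSIONS = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}
MAX_BYTES = 2 * 1024 * 1024


def sniff_image_type(data: bytes):
    """Return 'png', 'jpeg' or None from the content alone (never the name)."""
    # PNG: 8-byte signature followed immediately by the IHDR chunk.
    if data.startswith(PNG_SIGNATURE) and len(data) >= 33 and data[12:16] == b"IHDR":
        return "png"
    # JPEG: SOI marker at the start and EOI marker at the end.
    if data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI):
        return "jpeg"
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Rejects unknown extensions, oversize bodies,
    non-image content, and content that disagrees with the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    expected = "jpeg" if ext in ("jpg", "jpeg") else "png"
    if kind != expected:
        return False, f".{ext} extension does not match {kind} content"
    return True, f"accepted as {ALLOWED_EXTENSIONS[ext]}"


def _png_chunk(kind: bytes, payload: bytes) -> bytes:
    """Length + type + data + CRC, as the PNG chunk layout requires."""
    crc = zlib.crc32(kind + payload)
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


# Constructed sample inputs (not real uploads from the assessment).
SAMPLE_PNG = (PNG_SIGNATURE
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IEND", b""))
SAMPLE_JPEG = JPEG_SOI + b"\xe0" + b"\x00" * 16 + JPEG_EOI
SAMPLE_SCRIPT = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    for name, body in [("avatar.png", SAMPLE_PNG), ("avatar.jpg", SAMPLE_JPEG),
                       ("shell.jpg", SAMPLE_SCRIPT), ("avatar.jpg", SAMPLE_PNG),
                       ("avatar.php", SAMPLE_PNG)]:
        print(name, validate_upload(name, body))
```

A signature check stops renamed scripts but not polyglots (a valid image with extra data appended), so the stored file should also be re-encoded through an image library and served from a static, non-executing origin with the server-chosen `Content-Type` and `X-Content-Type-Options: nosniff`.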


 ## 2025-09-04 — Day 4 
 **Coverage:** Username policy/uniqueness, password reuse policy, user-management API exposure, clickjacking headers   
 **Activities:** Account creation & rename tests (case + Unicode), password reset/reuse checks, public API probe (read-only), header/iframe checks with local HTML (prod-safe) 

 **Findings summary:** 
 - **ST-017 (Medium):** *Username case-insensitivity not enforced* — “Admin” and “admin” accepted as distinct usernames.  
 - **ST-018 (High):** *Username homoglyph bypass* — Confusable Unicode variants bypass existing-username checks. 
 - **ST-019 (Medium, Suggestion):** *Password reuse allowed on reset* — Prior passwords can be reused during reset.  
 - **ST-020 (High):** *Public user data via API* — `https://api.aiaxio.com/api/user-management/users?limit=20&offset=0&sort=asc` returns user data without proper restriction.  
 - **ST-021 (Medium):** *Clickjacking risk* — Missing `X-Frame-Options` and CSP `frame-ancestors`; site can be framed (tested with local `clickjack.html`).  
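ST-017 and ST-018 are two faces of one missing step: the uniqueness check compares what the user typed instead of a canonical form. The Python below is an added example (not code from the aiaxio.com application or from this report) that folds case, Unicode compatibility forms, invisible format characters and a hand-written subset of look-alike letters into one key before checking the registry. The confusables table is deliberately partial and constructed for the illustration (a real deployment should use the Unicode confusables data from UTS #39), and the rule that a canonical name must be ASCII `[a-z0-9._-]` is an assumed policy.

```python
"""Added example: canonicalise usernames so that case variants, compatibility
forms and look-alike characters all map to one key before the uniqueness check."""
import re
import unicodedata

# Constructed, deliberately partial table of look-alikes mapped to the Latin
# letter they imitate. A real deployment should be driven by the Unicode
# confusables data (UTS #39), not a hand-written list.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
}

# Assumed policy: after folding, a name must be plain ASCII of this shape.
ALLOWED_CANONICAL = re.compile(r"^[a-z0-9._-]{3,32}$")


def canonical_username(name: str) -> str:
    """Key used for uniqueness. Steps: NFKC (fullwidth forms, ligatures,
    long s), casefold (Admin -> admin, straight-ss -> ss), drop invisible
    format characters (zero-width space/joiner), then fold known look-alikes."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


class UsernameRegistry:
    """Stores the display name the user typed, keyed by its canonical form."""

    def __init__(self) -> None:
        self._by_key: dict = {}

    def register(self, display_name: str) -> bool:
        key = canonical_username(display_name)
        if not ALLOWED_CANONICAL.match(key) or key in self._by_key:
            return False
        self._by_key[key] = display_name
        return True

    def lookup(self, name: str):
        """Resolve any variant spelling to the registered display name."""
        return self._by_key.get(canonical_username(name))


if __name__ == "__main__":
    reg = UsernameRegistry()
    for candidate in ["Admin", "admin", "\u0410dmin", "\uff21dmin", "admin\u200b", "Adm\u0131n"]:
        print(repr(candidate), reg.register(candidate))
```

Store the canonical key in a unique-indexed column alongside the display name, and run the same function on sign-in and on every lookup so that a stored variant can never be addressed by a different spelling.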


 ## 2025-09-08 — Day 5 
 **Coverage:** Forgot Password (JWT handling), Sign-in redirect parameters, Origin IP exposure   
 **Activities:** JWT payload review (decode-only), callback URL redirect behavior check, passive OSINT for infrastructure exposure 

 **Findings summary:** 
 - **ST-022 (High):** *OTP exposed in JWT* — Forgot Password flow returns a JWT whose decoded payload contains the OTP.  
 - **ST-023 (High):** *Open redirect on sign-in* — `callbackUrl` on `/signin` allows redirection to external domains (e.g., `https://evil.com`).  
 - **ST-024 (Medium/High):** *Origin IP exposure* — Public search reveals origin IP for `aiaxio.com`, enabling potential WAF bypass attempts.  
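For ST-023 the fix is to treat `callbackUrl` as untrusted input and reduce it to either a same-origin path or an `https` URL on an explicit host allow-list. The Python below is an added example (not code from the aiaxio.com application or from this report) of such a check; the allowed hosts and the fallback landing page are assumptions for the illustration.

```python
"""Added example: validate a post-login callbackUrl so it can only send the
browser to a relative path on the site or to an https URL on an allow-listed host."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumptions for this example: the application's own hosts and landing page.
ALLOWED_HOSTS = {"aiaxio.com", "www.aiaxio.com"}
DEFAULT_REDIRECT = "/dashboard"


def safe_callback_url(raw: Optional[str]) -> str:
    """Return a redirect target that stays on the site, or DEFAULT_REDIRECT."""
    if not raw:
        return DEFAULT_REDIRECT
    raw = raw.strip()
    # Control characters and backslashes are rejected outright: browsers
    # normalise "\" to "/", and CR/LF would allow header injection downstream.
    if any(ord(c) < 0x20 for c in raw) or "\\" in raw:
        return DEFAULT_REDIRECT
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//host") URL: only https to our hosts.
        # parts.hostname discards any "user@" prefix, so a value such as
        # "https://aiaxio.com@evil.com/" resolves to evil.com and is refused.
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in ALLOWED_HOSTS:
            return DEFAULT_REDIRECT
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    # Relative target: exactly one leading slash keeps it on this origin.
    if not raw.startswith("/") or raw.startswith("//"):
        return DEFAULT_REDIRECT
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs, not values captured during the assessment.
    for value in ["/profile?tab=1", "https://aiaxio.com/profile", "https://evil.com",
                  "//evil.com/x", "javascript:alert(1)", "https://aiaxio.com@evil.com/", None]:
        print(repr(value), "->", safe_callback_url(value))
```

Rebuilding the URL from its parsed components, rather than echoing the raw parameter, is what makes the check robust: anything the parser did not place in scheme, host, path or query (fragments, embedded credentials, stray whitespace) never reaches the `Location` header.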


  



## Ref 01 [Screenshots Drive Link](https://docs.google.com/spreadsheets/d/1Vy10Z0qj0YL2OQ6T__CT4vr_sH30PB72KJsa2jXBuWs/edit?gid=1148735355#gid=1148735355)

## Ref 02 [Issues Sheet](https://docs.google.com/spreadsheets/d/1Vy10Z0qj0YL2OQ6T__CT4vr_sH30PB72KJsa2jXBuWs/edit?gid=1148735355#gid=1148735355)
