
Lab 09: Brute-forcing a stay-logged-in cookie
1. Executive Summary Vulnerability: Predictable Session Token (Insecure Cookie Construction). Description: The application implements a “Stay Logged In” feature by creating a persistent cookie. H...

1. Executive Summary Vulnerability: Broken 2FA Logic (Insecure Verification Cookie). Description: The application uses a client-side cookie (verify) to determine which user is currently performin...

1. Executive Summary Vulnerability: Broken Two-Factor Authentication (2FA) via Forced Browsing. Description: The application creates a valid, fully authenticated session cookie immediately after ...

1. Executive Summary Vulnerability: Broken Brute-Force Protection (JSON Array Injection). Description: The application accepts authentication credentials via JSON. While it likely implements rate...

1. Executive Summary Vulnerability: Information Disclosure via Account Lock Logic. Description: The application implements account locking to prevent brute-forcing. However, the system verifies t...

1. Executive Summary Vulnerability: Broken Brute-Force Protection (Counter Reset Logic Flaw). Description: The application implements a “strike system” where too many failed login attempts result...

1. Executive Summary Vulnerability: Username Enumeration via Response Timing. Description: The application processes login attempts sequentially: first, it checks if the username exists; second, ...

1. Executive Summary Vulnerability: Username Enumeration (via Subtle Textual Differences). Description: The application attempts to prevent enumeration by using the same error message (“Invalid u...

1. Executive Summary Vulnerability: Username Enumeration (via Verbose Error Messages). Description: The application provides different error messages depending on whether a submitted username exi...

1. Executive Summary Vulnerability: Cross-Site WebSocket Hijacking (CSWSH). Description: The application’s WebSocket handshake relies solely on HTTP cookies for session handling and lacks CSRF pr...