{ "vulnerabilities": [ { "ID": "AUTH-VULN-01", "vulnerability_type": "Abuse_Defenses_Missing", "externally_exploitable": true, "source_endpoint": "POST /verify", "vulnerable_code_location": "/repos/inou-portal/lib/dbcore.go:330-353", "missing_defense": "No rate limiting, account lockout, or attempt tracking on verification code validation", "exploitation_hypothesis": "An attacker can successfully authenticate to any account by systematically trying all 1,000,000 possible 6-digit verification codes without throttling", "suggested_exploit_technique": "brute_force_login", "confidence": "High", "notes": "At 100 requests/second, the average time to success is 83 minutes. No CAPTCHA trigger. No monitoring alerts. Target both /verify and /api/v1/auth/verify endpoints." }, { "ID": "AUTH-VULN-02", "vulnerability_type": "Abuse_Defenses_Missing", "externally_exploitable": true, "source_endpoint": "POST /send-code", "vulnerable_code_location": "/repos/inou-portal/portal/main.go:540-557", "missing_defense": "No per-email or per-IP rate limiting on verification code generation", "exploitation_hypothesis": "An attacker can flood any victim's email inbox with unlimited verification codes, creating a denial-of-service condition that prevents legitimate login", "suggested_exploit_technique": "email_flooding", "confidence": "High", "notes": "The only defense is a trivial 2-second nonce check. Also affects /api/v1/auth/send. This can overwhelm the victim's inbox and the SMTP server." 
}, { "ID": "AUTH-VULN-03", "vulnerability_type": "Abuse_Defenses_Missing", "externally_exploitable": true, "source_endpoint": "POST /oauth/token", "vulnerable_code_location": "/repos/inou-portal/portal/oauth.go:144-296", "missing_defense": "No rate limiting on client_secret validation attempts", "exploitation_hypothesis": "An attacker who obtains a valid client_id can attempt to brute-force or credential-stuff the client_secret to gain OAuth access tokens", "suggested_exploit_technique": "credential_stuffing", "confidence": "Medium", "notes": "Bcrypt adds computational cost but doesn't prevent attacks. Requires obtaining a valid client_id first through reconnaissance or leaks." }, { "ID": "AUTH-VULN-04", "vulnerability_type": "Login_Flow_Logic", "externally_exploitable": true, "source_endpoint": "POST /verify", "vulnerable_code_location": "/repos/inou-portal/lib/dbcore.go:351", "missing_defense": "Session ID not rotated after successful authentication", "exploitation_hypothesis": "An attacker can force a victim to use a known session identifier, then wait for authentication to activate the pre-set session", "suggested_exploit_technique": "session_fixation", "confidence": "High", "notes": "The same dossierID is used across all logins for the same email. No new session ID is generated on authentication. Classic session fixation pattern." }, { "ID": "AUTH-VULN-05", "vulnerability_type": "Session_Management_Flaw", "externally_exploitable": true, "source_endpoint": "GET /logout", "vulnerable_code_location": "/repos/inou-portal/portal/main.go:638-641", "missing_defense": "No server-side session invalidation on logout", "exploitation_hypothesis": "An attacker who steals a session cookie maintains persistent access even after the victim logs out, as the server never invalidates the session", "suggested_exploit_technique": "session_hijacking", "confidence": "High", "notes": "Logout only clears the client-side cookie. No database update or session revocation occurs. Stolen cookies work indefinitely. No mobile API logout endpoint exists." }, { "ID": "AUTH-VULN-06", "vulnerability_type": "Token_Management_Issue", "externally_exploitable": true, "source_endpoint": "POST /api/v1/auth/verify", "vulnerable_code_location": "/repos/inou-portal/portal/api_mobile.go:136-141", "missing_defense": "Mobile session tokens have no expiration timestamp or validation", "exploitation_hypothesis": "An attacker who obtains a mobile SessionToken gains permanent API access with no expiration or revocation mechanism", "suggested_exploit_technique": "token_replay", "confidence": "High", "notes": "The SessionToken field in the database has no expiry. The token is generated once and reused forever. There is no logout endpoint for mobile. Tokens remain valid after web logout." }, { "ID": "AUTH-VULN-07", "vulnerability_type": "Authentication_Bypass", "externally_exploitable": true, "source_endpoint": "POST /api/v1/auth/verify", "vulnerable_code_location": "/repos/inou-portal/portal/api_mobile.go:127-128, /repos/inou-portal/lib/dbcore.go:347", "missing_defense": "Hardcoded backdoor verification code bypasses all authentication", "exploitation_hypothesis": "An attacker can authenticate as any user by entering any email address and the backdoor code 250365, completely bypassing the email verification system", "suggested_exploit_technique": "backdoor_authentication", "confidence": "High", "notes": "CRITICAL: Universal authentication bypass. Code 250365 works for any account on both web and mobile. Complete security failure. HIPAA/GDPR violation." 
}, { "ID": "AUTH-VULN-08", "vulnerability_type": "Transport_Exposure", "externally_exploitable": true, "source_endpoint": "POST /api/v1/auth/verify", "vulnerable_code_location": "/repos/inou-portal/portal/api_mobile.go:256-259", "missing_defense": "No Cache-Control: no-store header on authentication responses containing session tokens", "exploitation_hypothesis": "An attacker with access to browser cache, proxy logs, or CDN caches can retrieve previously issued session tokens", "suggested_exploit_technique": "cache_poisoning", "confidence": "High", "notes": "This affects all auth endpoints: /verify, /send-code, /api/v1/auth/send, /api/v1/auth/verify. OAuth endpoints properly set Cache-Control." }, { "ID": "AUTH-VULN-09", "vulnerability_type": "Transport_Exposure", "externally_exploitable": true, "source_endpoint": "ALL", "vulnerable_code_location": "/repos/inou-portal/portal/main.go:1963-1964", "missing_defense": "No HTTPS enforcement at application level and no HSTS header", "exploitation_hypothesis": "An attacker can execute SSL stripping attacks to downgrade connections to HTTP and intercept session cookies and authentication tokens in transit", "suggested_exploit_technique": "ssl_stripping", "confidence": "Medium", "notes": "The server runs on HTTP port 1080. This finding assumes production lacks proper TLS termination. Cookies set with the Secure flag will not work over HTTP." }, { "ID": "AUTH-VULN-10", "vulnerability_type": "OAuth_Flow_Issue", "externally_exploitable": true, "source_endpoint": "GET /oauth/authorize", "vulnerable_code_location": "/repos/inou-portal/portal/oauth.go:62", "missing_defense": "OAuth state parameter not enforced as required for CSRF protection", "exploitation_hypothesis": "An attacker can craft a malicious OAuth authorization URL without a state parameter and trick a victim into authorizing access to the attacker's application", "suggested_exploit_technique": "oauth_csrf", "confidence": "Medium", "notes": "The state parameter is accepted but not required. No minimum length validation is performed. Social engineering is required. PKCE provides partial mitigation." } ] }