{
|
|
"vulnerabilities": [
|
|
{
|
|
"ID": "AUTH-VULN-01",
|
|
"vulnerability_type": "Abuse_Defenses_Missing",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "POST /verify",
|
|
"vulnerable_code_location": "/repos/inou-portal/lib/dbcore.go:330-353",
|
|
"missing_defense": "No rate limiting, account lockout, or attempt tracking on verification code validation",
|
|
"exploitation_hypothesis": "An attacker can successfully authenticate to any account by systematically trying all 1,000,000 possible 6-digit verification codes without throttling",
|
|
"suggested_exploit_technique": "brute_force_login",
|
|
"confidence": "High",
|
|
"notes": "At 100 requests/second, average success time is 83 minutes. No CAPTCHA trigger. No monitoring alerts. Target both /verify and /api/v1/auth/verify endpoints."
|
|
},
|
|
{
|
|
"ID": "AUTH-VULN-02",
|
|
"vulnerability_type": "Abuse_Defenses_Missing",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "POST /send-code",
|
|
"vulnerable_code_location": "/repos/inou-portal/portal/main.go:540-557",
|
|
"missing_defense": "No per-email or per-IP rate limiting on verification code generation",
|
|
"exploitation_hypothesis": "An attacker can flood any victim's email inbox with unlimited verification codes, creating a denial-of-service condition that prevents legitimate login",
|
|
"suggested_exploit_technique": "email_flooding",
|
|
"confidence": "High",
|
|
"notes": "Only defense is trivial 2-second nonce check. Also affects /api/v1/auth/send. Can overwhelm victim inbox and SMTP server."
|
|
},
|
|
{
|
|
"ID": "AUTH-VULN-03",
|
|
"vulnerability_type": "Abuse_Defenses_Missing",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "POST /oauth/token",
|
|
"vulnerable_code_location": "/repos/inou-portal/portal/oauth.go:144-296",
|
|
"missing_defense": "No rate limiting on client_secret validation attempts",
|
|
"exploitation_hypothesis": "An attacker who obtains a valid client_id can attempt to brute-force or credential-stuff the client_secret to gain OAuth access tokens",
|
|
"suggested_exploit_technique": "credential_stuffing",
|
|
"confidence": "Medium",
|
|
"notes": "Bcrypt adds computational cost but doesn't prevent attacks. Requires obtaining valid client_id first through reconnaissance or leaks."
|
|
},
|
|
{
|
|
"ID": "AUTH-VULN-04",
|
|
"vulnerability_type": "Login_Flow_Logic",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "POST /verify",
|
|
"vulnerable_code_location": "/repos/inou-portal/lib/dbcore.go:351",
|
|
"missing_defense": "Session ID not rotated after successful authentication",
|
|
"exploitation_hypothesis": "An attacker can force a victim to use a known session identifier, then wait for authentication to activate the pre-set session",
|
|
"suggested_exploit_technique": "session_fixation",
|
|
"confidence": "High",
|
|
"notes": "Same dossierID used across all logins for same email. No new session ID generated on authentication. Classic session fixation pattern."
|
|
},
|
|
{
|
|
"ID": "AUTH-VULN-05",
|
|
"vulnerability_type": "Session_Management_Flaw",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "GET /logout",
|
|
"vulnerable_code_location": "/repos/inou-portal/portal/main.go:638-641",
|
|
"missing_defense": "No server-side session invalidation on logout",
|
|
"exploitation_hypothesis": "An attacker who steals a session cookie maintains persistent access even after the victim logs out, as the server never invalidates the session",
|
|
"suggested_exploit_technique": "session_hijacking",
|
|
"confidence": "High",
|
|
"notes": "Logout only clears client-side cookie. No database update or session revocation. Stolen cookies work indefinitely. No mobile API logout endpoint exists."
|
|
},
|
|
{
|
|
"ID": "AUTH-VULN-06",
|
|
"vulnerability_type": "Token_Management_Issue",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "POST /api/v1/auth/verify",
|
|
"vulnerable_code_location": "/repos/inou-portal/portal/api_mobile.go:136-141",
|
|
"missing_defense": "Mobile session tokens have no expiration timestamp or validation",
|
|
"exploitation_hypothesis": "An attacker who obtains a mobile SessionToken gains permanent API access with no expiration or revocation mechanism",
|
|
"suggested_exploit_technique": "token_replay",
|
|
"confidence": "High",
|
|
"notes": "SessionToken field in database has no expiry. Token generated once and reused forever. No logout endpoint for mobile. Tokens remain valid after web logout."
|
|
},
|
|
{
|
|
"ID": "AUTH-VULN-07",
|
|
"vulnerability_type": "Authentication_Bypass",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "POST /api/v1/auth/verify",
|
|
"vulnerable_code_location": "/repos/inou-portal/portal/api_mobile.go:127-128, /repos/inou-portal/lib/dbcore.go:347",
|
|
"missing_defense": "Hardcoded backdoor verification code bypasses all authentication",
|
|
"exploitation_hypothesis": "An attacker can authenticate as any user by entering any email address and the backdoor code 250365, completely bypassing the email verification system",
|
|
"suggested_exploit_technique": "backdoor_authentication",
|
|
"confidence": "High",
|
|
"notes": "CRITICAL: Universal authentication bypass. Code 250365 works for any account on both web and mobile. Complete security failure. HIPAA/GDPR violation."
|
|
},
|
|
{
|
|
"ID": "AUTH-VULN-08",
|
|
"vulnerability_type": "Transport_Exposure",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "POST /api/v1/auth/verify",
|
|
"vulnerable_code_location": "/repos/inou-portal/portal/api_mobile.go:256-259",
|
|
"missing_defense": "No Cache-Control: no-store header on authentication responses containing session tokens",
|
|
"exploitation_hypothesis": "An attacker with access to browser cache, proxy logs, or CDN caches can retrieve previously issued session tokens",
|
|
"suggested_exploit_technique": "cache_poisoning",
|
|
"confidence": "High",
|
|
"notes": "Affects all auth endpoints: /verify, /send-code, /api/v1/auth/send, /api/v1/auth/verify. OAuth endpoints properly set Cache-Control."
|
|
},
|
|
{
|
|
"ID": "AUTH-VULN-09",
|
|
"vulnerability_type": "Transport_Exposure",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "ALL",
|
|
"vulnerable_code_location": "/repos/inou-portal/portal/main.go:1963-1964",
|
|
"missing_defense": "No HTTPS enforcement at application level and no HSTS header",
|
|
"exploitation_hypothesis": "An attacker can execute SSL stripping attacks to downgrade connections to HTTP and intercept session cookies and authentication tokens in transit",
|
|
"suggested_exploit_technique": "ssl_stripping",
|
|
"confidence": "Medium",
|
|
"notes": "Server runs on HTTP port 1080. Assumes production lacks proper TLS termination. Cookies set with Secure flag will fail over HTTP."
|
|
},
|
|
{
|
|
"ID": "AUTH-VULN-10",
|
|
"vulnerability_type": "OAuth_Flow_Issue",
|
|
"externally_exploitable": true,
|
|
"source_endpoint": "GET /oauth/authorize",
|
|
"vulnerable_code_location": "/repos/inou-portal/portal/oauth.go:62",
|
|
"missing_defense": "OAuth state parameter not enforced as required for CSRF protection",
|
|
"exploitation_hypothesis": "An attacker can craft a malicious OAuth authorization URL without state parameter and trick a victim into authorizing access to the attacker's application",
|
|
"suggested_exploit_technique": "oauth_csrf",
|
|
"confidence": "Medium",
|
|
"notes": "State accepted but not required. No minimum length validation. Social engineering required. PKCE provides partial mitigation."
|
|
}
|
|
]
|
|
}
|