| ID | Finding | OWASP Top 10 | Severity | CVSS | Endpoint | Method | Test Suite |
|---|---|---|---|---|---|---|---|
| A02-01 | JWT Insecure — Algorithm 'none' | A02 | Critical | 9.1 | /api/auth/me | GET | test-auth |
| A03-02 | OS Command Injection (Admin Data Export) | A03 | Critical | 9.8 | /api/admin/export | POST | test-injection |
| A03-03 | Vulnerability Chaining: Command Injection + Path Traversal | A03 | Critical | 9.8 | /api/admin/export + /api/documents | POST + GET | test-injection |
| A10-01 | SSRF — Stock Quote Proxy + Actuator | A10 | Critical | 9.1 | /api/stocks/quote | GET | test-ssrf |
| A01-01 | Path Traversal (Document Retrieval) | A01 | High | 7.5 | /api/documents | GET | test-injection |
| A01-02 | Authentication Bypass (Verify Account) | A01 | High | 7.5 | /api/transfers/verify/{id} | GET | test-access |
| A01-04 | Horizontal Authorization Bypass (Transfer) | A01 | High | 8.1 | /api/transfers | POST | test-access |
| A01-05 | Vertical Authorization Bypass (Admin Export) | A01 | High | 8.8 | /api/admin/export, /api/admin/users, /api/... | POST | test-access |
| A01-07 | CSRF — Cross-Site Request Forgery (Fund Transfer) | A01 | High | 8.1 | /api/statements/transfer | POST | test-client |
| A01-08 | CORS Misconfiguration — Cross-Origin Data Theft | A01 | High | 7.4 | /api/statements/accounts (and others) | GET | test-client |
| A02-02 | JWT Insecure — Weak Signing Key | A02 | High | 8.1 | /api/auth/login | POST | test-auth |
| A02-03 | Unsafe Password Storage — Plaintext Passwords | A02 | High | 7.5 | Database (people table) | - | test-crypto |
| A03-01 | SQL Injection (ORDER BY) | A03 | High | 8.6 | /api/accounts/{id}/transactions | GET | test-injection |
| A04-03 | Arbitrary File Upload — Avatar Upload Without Server-Side Validation | A04 | High | 8.8 | /api/profile/avatar | POST | test-logic |
| A05-02 | Disclosure of Sensitive File (.env) | A05 | High | | /.env | GET | test-exceptions |
| A05-06 | XXE — XML External Entity (Full Read) | A05 | High | 7.5 | /api/report | POST | test-injection |
| A07-113 | Missing Authentication via alg:none JWT | A07 | High | 7.5 | /api/accounts/{id} | GET | test-auth |
| A01-03 | IDOR — Direct Object Reference (Account) | A01 | Medium | 6.5 | /api/accounts/{id}, /api/accounts/{id}/tra... | GET | test-access |
| A01-06 | Open Redirect — Unvalidated Post-Login Redirect | A01 | Medium | 4.7 | /login | GET | test-advanced |
| A03-04 | Stored XSS — Persistent Cross-Site Scripting | A03 | Medium | 6.1 | /api/contact | POST | test-injection |
| A03-05 | DOM-based XSS — DOM Cross-Site Scripting | A03 | Medium | 6.1 | /dashboard#, /search?query= | GET | test-injection |
| A04-01 | Application Logic — Negative Transfer and Overdraft | A04 | Medium | 6.5 | /api/transfers | POST | test-logic |
| A04-02 | Client-Side Business Rule Enforcement — Suspended Account Bypass | A04 | Medium | 6.5 | /api/transfers | POST | test-logic |
| A07-01 | User Enumeration (Login) | A07 | Medium | 5.3 | /api/auth/login | POST | test-auth |
| A07-02 | Weak Password Policy — No Password Validation | A07 | Medium | 5.3 | /api/settings/change-password | PUT | test-auth |
| A07-110 | JWT Token Not Invalidated on Logout | A07 | Medium | 6.5 | /api/accounts | POST | test-auth |
| A05-03 | JavaScript Source Code Exposure (Source Maps) | A05 | Low | | /assets/*.js.map | GET | test-exceptions |
| A05-04 | Stacktrace Disclosure | A05 | Low | | /api/accounts/abc | GET | test-exceptions |
| A05-05 | HTTP Security Response Headers Missing | A05 | Low | | All endpoints | GET/POST | test-client |
| A05-07 | Clickjacking — UI Redressing Attack | A05 | Low | | Any SPA endpoint (/transfer, /accounts) | GET | test-client |
| A05-01 | Information Disclosure: Server Header | A05 | Informational | | Any endpoint | GET/POST | test-exceptions |
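Three of the findings above (A02-01 and A07-113, JWT `alg: none`; A02-02, weak HMAC signing key) share one root cause: the server lets the token header choose the verification algorithm, and signs with a guessable secret. The block below is an added, stdlib-only illustration of both checks and is not code from the audited application or its test suites. The secret `secret`, the candidate wordlist and the claims are constructed for the example; the naive verifier is written to reproduce the `alg: none` acceptance that the table reports, and the strict verifier shows the fix: pin the algorithm server-side, never read it from the header, and reject an empty signature.

```python
"""Added example: JWT 'alg: none' forgery and HS256 weak-key check (stdlib only).

All tokens, secrets and claims here are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a legitimately signed HS256 token (what the login endpoint would do)."""
    header_b64 = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload_b64 = _encode_json(payload)
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def forge_alg_none(payload: dict) -> str:
    """Attacker side: header says alg=none, signature part left empty. No key needed."""
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{_encode_json(payload)}."


def verify_naive(token: str, secret: bytes):
    """VULNERABLE (constructed to mirror findings A02-01 / A07-113).

    Trusts the attacker-controlled header to decide whether a signature is needed.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":          # the bug: unsigned tokens are accepted
        return json.loads(b64url_decode(payload_b64))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_strict(token: str, secret: bytes):
    """HARDENED: algorithm is pinned to HS256 by the server, never chosen by the token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:                       # covers bad base64 and bad JSON
        return None
    # Header alg must equal the pinned algorithm, and a signature must be present.
    if header.get("alg") != "HS256" or not sig_b64:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def crack_hs256_secret(token: str, candidates):
    """Offline dictionary check for finding A02-02: a guessable HMAC key.

    Returns the first candidate that reproduces the token's signature, else None.
    Run this against your own issued tokens; a hit means any client can mint admin tokens.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for candidate in candidates:
        guess = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


if __name__ == "__main__":
    weak_secret = b"secret"                                   # constructed weak key
    real = sign_hs256({"sub": "alice", "role": "user"}, weak_secret)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("naive accepts forged alg=none token:", verify_naive(forged, weak_secret))
    print("strict rejects it:", verify_strict(forged, weak_secret))
    print("recovered key:", crack_hs256_secret(real, ["password", "123456", "secret"]))
```

The same structural fix applies whichever JWT library the service uses: pass the expected algorithm list explicitly to the verifier and treat a header that disagrees with it as an authentication failure rather than a hint. The dictionary check is deliberately tiny; in practice the wordlist comes from the deployment's own defaults, example configs and leaked `.env` files (see A05-02), which is exactly why a weak key and a readable `.env` compound each other.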