| ID | Finding | OWASP Category | Severity | CVSS | Endpoint | Method | Test Suite |
|---|---|---|---|---|---|---|---|
| A02-03 | JWT Algorithm 'none' — Unsigned Tokens Accepted | A02 | Critical | 9.1 | /api/jwt/userinfo, /api/jwt/admin | POST | test-auth |
| A03-002 | Sensitive Data Exposure via XXE (appsettings.json) | A03 | Critical | 9.1 | /ViewAccount/GenerateReport | POST | test-injection |
| A03-01 | SQL Injection (Login) — Error-Based Data Extraction | A03 | Critical | 9.8 | /Account/Login | POST | test-injection |
| A03-03 | Command Injection — OS Command Execution | A03 | Critical | 9.8 | /KnowledgeBase/ViewPage | GET | test-injection |
| A07-03 | Execute SQL Secret Phrase Bypass | A07 | Critical | 9.8 | /ExecuteSQL/Submit | POST | test-auth |
| A10-01 | SSRF — Internal URL Requests | A10 | Critical | 9.1 | /PartnerBank | POST | test-ssrf |
| A01-01 | SQL Injection (order) — Account Data Extraction | A01 | High | 8.6 | /ViewAccount | GET | test-injection |
| A01-03 | Broken Function Level Authorization — List All Accounts | A01 | High | 7.5 | /api/accounts | GET | test-access |
| A01-04 | Unauthorized Account Deletion | A01 | High | 8.1 | /api/accounts/{id} | DELETE | test-access |
| A01-05 | Mass Assignment / Overposting — Admin Role Assignment | A01 | High | 8.8 | /Register/Index | POST | test-access |
| A01-07 | Path Traversal — File Read Outside Directory | A01 | High | 7.5 | /KnowledgeBase/ViewPage | GET | test-injection |
| A02-01 | Plaintext Passwords in Database | A02 | High | 7.5 | Database (Users table) | - | test-crypto |
| A02-02 | Hardcoded JWT Secret — Weak Fixed Key | A02 | High | 8.1 | /api/TokenService | POST | test-auth |
| A02-040 | Cleartext HTTP-Only Service (No HTTPS/TLS) | A02 | High | 6.9 | / | GET | test-crypto |
| A03-02 | SQL Injection (order) — UNION-Based Data Extraction | A03 | High | 8.6 | /ViewAccount | GET | test-injection |
| A03-04 | XXE (GenerateReport) — Local File Read via External Entity | A03 | High | 7.5 | /ViewAccount/GenerateReport | POST | test-injection |
| A03-05 | XXE (ExportProfileConfig) — File Disclosure via XXE | A03 | High | 7.5 | /Home/ExportProfileConfig | POST | test-injection |
| A04-01 | CSRF — Cross-Site Fund Transfer and Email Change | A04 | High | 8.1 | /TransferFund, /ChangeEmail | POST | test-client |
| A04-03 | Client-Side Only Validation — File Upload Bypass | A04 | High | 8.8 | /UploadContent | POST | test-logic |
| A05-02 | CORS Allow All Origins — Credentials with Wildcard | A05 | High | 7.4 | Global (API endpoints) | GET/POST | test-client |
| A07-02 | No Account Lockout — Unlimited Brute Force | A07 | High | 7.5 | /Account/Login | POST | test-auth |
| A01-02 | IDOR — Account Enumeration | A01 | Medium | 6.5 | /api/accounts/{id} | GET | test-access |
| A01-06 | Open Redirect | A01 | Medium | 4.7 | /Account/Login | GET | test-advanced |
| A02-015 | Insecure Session Cookie Configuration (Missing HttpOnly/Secure/SameSite) | A02 | Medium | 4.3 | / | GET | test-crypto |
| A02-04 | JWT No Expiration — Tokens Valid Indefinitely | A02 | Medium | 5.4 | /api/TokenService | POST | test-auth |
| A03-06 | DOM XSS (Hash) — JavaScript Execution via URL Fragment | A03 | Medium | 6.1 | / (Home page) | GET | test-injection |
| A03-07 | Reflected XSS (Login) — XSS in Error Message | A03 | Medium | 6.1 | /Account/Login | POST | test-injection |
| A03-08 | Stored XSS (Forum) — Persistent XSS in Post Titles | A03 | Medium | 6.1 | /Forum | POST | test-injection |
| A03-09 | XSS (Audit Log Search) — XSS in Search Field | A03 | Medium | 6.1 | /SecurityAudit | GET | test-injection |
| A03-10 | Log Injection / CRLF — Falsified Log Entries | A03 | Medium | 5.3 | /Account/Login | POST | test-advanced |
| A04-02 | Race Condition — Overdraft via Concurrent Transfers | A04 | Medium | 6.5 | /TransferFund | POST | test-logic |
| A04-036 | Missing Rate Limiting on Fund Transfer | A04 | Medium | 5.1 | /api/transfers | POST | test-logic |
| A05-03 | Weak Password Policy — Single Character Password Accepted | A05 | Medium | 5.3 | /Register/Index | POST | test-auth |
| A05-033 | ASP.NET Core Running in Development Mode (ASPNETCORE_ENVIRONMENT=Development) | A05 | Medium | 5.3 | / | GET | test-exceptions |
| A05-037 | Internal Network Topology Leaked via Error Page (Docker IPs/Proxy Config) | A05 | Medium | 5.1 | / | GET | test-exceptions |
| A05-041 | IIS Detailed Error Pages Expose Physical Paths | A05 | Medium | 5.3 | / | GET | test-exceptions |
| A05-18 | Missing Security Headers (HSTS/CSP/X-Frame-Options) | A05 | Medium | 5.3 | / | GET | test-exceptions |
| A06-01 | jQuery 3.4.1 (CVE-2020-11022/11023) — XSS via htmlPrefilter | A06 | Medium | 6.1 | Frontend (all pages) | - | test-supply-chain |
| A06-02 | Newtonsoft.Json 13.0.1 — Known Security Advisory | A06 | Medium | | Backend | - | test-supply-chain |
| A06-03 | System.Data.SqlClient 4.8.3 — Known CVEs | A06 | Medium | | Backend | - | test-supply-chain |
| A07-01 | User Enumeration — Different Messages Reveal Existing Users | A07 | Medium | 5.3 | /Account/Login | POST | test-auth |
| A07-034 | Insufficient Session Invalidation After Logout | A07 | Medium | 6.9 | /account/logout | POST | test-auth |
| A09-01 | Unauthenticated Log Access — Public Security Logs | A09 | Medium | 5.3 | /SecurityAudit | GET | test-access |
| A09-02 | XSS in Security Audit — XSS in Log Viewer | A09 | Medium | 6.1 | /SecurityAudit | GET | test-injection |
| A05-01 | Verbose Error Messages — Full Stack Trace Exposed | A05 | Low | | Global (e.g. /ViewAccount, /Betafeature) | GET | test-exceptions |
| A05-024 | HTTP Method Tampering (PUT/DELETE on GET endpoints) | A05 | Low | 3.1 | /Home, /SecurityAudit, /KnowledgeBase | PUT/DELETE/PATCH | test-advanced |
| A05-04 | Swagger UI Exposed — Unauthenticated API Documentation | A05 | Low | | /swagger | GET | test-exceptions |