MedPortal (Neo Benchmark)
17/20 (85.0%) — Tied with Neo (17/20)
Combined white-box code review and black-box dynamic testing. 3 false positives. 3 additional vulnerabilities found outside the ground truth. Run: 2026-03-24.
Healthcare patient portal from ProjectDiscovery's Vibe-Coding Benchmark. Built with Codex (gpt-5-codex). Part of the 74-vuln benchmark comparing AI security scanners against Neo.
Lab Info
| Field | Value |
|---|---|
| Stack | Next.js 14, Prisma, PostgreSQL, NextAuth.js |
| LOC | 4,528 |
| Port | 8102 |
| Roles | Admin, Doctor, Nurse, Lab Technician, Patient |
| Auth | NextAuth.js credentials provider (session cookies) |
| Source | github.com/projectdiscovery/research |
Score Breakdown
By Severity
| Severity | Total | Found | Missed | Rate |
|---|---|---|---|---|
| High | 6 | 5 | 1 | 83% |
| Medium | 1 | 1 | 0 | 100% |
| Low | 7 | 7 | 0 | 100% |
| Info | 6 | 4 | 2 | 67% |
| Total | 20 | 17 | 3 | 85.0% |
vs Neo Baseline
| Metric | BeDefended | Neo | Delta |
|---|---|---|---|
| True Positives | 17/20 | 17/20 | 0 (tied) |
| False Positives | 3 | 3 | 0 (tied) |
| Precision | 85% | 85% | 0 |
By Vulnerability Category
| Category | Total | Found | Skills Used |
|---|---|---|---|
| Access Control | 7 | 6 | test-access |
| Auth & Session | 5 | 5 | test-auth |
| Input Validation | 3 | 3 | test-injection, test-logic |
| Info Disclosure | 5 | 3 | test-exceptions |
Per-Finding Results
| ID | Finding | Severity | Neo | BD | Status |
|---|---|---|---|---|---|
| MED-001 | Password Hash Exposure | High | Found | Found | TP |
| MED-002 | Privilege Escalation via Mass Assignment | High | Found | Found | TP |
| MED-003 | Mass Assignment Across All Endpoints | High | Found | Found | TP |
| MED-004 | IDOR, No Ownership Verification | High | Found | Found | TP |
| MED-005 | Middleware Only Protects Dashboard | High | Found | Found | TP |
| MED-033 | Nurse Creates Prescriptions | High | Found | Missed | FN |
| MED-006 | Search API, No Role Restriction | Medium | Found | Found | TP |
| MED-007 | No Rate Limiting on Auth | Low | Found | Found | TP |
| MED-008 | Missing Security Headers | Low | Found | Found | TP |
| MED-009 | No Session Invalidation | Low | Found | Found | TP |
| MED-010 | Weak Default Password | Low | Found | Found | TP |
| MED-011 | No Input Length Validation | Low | Found | Found | TP |
| MED-012 | Negative/Extreme Values Accepted | Low | Found | Found | TP |
| MED-013 | Empty Required Fields Accepted | Low | Found | Found | TP |
| MED-014 | Server Version Disclosure | Info | Found | Found | TP |
| MED-015 | HSTS Not Enabled | Info | Found | Missed | FN |
| MED-016 | CSP Not Implemented | Info | Found | Found | TP |
| MED-017 | Outdated JS Libraries | Info | Missed | Missed | FN (Neo too) |
| MED-018 | X-Content-Type-Options Missing | Info | Missed | Missed | FN (Neo too) |
| MED-019 | Verbose Error Messages | Info | Found | Found | TP |
We found 3 additional real vulnerabilities not in the 74-entry benchmark:

| Finding | Severity | Description |
|---|---|---|
| IDOR on Share Links | High | Patient can revoke other patients' medical share links |
| IDOR + Mass Assignment on Doctor Profiles | Medium | Doctor modifies another doctor's specialty/availability |
| Mass Assignment on Notifications | Medium | Phishing URL injection via notification link field |
Running
```
/pentest-neo medportal
python evals/labs/vibeapps-scorer.py engagements/<dir> --app medportal --html
```