This assessment revealed several critical vulnerabilities that significantly threaten the application’s security. The most severe issues include the login brute-force weakness, allowing unlimited password guessing; the IDOR flaw that lets attackers access any user’s account data by modifying user IDs; and insecure deserialization in the loan API, enabling remote code execution and web shell deployment.
Additional issues, such as user enumeration, sensitive information stored in JWTs, and exposed debug endpoints, further increase the risk of data theft and system compromise. Together, these findings point to gaps in input validation, access control, and overall security practices.
Addressing these vulnerabilities by enforcing rate limiting, tightening authorization, sanitizing inputs, securing sensitive data, and removing unnecessary debug interfaces is essential to protect users and maintain a secure application environment.
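As an added example that is not part of this report or the assessed application, the following Python shows the shape of three of the fixes recommended above: an object-level authorization check for the IDOR, a per-username rate limit on login attempts, and a uniform failure response against user enumeration. All function names, the user store and the credentials are constructed for the demonstration.

```python
# Added example, not code from the assessed application. Names and data are
# hypothetical; a real user store holds password hashes, not secrets.
import hmac
from dataclasses import dataclass, field

# Constructed user store (keyed by numeric user id, as in the IDOR finding).
USERS = {1: {"name": "alice", "password": "pw-a"}, 2: {"name": "bob", "password": "pw-b"}}
BY_NAME = {u["name"]: u for u in USERS.values()}

class Forbidden(Exception):
    pass

def get_account_vulnerable(requested_id: int, session_user_id: int) -> dict:
    # IDOR: trusts the id from the request, so any logged-in user can read any account.
    return USERS[requested_id]

def get_account_hardened(requested_id: int, session_user_id: int) -> dict:
    # Fix: the object must belong to the authenticated subject taken from the
    # server-side session or a signature-verified token, never from the client.
    if requested_id != session_user_id:
        raise Forbidden("account does not belong to the authenticated user")
    return USERS[requested_id]

@dataclass
class LoginRateLimiter:
    # Sliding-window cap on login attempts per username.
    max_attempts: int = 5
    window_seconds: float = 300.0
    _attempts: dict = field(default_factory=dict)

    def allow(self, username: str, now: float) -> bool:
        recent = [t for t in self._attempts.get(username, []) if now - t < self.window_seconds]
        allowed = len(recent) < self.max_attempts
        if allowed:
            recent.append(now)
        self._attempts[username] = recent
        return allowed

GENERIC_FAILURE = "invalid credentials"  # same text for unknown user and wrong password

def login(username: str, password: str, limiter: LoginRateLimiter, now: float) -> str:
    if not limiter.allow(username, now):
        return GENERIC_FAILURE
    user = BY_NAME.get(username)
    # Compare against a dummy when the user is unknown, so neither the message
    # nor the timing reveals whether the username exists.
    expected = user["password"] if user else "dummy-password"
    if hmac.compare_digest(expected, password) and user is not None:
        return "ok"
    return GENERIC_FAILURE
```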