| Issue | Example |
|-------|---------|
| No rate limiting | Attackers brute-force passwords via POST /dmsviewer/login with no lockout or throttling |
| Distinguishable error messages | "Invalid username" vs "Invalid password" lets an attacker enumerate valid accounts |
| Missing CSRF tokens | Login CSRF: a cross-site request can log the victim's browser into the attacker's account |
| Session fixation possible | Session ID is not regenerated after successful authentication, so a pre-set ID stays valid |
| Plaintext over HTTP | Credentials sniffed on public Wi-Fi |
| Backend API bypass | /dmsviewer/getDocument?id=123 served without an authentication or ownership check (insecure direct object reference) |
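The following is an added example, not code from the page or from the DMS product it describes: a minimal login and document-access handler in Python that closes each row of the table except the transport one (HTTPS is a deployment setting, not application code). The user store, document ownership table, rate-limit thresholds and `/dmsviewer`-style method names are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user store (assumption): username -> (salt, PBKDF2-SHA256 hash)
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {}

def _add_user(name: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[name] = (salt, _hash_pw(password, salt))

_add_user("alice", "correct horse battery staple")

# Dummy credentials so an unknown username costs the same PBKDF2 work as a
# real one; otherwise response time alone would enumerate accounts.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_pw(secrets.token_hex(16), _DUMMY_SALT)

# Constructed ownership table (assumption): document id -> owning user
DOCUMENTS = {123: "alice", 124: "bob"}


class LoginService:
    MAX_FAILURES = 5      # failed attempts per (ip, username) ...
    WINDOW = 300.0        # ... within this many seconds triggers a 429

    def __init__(self, clock=time.monotonic):
        self.clock = clock              # injectable for testing
        self.failures = {}              # (ip, username) -> [timestamps]
        self.sessions = {}              # session id -> {"user": ..., "csrf": ...}

    def new_session(self) -> str:
        """Anonymous pre-login session carrying a CSRF token for the login form."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def _rate_limited(self, key) -> bool:
        now = self.clock()
        recent = [t for t in self.failures.get(key, []) if now - t < self.WINDOW]
        self.failures[key] = recent
        return len(recent) >= self.MAX_FAILURES

    def login(self, sid: str, ip: str, username: str, password: str, csrf_token: str):
        """Returns (status, message, session id to use from now on)."""
        sess = self.sessions.get(sid)
        # CSRF: the token must belong to the session that renders the form
        if sess is None or not hmac.compare_digest(sess["csrf"], csrf_token):
            return 403, "Forbidden", sid
        key = (ip, username)
        if self._rate_limited(key):
            return 429, "Too many attempts", sid
        salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        # Always hash, then compare in constant time; one generic message either way
        matched = hmac.compare_digest(_hash_pw(password, salt), expected)
        if not (matched and username in USERS):
            self.failures.setdefault(key, []).append(self.clock())
            return 401, "Invalid username or password", sid
        # Session fixation: discard the pre-login id and issue a fresh one
        del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        self.failures.pop(key, None)
        return 200, "OK", new_sid

    def get_document(self, sid: str, doc_id: int):
        """Authorized fetch: authentication first, then an ownership check."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is None:
            return 401, None
        if DOCUMENTS.get(doc_id) != sess["user"]:
            return 404, None   # same answer for "not yours" and "does not exist"
        return 200, f"document {doc_id}"


if __name__ == "__main__":
    svc = LoginService()
    sid = svc.new_session()
    print(svc.login(sid, "10.0.0.1", "alice", "wrong", svc.sessions[sid]["csrf"]))
```

The ownership check in `get_document` returns the same 404 for a foreign document and for a nonexistent one so the endpoint does not leak which ids exist; the login path likewise returns one message for unknown users and wrong passwords, and performs the same hashing work in both cases.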
Before writing, use the DMS to organize your preliminary materials.