solve-intelligence-test
Solve Intelligence API Security Assessment
This repository contains the results of an initial black-box security assessment conducted on the /auth/signup and /auth/signin API endpoints of https://api.solveintelligence.com. The goal was to identify potential vulnerabilities according to the OWASP API Security Top 10 (2023).
Summary
The assessment revealed critical security flaws, primarily stemming from a severe lack of rate limiting (API4:2023) on both authentication endpoints. This deficiency directly enables user enumeration and brute-force attacks (API2:2023). Additional significant concerns include potential mass assignment (API3:2023) and aspects of security misconfiguration (API7:2023). These issues collectively expose the platform to Denial of Service (DoS), account compromise, and sensitive data leakage. Immediate and robust remediation is strongly recommended.
Detailed Findings & OWASP API Security Top 10 Alignment
1. Unrestricted Resource Consumption (OWASP API4:2023) - Severity: Critical
Vulnerability: Endpoints lack effective rate limiting, allowing unbounded request volumes.
Observations:
- /signup: 200+ rapid requests (0.1 s/req) returned HTTP 200 OK with the "No valid subscription..." message; no HTTP 429 or throttling observed.
- /signin: 50+ consecutive failed login attempts triggered no HTTP 429 or account lockout.
Impact: Direct susceptibility to Denial of Service (DoS), enables unhindered brute-force/credential stuffing.
Recommendation: Implement strict IP-based and per-account rate limits. For /signup, apply 5-10 req/min/IP. For /signin, enforce 3-5 failed req/min/IP/account, triggering account lockout/CAPTCHA. Return HTTP 429 with Retry-After.
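As an added example (not part of this assessment's tooling or of Solve Intelligence's code), a framework-agnostic Python guard that applies the recommended policy: a per-IP limit on /auth/signup, per-IP and per-account limits on failed /auth/signin attempts, account lockout once the per-account limit is hit, and HTTP 429 with a Retry-After header. The 900 s lockout duration and the injected clock are assumptions; the thresholds are the upper end of the ranges recommended above.

```python
import math
from collections import defaultdict, deque
# Thresholds are the upper end of the ranges recommended above; the lockout duration is an assumption.
SIGNUP_PER_IP = (10, 60)   # 10 requests per 60 s per IP
SIGNIN_FAILED = (5, 60)    # 5 failed attempts per 60 s, per IP and per account
LOCKOUT_SECONDS = 900

class SlidingWindowLimiter:
    """Per-key event counter over a sliding window; check() -> (allowed, retry_after_seconds)."""
    def __init__(self, limit, window, clock):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)
    def check(self, key):
        now, q = self.clock(), self.events[key]
        while q and q[0] <= now - self.window:   # forget events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False, max(1, math.ceil(q[0] + self.window - now))
        return True, 0
    def record(self, key):
        self.events[key].append(self.clock())

class AuthGuard:
    def __init__(self, clock):
        self.clock = clock   # monotonic seconds, injected so the policy can be tested deterministically
        self.signup_ip = SlidingWindowLimiter(*SIGNUP_PER_IP, clock)
        self.signin_ip = SlidingWindowLimiter(*SIGNIN_FAILED, clock)
        self.signin_acct = SlidingWindowLimiter(*SIGNIN_FAILED, clock)
        self.locked_until = {}
    def signup(self, ip):
        allowed, retry = self.signup_ip.check(ip)
        if not allowed:
            return 429, {"Retry-After": str(retry)}
        self.signup_ip.record(ip)   # every signup attempt counts, whatever the outcome
        return 200, {}
    def signin(self, ip, email, password_ok):
        now = self.clock()
        if self.locked_until.get(email, 0) > now:
            return 429, {"Retry-After": str(math.ceil(self.locked_until[email] - now))}
        for limiter, key in ((self.signin_ip, ip), (self.signin_acct, email)):
            allowed, retry = limiter.check(key)
            if not allowed:
                return 429, {"Retry-After": str(retry)}
        if password_ok:
            return 200, {}
        for limiter, key in ((self.signin_ip, ip), (self.signin_acct, email)):
            limiter.record(key)   # only failed attempts count toward the signin limits
        if not self.signin_acct.check(email)[0]:
            self.locked_until[email] = now + LOCKOUT_SECONDS
        return 401, {}
```

Because the per-account lockout is keyed by email, anyone who knows an address can keep that account locked, so in production pair it with a CAPTCHA step or keep the lockout short rather than relying on it alone.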
2. Broken Authentication (OWASP API2:2023) - Severity: Critical
Vulnerability: Susceptible to user enumeration and unmitigated brute-force attacks.
Observations:
- User Enumeration: /signup's distinct "No valid subscription..." error confirms email existence, distinguishing valid from non-existent accounts.
- Easy Email Discovery: Registered emails can be easily identified through simple API requests. For example, chris@solveintelligence.com was confirmed as a registered user through basic enumeration techniques.
- Brute-Force: Absence of rate limits (per API4) permits unlimited credential guessing.
Impact: Direct path to account takeover, enables compilation of verified user lists for targeted attacks.
Recommendation: Implement generic, uniform error messages for all failed authentication/registration (e.g., "Invalid credentials"). Enforce account lockout policies.
Example User Enumeration Request:
curl --location 'https://api.solveintelligence.com/auth/signin' \
--header 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:140.0) Gecko/20100101 Firefox/140.0' \
--header 'Accept: */*' \
--header 'Accept-Language: en-US,en;q=0.5' \
--header 'Accept-Encoding: gzip, deflate, br, zstd' \
--header 'Referer: https://copilot.solveintelligence.com/' \
--header 'content-type: application/json' \
--header 'fdi-version: 1.17,1.18,1.19' \
--header 'rid: thirdpartyemailpassword' \
--header 'st-auth-mode: cookie' \
--header 'Origin: https://copilot.solveintelligence.com' \
--header 'Connection: keep-alive' \
--header 'Cookie: us_st-last-access-token-update=1752501682382' \
--header 'Sec-Fetch-Dest: empty' \
--header 'Sec-Fetch-Mode: cors' \
--header 'Sec-Fetch-Site: same-site' \
--header 'Priority: u=0' \
--header 'Pragma: no-cache' \
--header 'Cache-Control: no-cache' \
--header 'TE: trailers' \
--data-raw '{"formFields":[{"id":"email","value":"chris@solveintelligence.com"},{"id":"password","value":"!@#$%^^&*(12345ASd"}]}'
3. Input Validation & Injection (OWASP API8:2023 / API10:2023) - Severity: Critical
Vulnerability: Severely deficient input validation creates a highly forgiving attack surface for injection attacks.
Observations:
- All invalid inputs (oversized, malformed JSON, SQL injection payloads) return HTTP 200 OK with the generic body {"status":"FIELD_ERROR","formFields":[{"id":"password","error":"Field is not optional"}]}
- No granular validation for length, format, or content; only basic field presence checks
- Malformed JSON accepted without proper parsing errors
Impact: High injection risk, scanner evasion through consistent HTTP 200 responses, unpredictable behavior enabling security bypasses.
Recommendation: Implement strict server-side validation with proper HTTP status codes (400/422 for invalid input), JSON schema validation, and specific error messages. Never return HTTP 200 OK for invalid input.
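An added example, not the project's code, of a /auth/signin handler that follows the recommendations of findings 2 and 3 together: request-shape problems get distinct 4xx codes (413 oversized, 400 malformed JSON, 422 schema violation) while every authentication failure, whether the email is unknown or the password is wrong, collapses into the same generic response. It accepts the formFields body shape shown in the request above; lookup and verify are assumed hooks, and the 4 KiB body cap, email pattern and password length bounds are assumptions.

```python
import json
import re

MAX_BODY_BYTES = 4096                                   # assumed cap; the page gives none
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")  # assumed syntactic check
EXPECTED_FIELDS = {"email", "password"}
# One response for every authentication failure, whatever the underlying reason.
GENERIC_AUTH_FAILURE = (401, {"status": "FAILED", "message": "Invalid credentials"})
DUMMY_HASH = "x" * 64                                   # verified against when the account does not exist

def parse_signin(raw: bytes):
    """Shape checks: 413 oversized, 400 malformed JSON, 422 schema violation, else (200, fields)."""
    if len(raw) > MAX_BODY_BYTES:
        return 413, {"error": "payload too large"}
    try:
        doc = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return 400, {"error": "malformed JSON"}
    fields = doc.get("formFields") if isinstance(doc, dict) else None
    if not isinstance(fields, list):
        return 422, {"error": "formFields must be a list"}
    got = {}
    for f in fields:
        if not (isinstance(f, dict) and isinstance(f.get("id"), str)
                and isinstance(f.get("value"), str)):
            return 422, {"error": "each form field needs a string id and value"}
        if f["id"] not in EXPECTED_FIELDS or f["id"] in got:
            return 422, {"error": "unexpected or duplicate field"}  # no extra (mass-assignable) fields
        got[f["id"]] = f["value"]
    if set(got) != EXPECTED_FIELDS:
        return 422, {"error": "email and password are required"}
    if not EMAIL_RE.match(got["email"]) or not 8 <= len(got["password"]) <= 128:
        return 422, {"error": "email or password has an invalid format"}
    return 200, got

def signin(raw: bytes, lookup, verify):
    """lookup(email) -> stored password hash or None; verify(password, stored_hash) -> bool."""
    status, body = parse_signin(raw)
    if status != 200:
        return status, body
    stored = lookup(body["email"])
    # Run verify even for unknown accounts so neither the response nor its timing reveals whether the email exists.
    ok = verify(body["password"], DUMMY_HASH if stored is None else stored) and stored is not None
    return (200, {"status": "OK"}) if ok else GENERIC_AUTH_FAILURE
```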
✅ Conclusion & Next Steps
Solve Intelligence's authentication and registration APIs exhibit fundamental security weaknesses with high potential impact. Immediate prioritization of robust rate limiting and uniform, generic error messages is critical to mitigate direct and severe risks of account compromise and DoS. Further hardening of input validation, mass assignment prevention, and overall security configurations is essential for establishing a resilient API surface.
⚠️ Disclaimer
This assessment was performed from a black-box perspective based on publicly accessible API endpoints. No internal systems, source code or privileged access were utilized. All tests were conducted responsibly and within ethical boundaries to identify potential vulnerabilities without causing harm.