Expected Findings
- `/api/internal-notes` is intentionally exposed.
- `/api/secure-report` returns 401 and should not be flagged.
- Email validation is weak but not the same as arbitrary code execution.
This app deliberately mixes one protected route with one exposed route and a weak form validator, so a scanner's output can be graded: it should flag the exposed route, stay quiet on the route that answers 401 to unauthenticated requests, and report the validator as weak input handling rather than as code execution.
publicProfile: ok; internalNotes: exposed; secureReport: 401
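The following is an added example, not the test app's own source: an in-memory model of the three routes and the weak validator described above, together with the triage rule a scanner should apply to them. The `/api/public-profile` path, the `Authorization: Bearer` header, the token value and the handler shapes are assumptions made for this example; only the two paths quoted in the findings list come from the page.

```javascript
// Added example (not the original app's code). Models the three routes and the
// weak email validator, then probes them unauthenticated to produce the same
// summary the page lists. Token value and public-profile path are assumptions.

const VALID_TOKEN = 'secret-token'; // constructed credential for the protected route

// Each handler takes the request ({ path, headers }) and returns { status, body }.
const routes = {
  // Assumed path for the "publicProfile" entry in the summary line.
  '/api/public-profile': () => ({ status: 200, body: { name: 'demo user' } }),

  // Intentionally exposed: no authorization check at all (the true positive).
  '/api/internal-notes': () => ({ status: 200, body: { notes: ['do not ship on Friday'] } }),

  // Protected: without a valid bearer token it answers 401 (the expected non-finding).
  '/api/secure-report': (req) => {
    const auth = (req.headers && req.headers.authorization) || '';
    if (auth !== `Bearer ${VALID_TOKEN}`) {
      return { status: 401, body: { error: 'unauthorized' } };
    }
    return { status: 200, body: { report: 'quarterly numbers' } };
  },
};

function handle(req) {
  const route = routes[req.path];
  return route ? route(req) : { status: 404, body: { error: 'not found' } };
}

// Weak form validator: it only checks for an "@", so it accepts junk such as
// '<b>@x' or 'a@b'. Weak, but it never evaluates or executes the input, which
// is why a scanner must not report it as arbitrary code execution.
function isEmailWeak(value) {
  return typeof value === 'string' && value.includes('@');
}

// Unauthenticated probe of each route, producing the page's summary line.
function probe() {
  const unauth = (path) => handle({ path, headers: {} });
  const internal = unauth('/api/internal-notes');
  const secure = unauth('/api/secure-report');
  return {
    publicProfile: unauth('/api/public-profile').status === 200 ? 'ok' : 'error',
    internalNotes: internal.status === 200 ? 'exposed' : 'protected',
    secureReport: secure.status,
  };
}

// Triage rule: an unauthenticated-access finding is a true positive only when
// the request actually succeeded; a 401 is the control working; a weak
// validator is an input-validation issue, and a claim of RCE on it is overclaimed.
function triage(finding) {
  switch (finding.kind) {
    case 'unauth-access':
      return finding.status === 200 ? 'true-positive' : 'noise';
    case 'weak-validation':
      return finding.claimed === 'rce' ? 'overclaimed' : 'low-severity';
    default:
      return 'unknown';
  }
}

// Stand-alone run: prints the same summary as the page's expected line.
const summary = probe();
console.log(
  `publicProfile: ${summary.publicProfile}; internalNotes: ${summary.internalNotes}; secureReport: ${summary.secureReport}`
);
```

`probe()` is the scanner's view (no credentials); `handle()` with a valid bearer token shows that `/api/secure-report` does serve content once authenticated, which is what distinguishes a working control from a broken route.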