Signup Form

Weak Password Policy

The signup endpoint accepts 5-character passwords, never checks breach lists, and the rate limiter is global rather than per-account.

CWE-521, CWE-307
Policy probe


Expected Findings

  • The minimum password length is 5, and ASCII characters are the only requirement.
  • `password=12345` is accepted with no breach check.
  • Login attempts share a single global rate-limit bucket.

Signals

Validator
if len(pw) >= 5 { ok() }  // byte-length check only: no breach-list lookup, no per-account throttle
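The weak validator above beside a hardened form and a per-account limiter, as an added example that is not the page's own code; the breach list, the 8-character minimum and the 3-per-minute threshold are constructed for illustration.

```go
package main

import "time"
import "unicode/utf8"

// Constructed breach list for the example; a deployment would consult a real corpus.
var breached = map[string]bool{"12345": true, "password": true, "qwerty": true}

// weakValidate mirrors the page's validator: byte length only, no breach check.
func weakValidate(pw string) bool { return len(pw) >= 5 }

// strongValidate counts runes, not bytes, enforces the NIST SP 800-63B minimum of 8 and rejects breached passwords.
func strongValidate(pw string) (bool, string) {
	if utf8.RuneCountInString(pw) < 8 {
		return false, "too short"
	}
	if breached[pw] {
		return false, "found in breach corpus"
	}
	return true, ""
}

// Limiter counts attempts per account in a sliding window, so one account's
// failures cannot drain a bucket shared by every user (not goroutine-safe).
type Limiter struct {
	max    int
	window time.Duration
	hits   map[string][]time.Time
}

func NewLimiter(max int, window time.Duration) *Limiter {
	return &Limiter{max: max, window: window, hits: map[string][]time.Time{}}
}

// Allow reports whether account may attempt a login at time now.
func (l *Limiter) Allow(account string, now time.Time) bool {
	var recent []time.Time
	for _, t := range l.hits[account] {
		if now.Sub(t) < l.window { // drop attempts that have aged out
			recent = append(recent, t)
		}
	}
	if len(recent) >= l.max {
		l.hits[account] = recent
		return false
	}
	l.hits[account] = append(recent, now)
	return true
}
```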