Neural Agent Testing: AI-powered quality platform
The Demo Store platform has significant security vulnerabilities requiring urgent remediation before launch, alongside functional test failures and performance issues on high-traffic pages.
Critical Actions Required
The checkout shipping page has a visual regression (button colour change + header layout shift), a missing form labels accessibility violation, is the worst-performing page (score: 68, TTFB: 478ms), and has a functional test failure (T-015: UK postcode rejected). Changes in release/v2.4.0 introduced multiple issues simultaneously; prioritise a coordinated fix.
The Electronics category page has 34 images missing alt text (WCAG 1.1.1) and is also the second-worst performing page (score: 78). Implementing the image optimisation pipeline (WebP + lazy loading) provides an opportunity to add alt attributes simultaneously; one change addresses both issues.
The mobile homepage has a visual regression (header layout shift at 375px) correlated with the CTA button colour contrast violation. Both appear caused by the same CSS theme update that was not tested at mobile breakpoints.
Scanned 34 endpoints in 187s · 2 Critical · 3 High · 5 Medium · 8 Low
| Severity | CVSS | Finding | Endpoint | CWE |
|---|---|---|---|---|
| Critical | 9.8 | SQL Injection in product search: user input passed directly to SQL, full DB accessible | GET /api/v1/products/search | CWE-89 |
| Critical | 9.1 | Guessable password reset tokens: 6-digit timestamp-based tokens, brute-forced in 11 attempts | POST /api/v1/auth/reset-password | CWE-287 |
| High | 8.6 | SSRF via webhook URL (internal network access): AWS metadata endpoint accessible via webhook registration | POST /api/v1/webhooks | CWE-918 |
| High | 8.2 | Stored XSS in product reviews: script executes for all users viewing affected product | POST /api/v1/products/{id}/reviews | CWE-79 |
| High | 8.0 | Mass assignment (privilege escalation via registration): admin=true in registration payload creates admin accounts | POST /api/v1/auth/register | CWE-915 |
| Medium | 6.5 | No rate limiting on checkout | POST /api/v1/checkout | CWE-770 |
| Medium | 5.9 | Order enumeration via sequential IDs | GET /api/v1/orders/{order_id} | CWE-639 |
| Medium | 5.7 | Admin analytics accessible to standard users | GET /api/v1/admin/analytics/revenue | CWE-285 |
| Low | 4.3 | CORS wildcard on authenticated endpoints | GET /api/v1/profile | CWE-942 |
| Low | 3.7 | Missing security headers (CSP, HSTS, X-Frame-Options) | ALL endpoints | CWE-16 |
90.4% pass rate: 3 failures require immediate attention
Failed Tests
| ID | Category | Test Name | Status | Failure Details |
|---|---|---|---|---|
| T-014 | checkout_flow | Guest checkout completes without account creation | Failed | Expected: /order-confirmation; Actual: /checkout/step-2; TypeError: Cannot read properties of undefined (reading 'guestSession') at checkout.js:342 |
| T-015 | checkout_flow | International shipping: UK postcode format accepted | Failed | Expected: Valid; Actual: Error: Invalid postcode format; regex ^[0-9]{5}$ does not match non-US formats |
| T-036 | user_profile | Notification preferences save correctly | Failed | Email notification toggle reverted to ON after reload; PUT /api/v1/profile/notifications → 200; GET /api/v1/profile → stale value (cache issue) |
Compared 12 pages · 2 diffs detected · 10 no change · Threshold: 0.5%
Overall Score: 87% · 3 violations · 5 warnings · 61 checks passed
Overall Score: 82/100 · 5 pages tested · 2 below threshold