2022 DormMom Security Engineering

Scope: Python Test Automation & High-Impact Security Vulnerability Discovery

Summary: I was initially brought in by DormMom to build comprehensive Selenium-based test units for their CI/CD pipeline. This testing suite focused on validating role-specific functionality across multiple user types, including end users, managers, and franchise owners.

My relationship with the client expanded after I proactively identified and reported a critical bug during testing—leading to a formal security testing engagement that uncovered multiple high-severity vulnerabilities.


Tasks:

  • Design and implement automated UI test coverage for key features
  • Ensure stable, role-aware test logic for Franchise, Manager, and User workflows
  • Proactively identify bugs or gaps in the frontend/backend interface
  • Scope and execute a targeted security assessment of the user portal
  • Report vulnerabilities with technical recommendations

Actions:

  • Wrote dozens of Python Selenium test units, validated across multiple roles and edge cases
  • Delivered automated coverage for onboarding flows, franchise management, and user profile handling
  • Identified a serious bug in the user profile logic and initiated the security testing scope
  • Manually tested frontend inputs and network behavior to uncover IDOR logic flaws
  • Documented and disclosed vulnerabilities with annotated screenshots and impact analysis
  • Delivered practical, low-friction security recommendations aligned with DormMom’s architecture

Through manual security testing and code behavior analysis, I uncovered two Broken Access Control vulnerabilities (IDOR) with significant impact:

  1. Full Account Takeover via Hidden Input Tampering
    • A hidden form field containing the user ID could be manipulated to modify the email of any account.
    • This allowed an attacker to trigger a password reset and gain full access to victim accounts.
    • OWASP Category: Broken Access Control → Insecure Direct Object Reference (IDOR)
  2. Lateral User Data Manipulation via ID-based Input/OnClick Handlers
    • Multiple frontend features improperly exposed database user IDs via onclick handlers and input value fields.
    • This allowed users to update or overwrite data associated with other users of similar privilege (agents, clients).
    • Affected features included phone number updates, special instructions, and widget configuration.

Results:

  • The owner commended my test coverage and code quality, and welcomed the security audit findings
  • Both vulnerabilities were acknowledged and prioritized for remediation
  • I provided a secure session-based handling recommendation, helping DormMom move toward proper role isolation and access control

This engagement showcases my ability to move fluidly between automated QA, security testing, and secure coding consultation—delivering tangible value and trust across the software development lifecycle.
