How Korrosiv.AI Reverse-Engineered a Government Agency to Find a Critical IDOR
Why the next critical vulnerability won't be found by a human pentester under time pressure - and how Korrosiv.AI reverse-engineered JavaScript bundles to prove it.
The Setup
Korrosiv.AI was scoped against two routes on a government web application - both related to MFA security question management. The platform was a typical modern stack: React SPA frontend, microservice APIs behind it.
The routes were client-side only. No backend endpoints answered. A scanner would have flagged two 404s and moved on. Korrosiv.AI recognised the React SPA pattern and asked a different question: if these routes exist in the frontend, where does the actual MFA logic live?
Phase 1: Reverse-Engineering the JavaScript
Korrosiv.AI downloaded the application's main JavaScript bundle and began parsing it. It identified the API dispatch function used across the application, the service name mapping that resolved to backend base URLs, and all API endpoints compiled into the main bundle.
But the MFA security question endpoints weren't in the main bundle. They were in lazy-loaded webpack chunks - separate JavaScript files only fetched when a user navigated to specific routes.
Korrosiv.AI traced the React component tree, identified which chunks contained the security question components, resolved the chunk hashes from the webpack manifest, fetched the chunk files, and extracted the actual API endpoints - including MFA configuration and security question submission routes.
It then extracted all service base URLs from the main bundle, giving it full absolute API paths to test against.
Phase 2: Testing and Pivoting
Korrosiv.AI tested the MFA configuration endpoints. They were properly protected - a session-level check rejected unauthenticated requests with a clear error message. IDOR attempts with user ID parameters, path manipulation, and body injection all failed.
Most human pentesters would have stopped here. All endpoints returned appropriate error codes. No obvious vulnerabilities. Time to move to the next target in scope.
But Korrosiv.AI didn't stop. It pivoted.
Phase 3: The Password Reset Flow
Korrosiv.AI shifted its attention to the password reset flow - a different feature that also involved security questions. It fetched another lazy-loaded chunk (the recover-access component) and found a different endpoint - one that sat in the password reset flow rather than the MFA configuration flow.
This endpoint accepted a username query parameter instead of relying on a session cookie. And crucially - it had no authentication check at all.
Korrosiv.AI tested it without any cookies:
{
"factorType": "SECURITY_QUESTION",
"questionAndAnswers": [
{
"securityQuestion": { "question": "What was the name of your first pet?" },
"secretAnswer": { "answer": "████████" }
},
{
"securityQuestion": { "question": "What is the name of the street you grew up on?" },
"secretAnswer": { "answer": "████████" }
},
{
"securityQuestion": { "question": "What is your mother's maiden name?" },
"secretAnswer": { "answer": "████████" }
}
]
}Any user's security questions and plaintext answers, returned to anyone who knew their email address. A critical IDOR enabling full MFA bypass and account takeover.
The Kill Chain
The full attack path, from dead endpoints to critical account takeover:
Assigned MFA endpoints return 404 - they're client-side routes, not backend APIs
Identify the React SPA pattern and pivot to JavaScript analysis
Parse the main JS bundle, trace lazy-loaded webpack chunks, extract hidden API endpoints
MFA configuration endpoints properly protected - session-level auth blocks all IDOR attempts
Shift to the password reset flow - a different feature using the same underlying data
Unauthenticated endpoint returns any user's security questions and plaintext answers - full MFA bypass
Total time from first request to confirmed critical finding: approximately 12 minutes across 94 turns of autonomous analysis.
What Makes This an AI-Native Finding
This vulnerability required a chain of reasoning that human pentesters rarely have the time to pursue:
- Architectural understanding. Recognising a React SPA and knowing that client-side routes don't correspond to backend endpoints.
- JavaScript analysis. Parsing webpack bundles, tracing lazy-loaded chunks, resolving chunk hashes, and extracting API endpoints across multiple files.
- Contextual reasoning. Understanding that the MFA configuration flow and the password reset flow might use similar but differently protected endpoints.
- Strategic pivoting. When the MFA endpoints were properly secured, shifting to a related feature that shared the same underlying data.
- Persistence. 94 turns of analysis, not a single-pass scan. Korrosiv.AI kept pulling threads until it found the gap.
A human pentester under typical engagement time pressure would be unlikely to make the connection between a webpack chunk, a lazy-loaded component, and a password reset flow that shared data with a different authentication feature. They would have tested the assigned endpoints, logged the 404, and moved on to other targets. The vulnerability would have remained undiscovered.
This finding was discovered by Korrosiv.AI during development testing and responsibly disclosed to the vendor. Read our other case study or view our full track record.