🔥 Vulnerable IAM Implementation

1. Insecure Login

This login form uses hard-coded credentials, lacks MFA, and generates a predictable session token.

Username Password Login

2. Insecure RBAC & Provisioning

This system assigns roles without validation and never removes old roles — causing privilege creep and orphaned access.

Assign Role (No Validation) Assign Role

Current Roles (Unvalidated + Persistent)

3. Insecure Audit Log

The audit log has: - No timestamps - No user verification - No integrity - Spoofable entries

Add Log Entry (No controls) Add Log Entry

Audit Log (Vulnerable)