AVT

Checking the framework and language used.

Checking for PE security features.

Config file reveals database credentials. Even though it's encrypted, it can be decrypted becuase the IV and key are visible.

Sensitive information stored in registry. Although only admins can read.

No code obfuscation in use.

Passwords stored in memory.

Used VCG to quickly scan code for other vulnerabilities.

No prepared statements in use. So can pull off the classic auth bypass.