Phase 3 — Authenticated Web Testing
Date: 2026-04-26
Authenticated as: dmitry.makarichev@corezoid.com (user_id 65281, is_super_user: true)
HAR file: admin.corezoid.com.har (10 entries, 5 unique URLs)
Session status: LIVE — confirmed by /auth/me replay returning 200 with user profile
Session / cookie analysis
Auth uses session cookies, not bearer tokens. Three cookies involved:
- sid — likely Express.js session (s:-prefixed signed format) — not required for admin API auth
- mw — auth cookie, Domain=.corezoid.com (cross-subdomain), HttpOnly, Secure, no SameSite (Lax default)
- __Host_mw — same value as mw, Domain=.corezoid.com, SameSite=Strict

Key discovery: auth requires BOTH mw AND __Host_mw for POST endpoints, but some GET endpoints accept mw alone:

| Endpoint | mw alone | Both cookies |
|---|---|---|
| GET /auth/me | ✅ returns profile + superuser status | ✅ |
| GET /auth/me/state_changes | ✅ returns financial data | ✅ |
| GET /system/conf | ✅ returns full config | ✅ |
| GET /logout | ✅ logs out | ✅ |
| POST /auth/me | ❌ {"redirect":"/enter"} | ✅ |
| POST /api/2/json | ❌ {"proc":"error","description":"cookie or headers are not valid"} | ✅ |

Filed as CRZ-008 — Medium severity.
/api/2/json endpoint behavior
- Method enforcement: POST only (GET returns "Not allowed GET method, use POST")
- Content-Type enforcement: application/json required (text/plain gets "cookie or headers are not valid")
- Both auth cookies required
- Rejects negative obj_ids: "Value's limit is less than minimum allowed: 0"
- No type confusion: unknown obj types return "bad object"
IDOR tests — DEFENSE HOLDS
| Test | Result |
|---|---|
| List companies user belongs to | Returns full list (expected — CTO is member of several customer companies) |
| get company obj_id=<random_foreign_id> | "User has no rights" (consistent, no ID enumeration leak) |
| get company obj_id=<non-existent> | "User has no rights" (same error as above — no distinction) |
| list folder obj_id=<random> | "Object folder with id X does not exist" (distinct error — mild info leak on ID enum) |
| Superuser bypass on company-scope ops | "User has no rights" — superuser role does NOT bypass company-level privs |

The company/folder authorization is working correctly. No IDOR demonstrated.
Object-type enumeration (info-level)
The list endpoint leaks which obj names are valid via differential errors:
- company, folder, path_to_folder, conv — valid (return ok/does-not-exist)
- group, node — valid with different required params
- user, user_api, process, conv_version, script, task, call, state_change, webhook, trigger, priv, process_template — "bad object" (but may be accessible via different ops)
/system/conf exposed data
Authenticated GET returns:
- backend_settings.code_engine.js: 13.1.201.9 — JavaScript runtime version (Node 13.1 is EOL June 2020)
- backend_settings.code_engine.erl: 24 — Erlang/OTP 24 (released 2021, current 27)
- captcha.key — reCAPTCHA site key (public by design — not a leak)
- stripe.key: pk_live_rHVS21A6ssJRlwXdiptwGhwY — Stripe publishable key (public by design — not a leak)
- feedback_url with embedded 40-char hex token — Corezoid public webhook, token is supposed to be public for feedback form. Not a leak.
- workspace_whitelist — 27 internal workspace IDs disclosed to any authenticated user; enables enumeration of internal workspaces but only within this user's visibility
Cross-origin test
- Request with Origin: https://evil.attacker.com → processed and returned 200 with data (the server does not validate Origin for POST)
- Response has no Access-Control-Allow-Origin → browser blocks JS from reading the response (CORS SOP intact)
- Preflight OPTIONS returns 405 → pre-flighted requests are blocked
- Verdict: Classic cross-origin JSON requests from malicious sites are blocked by browser CORS enforcement. Server-side Origin validation would be defense-in-depth but the current setup is safe for browser attacks.
Simulator mw HAR — essentially empty
mw.simulator.company.har had only 1 entry, which was a www.google-analytics.com/g/collect call. No useful mw.simulator.company API traffic was captured. Simulator-side authenticated testing is not possible from the provided HAR.
Notes for next phases
- Phase 4 (API testing) should cover: openapi.corezoid.com spec retrieval, corezoid.com/api direct probes, mw.simulator.company unauthenticated recon, apigw path exploration
- Phase 8 (VPN / edge) should include: openssh banner on OTHER subdomains (corezoid-ma.dev showed OpenSSH 8.7, check git.corezoid.com and others)
- Consider: cookie-domain attack surface — since mw is Domain=.corezoid.com, any XSS found in any subdomain is a cookie-steal vector (though HttpOnly protects from JS access; server-side reflection is the risk)