Technical Report

Engagement date: 2026-04-26 Tester: Claude (Anthropic CVP-cleared, org d84d7b3e-f4d3-4348-b869-8c53d79af18d) Authorization: Letter from Anthropic dated before 2026-04-26; CTO self-authorization on 2026-04-26 Mode: Conservative — 10 req/s, non-intrusive templates, no DoS / brute, PoC depth capped at version disclosure for critical RCE CVEs

Table of contents

  1. Scope and methodology
  2. Tooling
  3. Reconnaissance — Phases 1 & 2
  4. Authenticated web — Phase 3
  5. API testing — Phase 4
  6. Vulnerability scanning — Phase 5
  7. Source code audit — Phase 6
  8. IaC review — Phase 7
  9. Edge infrastructure — Phase 8
  10. Findings catalog
  11. Defenses confirmed working
  12. Out-of-scope observations

Scope and methodology

In-scope targets (per engagement letter)

Web / API:

Source code (github.com/corezoid/*):

Rules of engagement (as executed)

Methodology

Mapped to PTES + OWASP WSTG 4.2 + OWASP API Security Top 10 (2023). Work proceeded in 9 phases, each producing a summary document in notes/ or recon/:

  1. Passive reconnaissance (subdomain enum, cert transparency) — complete
  2. Active reconnaissance (httpx probing, nmap, cert SAN harvest, content discovery) — complete
  3. Authenticated web app testing (HAR replay, session analysis) — complete
  4. API testing (/api/2/json endpoint enumeration, CSRF, IDOR) — complete
  5. Nuclei templated scan — background, still running at report time
  6. Source code audit (10 repos, trufflehog + gitleaks + semgrep) — complete
  7. IaC review (Checkov on Helm) — complete
  8. Edge infrastructure (VPN, SSH, Kubernetes API) — complete
  9. Consolidated reporting (this document) — complete

Tooling

Tool Version Purpose
subfinder 2.x Passive subdomain enumeration
amass 5.1.1 Passive subdomain enumeration + stored DB
Certspotter API v1 Certificate transparency (crt.sh was 502 during engagement)
httpx (projectdiscovery) 1.9.0 HTTP probing + tech fingerprint + JARM
nmap 7.95 TCP port scans, service version, script scan
nuclei 3.8.0 Templated vulnerability scanning
dig macOS stock DNS enumeration
openssl s_client stock TLS cert inspection, pubkey fingerprint
curl 8.7.1 HTTP request replay, content discovery
trufflehog 3.x Secret scanning (filesystem + git history)
gitleaks 8.30.1 Secret scanning (filesystem + git history, deep)
semgrep 1.157.0 SAST — p/owasp-top-ten, p/security-audit, p/secrets
checkov 3.2.524 IaC SAST on Helm charts (377 failed checks found)

Reconnaissance — Phases 1 & 2

Subdomain enumeration

Final count: 76 unique subdomains (56 under corezoid.com, 19 under simulator.company, plus the engagement-listed superadmin.corezoid.com which resolves to NXDOMAIN).

Full list: recon/subdomains.md.

Highlights of discovered subdomains that weren't in the engagement letter:

DNS resolution patterns

Live-host fingerprint

28 HTTP-alive hosts out of 76 enumerated. Tech stack by host:

Host Tech Notable
corezoid.com, www.corezoid.com, new.corezoid.com, api.corezoid.com, pre.corezoid.com Gatsby 2.13.65, React, Webpack, nginx Marketing Gatsby — old version (2.x is EOL, current is 5.x)
admin.corezoid.com nginx, SPA, Google Tag Manager Primary admin UI
account.corezoid.com Account / SSO
openapi.corezoid.com Redoc Static OpenAPI spec renderer
simulator.company Next.js, React Marketing (Next)
doc.simulator.company S3, CloudFront REST API docs
book.corezoid.com S3 static Static brochure
market.corezoid.com React, S3, nginx Marketplace
widget.simulator.company Default nginx welcome Misconfig — CRZ-003
vpn.corezoid.com OpenVPN-AS Version disclosure — CRZ-005
jira.corezoid.com Atlassian Jira 7.12.3 (2018) EOL — CRZ-006 Critical
confluence-ferma.corezoid.com — (503) Offline
track.pre.corezoid.com kube-apiserver Public EKS API — CRZ-002 High
doc.corezoid.com ESF (Google Docs) Redirects to Google Doc — CRZ-004
corezoid-ma.dev.corezoid.com nginx + SSH 8.7 CRZ-007 High

Nmap P0 scan results

Scanned 7 priority-zero hosts (-Pn -sT -T2 --top-ports 1000 -sV --script 'default and not intrusive'):

track.pre.corezoid.com (63.32.68.104)       — 443/tcp open tcpwrapped
vpn.corezoid.com (34.250.252.21)            — 80/tcp, 443/tcp open; 8888/tcp closed
jira.corezoid.com (54.246.145.93)           — 80/tcp, 443/tcp open
admin-oleg.dev.corezoid.com (34.249.23.157) — all 1000 ports filtered
confluence-ferma.corezoid.com (52.213.81.156) — 80/tcp, 443/tcp open
admin-pre.corezoid.com (10.50.10.202)       — unreachable (RFC1918)
corezoid-ma.dev.corezoid.com (84.8.218.23)  — 22/tcp, 80/tcp, 443/tcp open

Targeted Jira Ehcache RMI port scan (40001, 40011, 40021, 40031, 40051, 40061, 40071) — all filtered → CVE-2020-36239 not directly exploitable.

Authenticated web — Phase 3

Session replay using provided admin.corezoid.com.har + cookies.

Two auth cookies set by admin.corezoid.com:

Set-Cookie: mw=<value>; Domain=.corezoid.com; Path=/; HttpOnly; Secure    (NO SameSite)
Set-Cookie: __Host_mw=<value>; Domain=.corezoid.com; Path=/; HttpOnly; Secure; SameSite=Strict

Note: __Host_mw uses an underscore instead of hyphen — browsers treat it as a regular cookie, not a __Host- prefixed one. Also, having Domain=.corezoid.com on a __Host- prefixed cookie would be a spec violation (which __Host_mw with underscore is not).

Cookie-minimal auth tests:

Cookie(s) Endpoint Result
mw only GET /auth/me ✅ returns profile + superuser status
mw only GET /auth/me/state_changes ✅ returns {"total_income":0,"total_balance":-12000000}
mw only GET /system/conf ✅ returns full config including widget URLs
mw only GET /logout ✅ state-changing!
mw only POST /auth/me {"redirect":"/enter"}
mw only POST /api/2/json "cookie or headers are not valid"
__Host_mw only any ❌ rejected
Both any

Implication: mw cookie has no SameSite → defaults to Lax → sent on top-level cross-site GETs. Since GET endpoints accept mw alone, a cross-site page can:

Filed as CRZ-008 (Medium).

CORS / cross-origin behavior on /api/2/json

Verdict: Safe for browser attacks; non-browser clients (with stolen cookies) have no Origin check.

/api/2/json behavior

/system/conf data

Authenticated dump of /system/conf reveals:

API testing — Phase 4

Enumerated /api/2/json object types via list/get ops (see Phase 3). Key findings:

Super-user vs company-admin distinction: Even with is_super_user: true, operations against foreign companies returned "User has no rights". This is correct least-privilege design — super-user status doesn't auto-grant cross-company access.

openapi.corezoid.com

Static Redoc-rendered OpenAPI spec renderer. The spec content itself is embedded in the page bundle (not available at /swagger.json — which returns a SPA catch-all 200 with index.html). Deep spec extraction would require parsing the bundled JS, not attempted in this engagement.

SPA catch-all routing observation

Multiple SPA-backed hosts return 200 OK with index.html for every path (including /.env, /.git/config, /actuator/env, /swagger.json, /.DS_Store). This is NOT a leaked file — it's the SPA fallback routing. But it's a minor security misconfig:

Should return 404 for clearly-invalid paths (static files like .env, .git/*) while still serving SPA for legitimate routes.

mw.simulator.company

Provided HAR contained only a single Google Analytics call. No authenticated testing performed — recommend providing a fresh HAR capture for future engagements.

Vulnerability scanning — Phase 5

Nuclei conservative scan against 27 live hosts completed with zero medium+ findings. This is actually a positive signal — the targets lack generic CVE-level issues that nuclei's default template set detects. Issues on this infrastructure are concentrated in:

Targeted CVE checks already performed:

Also performed (added post-initial report):

Source code audit — Phase 6

10 repos cloned into repos-src/. See repos/source-audit-summary.md for full writeup.

Repository visibility

Visibility Repos
PUBLIC helm, apigw, dbcall, gitcall, account, corezoid_ansible_roles, corezoid-ai-doc
Private terraform, observability, gitcall-livekit-agent

Observation: The "service" repos on GitHub (account, apigw, dbcall, gitcall) are actually Helm-chart-only repos. Actual service source code is elsewhere (likely git.corezoid.com). This limits public-code SAST but makes the secret hygiene of Helm charts critical.

Secret scanning results (trufflehog + gitleaks)

Repo Filesystem findings Git-history findings Outcome
helm (public) 4 26 CRZ-009
corezoid_ansible_roles (public) 8 15 CRZ-009
terraform (private) 0 fs / 8 current 8 CRZ-009 (lower blast radius)
corezoid-ai-doc (public) 18 Mostly docs/placeholders, manual review needed
observability (private) 1 Low-value placeholder
account, apigw, dbcall, gitcall, gitcall-livekit-agent 0 Clean

Key leaks (filed as CRZ-009):

Live-key validation of TLS key:

Semgrep SAST

Semgrep scan with p/owasp-top-ten + p/security-audit + p/secrets across 5 service-named repos yielded 2 findings total:

  1. account/charts/account-frontend/templates/configmap.yaml:64$host in nginx access_log format. False positive — using $host in logs is normal, not a routing decision.
  2. gitcall-livekit-agent/Dockerfile:20 — missing USER directive; container runs as root by default. Real low-severity hardening rec (noted in audit summary, not separately filed).

IaC review — Phase 7

Checkov scan on repos-src/helm (Helm umbrella chart):

Top 10 most-common failures:

  1. 75× CKV_K8S_21 — default namespace used
  2. 19× CKV_K8S_40 — low-UID containers
  3. 19× CKV_K8S_38 — service-account token mounted unnecessarily
  4. 19× CKV_K8S_43 — images pulled by tag, not digest
  5. 18× CKV_K8S_37 — capabilities assigned to containers
  6. 18× CKV_K8S_31 — seccomp not set
  7. 18× CKV_K8S_20allowPrivilegeEscalation: true
  8. 18× CKV_K8S_22 — writable root filesystem
  9. 18× CKV_K8S_28NET_RAW capability allowed
  10. 17× CKV_K8S_29 — no pod-level securityContext

Remediation plan in action-plan.md P2.1.

Edge infrastructure — Phase 8

See notes/phase8-edge.md. Summary:

Findings catalog

See findings/INDEX.md for the master list with links to full writeups.

ID Severity Title Asset
CRZ-006 🔴 Critical Jira Server 7.12.3 (2018 EOL) — multiple unauth RCE CVEs jira.corezoid.com
CRZ-009 🔴 High (Critical-adjacent) 41+ secrets in public GitHub repos corezoid/helm, corezoid_ansible_roles
CRZ-002 🟠 High Public Kubernetes API server (EKS pre-prod) track.pre.corezoid.com
CRZ-007 🟠 High (conditional) OpenSSH 8.7 public, vulnerable to regreSSHion corezoid-ma.dev.corezoid.com:22
CRZ-008 🟡 Medium Auth cookie without SameSite; GET endpoints accept mw alone admin.corezoid.com
CRZ-010 🟡 Medium Systemic Kubernetes hardening gaps (377 checkov failures) corezoid/helm charts
CRZ-011 🟡 Medium Weak TLS (TLSv1.1, 3DES Sweet32, non-PFS ciphers) vpn.corezoid.com
CRZ-012 🟡 Medium Public API uses SHA-1 (non-HMAC) for request signing api.corezoid.com + all /api/2/*
CRZ-015 🟡 Medium Widget shim postMessage accepts messages via user-controlled appName (origin check bypass) widget.simulator.company/shim.js
CRZ-013 🔵 Low-Med Workflow CRUD destructive ops w/o confirmation/audit/MFA admin.corezoid.com/api/2/json
CRZ-003 🔵 Low Default nginx welcome on production ALB widget.simulator.company
CRZ-001 🔵 Low RFC1918 IPs in public DNS admin-pre.corezoid.com
CRZ-004 ⚪ Info Prod docs as publicly-shareable Google Doc doc.corezoid.com
CRZ-005 ⚪ Info OpenVPN-AS version disclosure vpn.corezoid.com
CRZ-014 ⚪ Info Super-user grants cross-tenant workspace CRUD (authz granularity) admin.corezoid.com/api/2/json

Defenses confirmed working

Things that were tested and are correctly configured — mentioned so they aren't lost in remediation noise:

  1. CORS / SOP on admin API — cross-origin requests from malicious sites blocked by browser SOP; preflight returns 405
  2. IDOR defense on /api/2/json — consistent error for valid-but-foreign and invalid IDs; no enumeration leak
  3. Super-user != company-adminis_super_user: true does NOT bypass company-level authorization (least-privilege design)
  4. HSTS with includeSubDomains on all primary hosts
  5. CSP defined on admin.corezoid.com with specific allow-lists (has 'unsafe-inline' 'unsafe-eval' — real but lower-priority hardening)
  6. x-frame-options: SAMEORIGIN, x-content-type-options: nosniff, x-xss-protection: 1; mode=block
  7. HTTPS redirect + TLS 1.3 on all primary hosts
  8. Jira ContactAdmin form disabled — mitigates the most dangerous CVE-2019-11581 anonymous vector
  9. Jira Ehcache RMI ports filtered — mitigates CVE-2020-36239
  10. Jira issue/project data anonymous-access-denied — anonymous users see 0 projects/issues
  11. OpenVPN-AS admin port 8888 closed — no public admin interface
  12. ACM wildcard TLS certs on primary hosts (rotation-friendly)
  13. admin-oleg.dev.corezoid.com — all 1000 top ports filtered (not publicly reachable despite the DNS entry)
  14. Stripe, reCAPTCHA keys in /system/conf are public-by-design — not credential leaks despite looking like them
  15. Session cookies have HttpOnly; Secure correctly set (preventing JS access, HTTPS-only transmission)
  16. superadmin.corezoid.com doesn't exist (NXDOMAIN) — no super-admin surface accessible at all
  17. Content-Security-Policy frame-ancestors 'self' — prevents clickjacking
  18. permissions-policy: geolocation=(), camera=() — correctly restricts sensitive browser APIs
  19. EKS private subnet ALBs — the internal-* ELB pattern shows correct network segregation even if DNS leaks internal IPs
  20. Checkov: 1387 passing checks — substantial baseline hardening exists; the 377 failures are gaps, not complete absence

Out-of-scope observations

Things noticed but NOT pursued (not in scope, or RoE limits):

Next steps

  1. Remediate P0 findings within 24 hours (CRZ-006, CRZ-009)
  2. Complete P1 within 7 days (CRZ-002, CRZ-007, CRZ-008)
  3. Re-test specific fixes — happy to run a focused re-scan after remediation to confirm
  4. Commission a deeper follow-up engagement with internal source-code access (git.corezoid.com) and fresh authenticated HAR captures for simulator.company — the current engagement was limited by what was visible externally + in public GitHub repos