Web App Red Team
Simulated Adversary Engagement
1. Executive Summary
Engagement Overview
Between March 1 and March 29, 2024, our security team conducted a comprehensive gray-box penetration test against the PlanMaestro ecosystem. The scope included the APEX AI SaaS platform, the Tools Platform (Next.js/FastAPI), the PDF Generator microservice, and the underlying API infrastructure.
The primary objective was to evaluate the resilience of the ecosystem's access controls, session management, and input validation mechanisms under strict gray-box conditions. We operated with the mindset of an authenticated adversary attempting vertical and horizontal privilege escalation.
Security Posture Assessment
The overall security posture of the PlanMaestro ecosystem is MATURING. The application demonstrates strong baseline security controls, including excellent Next.js security headers (A+ on Mozilla Observatory), solid password hashing implementations, and comprehensive HTTPS enforcement.
However, the assessment revealed significant gaps in Authorization (Access Control) and Session Management, leading directly to the highest severity findings. Specifically, the absence of resource-level authorization checks on certain API endpoints (IDOR vulnerabilities) presents the most immediate risk to data confidentiality and integrity.
Strategic Recommendations
- Implement Centralized Authorization: Move away from endpoint-specific permission checks and implement a centralized authorization matrix (e.g., using middleware or Guards in FastAPI/Next.js) that validates resource ownership on every request.
- Enhance Session Lifecycle Management: Implement absolute session timeouts and ensure all access tokens are invalidated upon logout or password changes to prevent session fixation and token replay attacks.
- Automate Security Scanning: Integrate dynamic application security testing (DAST) into the CI/CD pipeline to catch basic injection and misconfiguration issues prior to deployment.
2. Methodology & Attack Surface
Phased Approach
- 01. Reconnaissance: DNS enumeration, tech fingerprinting, and active spidering via Burp Suite.
- 02. Discovery: Fuzzing OAuth flows, JWT entropy analysis, and robust injection testing (SQLi, SSTI, XSS).
- 03. Exploitation: Chaining IDOR flaws to achieve Full Account Takeover (ATO) and leveraging Python for automated token manipulation.
- 04. Remediation: Drafting exact code-level patches (FastAPI dependency overrides and Next.js strict headers).
Custom Tooling Developed
- idor-scanner.py: Automated auth boundary enumerator
- recon-passive.py: Cert Transparency log scraper
- csp-analyzer.py: Strict header and CSP directive linter
3. Vulnerability Metrics
[FINDING-002] Insecure Direct Object Reference (IDOR) on User API
CVSS 3.1: 9.1 • CWE-639 • OWASP A01:2021
Impact: Allowed any authenticated user to modify the profile data and system roles of any other user—including administrators—by altering the UUID parameter in PUT requests.
Fix: Implemented a FastAPI Depends middleware to explicitly check resource ownership against the JWT sub claim before database commits.
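The ownership check described in this fix, written as an added example (not code from the engagement or the PlanMaestro codebase): it verifies an HS256 JWT with the standard library only and rejects any request whose path UUID differs from the token's sub claim. The HS256 algorithm, the key, and every function name here are assumptions; in FastAPI, require_owner would be called from a Depends dependency on the PUT route.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed value; load the real key from a secret store

class Unauthorized(Exception):
    """Token missing, malformed, forged or expired (HTTP 401)."""

class Forbidden(Exception):
    """Token is valid but its subject does not own the resource (HTTP 403)."""

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_token(token: str, key: bytes = SECRET) -> dict:
    """Return the claims only if alg is pinned, the signature matches and exp is in the future."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never trust the token's own alg choice
            raise Unauthorized("unexpected alg")
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise Unauthorized("bad signature")
        claims = json.loads(b64url_decode(body_b64))
        if claims.get("exp", 0) <= time.time():  # a missing exp counts as expired
            raise Unauthorized("expired")
    except (ValueError, TypeError, AttributeError) as exc:
        raise Unauthorized("malformed token") from exc
    return claims

def require_owner(token: str, target_user_id: str) -> dict:
    """Ownership gate: the UUID in the request path must equal the verified sub claim."""
    claims = verify_token(token)
    if claims.get("sub") != target_user_id:
        raise Forbidden("token subject does not own this resource")
    return claims
```

The gate runs before the handler touches the database, so a request carrying another user's UUID fails with 403 without any write being attempted.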
[FINDING-005] Server-Side Template Injection (SSTI)
CVSS 3.1: 10.0 • CWE-1336 • OWASP A03:2021
Impact: The PDF Generator microservice passed unfiltered user input directly to the Handlebars compilation engine, enabling Remote Code Execution (RCE) on the Docker container via Node.js global objects.
Fix: Disabled strict allowedProtoMethods in the Handlebars compiler and sandboxed template execution inside an isolated vm2 context.
[FINDING-001] CSRF Token Validation Bypass
CVSS 3.1: 8.1 • CWE-352 • OWASP A01:2021
Impact: Allowed malicious third-party sites to force authenticated users into unwanted actions (like changing their recovery email) by sending requests that omitted the CSRF token header completely.
Fix: Enforced strict presence-checks for CSRF tokens prior to validation within the API gateway.
[FINDING-003] Stored Cross-Site Scripting (XSS) in Comment Threads
CVSS 3.1: 8.0 • CWE-79 • OWASP A03:2021
Impact: Allowed execution of arbitrary JavaScript in the browsers of victim users who viewed collaborative workspace comments, leading to potential session hijacking.
Fix: Implemented strict HTML entity encoding on output rendering using DOMPurify in the React frontend components.
[FINDING-004] Session Fixation during OAuth Login Flow
CVSS 3.1: 6.8 • CWE-384 • OWASP A07:2021
Impact: The application did not issue a new session identifier upon successful authentication. An attacker who could force a victim to use a known session ID could subsequently hijack their session post-login.
Fix: Requires refactoring of the NextAuth session lifecycle implementation to forcefully rotate the session token upon every successful OAuth callback.
100% Critical Vulnerabilities Remediated
The engineering team resolved all high-severity findings within a two-week SLA. Automated regression testing was introduced in the CI pipeline to prevent future regressions.