{
  "_comment": "QualityMax Security Scan Results - Demo output showing what would be detected",
  "scan_id": "scan_demo_invoiceai_001",
  "target_url": "https://invoiceai-fake.demo",
  "scan_started": "2024-12-15T10:00:00Z",
  "scan_completed": "2024-12-15T10:00:45Z",
  "scan_duration_seconds": 45,
  "pages_crawled": 3,
  "js_files_analyzed": 3,
  "api_endpoints_discovered": 4,
  "summary": {
    "critical": 6,
    "high": 8,
    "medium": 5,
    "low": 3,
    "info": 2,
    "total_findings": 24,
    "estimated_risk_exposure": "$2,400,000+",
    "security_score": "F (12/100)",
    "auto_generated_tests": 34,
    "auto_generated_scripts": 12
  },
  "findings": [
    {
      "id": "FIND-001",
      "severity": "CRITICAL",
      "category": "Secret Exposure",
      "title": "Stripe SECRET key exposed in client-side JavaScript",
      "description": "The Stripe secret key (sk_live_*) is hardcoded in window.INVOICEAI_CONFIG in index.html and in js/config.js. This key provides full access to payment processing including creating charges, refunds, and transfers.",
      "location": "index.html:10, js/config.js:12",
      "pattern_matched": "sk_live_[a-zA-Z0-9]{24,}",
      "impact": "Attackers can create arbitrary charges on customer payment methods, issue refunds to their own accounts, or exfiltrate all payment data.",
      "estimated_cost": "$170,000+ (based on customer count and chargeback fees)",
      "fix": "Move the Stripe secret key to server-side environment variables and revoke/rotate the exposed key, since removing it from the client does not undo the exposure. Use only the publishable key (pk_live_*) on the frontend. All Stripe API calls with the secret key must happen server-side.",
      "owasp": "A07:2021 - Identification and Authentication Failures",
      "cwe": "CWE-798: Use of Hard-coded Credentials"
    },
    {
      "id": "FIND-002",
      "severity": "CRITICAL",
      "title": "Supabase service_role key in client bundle",
      "category": "Secret Exposure",
      "description": "The Supabase service_role key is exposed in both index.html and js/config.js. This key bypasses all Row Level Security (RLS) policies, giving full read/write/delete access to the entire database.",
      "location": "index.html:13, js/config.js:30",
      "pattern_matched": "eyJ[a-zA-Z0-9_-]+\\.eyJ[a-zA-Z0-9_-]+.*service_role",
      "impact": "Complete database compromise. Attacker can read all user records, modify data, delete tables, and create admin accounts.",
      "estimated_cost": "$340,000+ (GDPR fines for 340 EU user records)",
      "fix": "Never expose the service_role key to the client, and rotate the exposed key, since removing it from the bundle does not undo the exposure. Use only the anon (public) key on the frontend. Implement proper RLS policies in Supabase.",
      "owasp": "A01:2021 - Broken Access Control",
      "cwe": "CWE-798: Use of Hard-coded Credentials"
    },
    {
      "id": "FIND-003",
      "severity": "CRITICAL",
      "title": "OpenAI API key with no spending limits exposed",
      "category": "Secret Exposure",
      "description": "An OpenAI API key (sk-proj-*) is hardcoded in client JavaScript with no apparent spending limits configured on the OpenAI account.",
      "location": "index.html:15, js/config.js:40",
      "pattern_matched": "sk-proj-[a-zA-Z0-9]{20,}",
      "impact": "Attackers can use the key to make unlimited API calls, run a proxy service, or accumulate massive bills. Reported cases exceed $89,000 in charges.",
      "estimated_cost": "$89,000+ (based on GPT-4 proxy resale incidents)",
      "fix": "Remove the API key from frontend code and rotate the exposed key. Proxy all AI requests through your backend. Set spending limits on your OpenAI account. Implement usage monitoring.",
      "owasp": "A07:2021 - Identification and Authentication Failures",
      "cwe": "CWE-798: Use of Hard-coded Credentials"
    },
    {
      "id": "FIND-004",
      "severity": "CRITICAL",
      "title": "Database connection string with plaintext password in client code",
      "category": "Secret Exposure",
      "description": "Full PostgreSQL connection string including username and password found in client-side JavaScript: postgresql://invoiceai_admin:SuperSecretP@ss2024!@...",
      "location": "index.html:17, js/config.js:25, admin.html:6",
      "pattern_matched": "postgresql://[^:]+:[^@]+@",
      "impact": "Direct database access. Attacker can connect to production database, exfiltrate all data, modify records, or drop tables.",
      "estimated_cost": "$200,000+ (data breach, rebuild, regulatory penalties)",
      "fix": "Database connection strings must NEVER appear in client code. Store them in server-side environment variables only, and change the exposed database password.",
      "owasp": "A07:2021 - Identification and Authentication Failures",
      "cwe": "CWE-798: Use of Hard-coded Credentials"
    },
    {
      "id": "FIND-005",
      "severity": "CRITICAL",
      "title": "AWS credentials exposed in frontend",
      "category": "Secret Exposure",
      "description": "AWS access key ID (AKIA*) and secret access key found in js/config.js, granting access to S3 bucket 'invoiceai-user-uploads-prod'.",
      "location": "js/config.js:52-54, index.html:21-22",
      "pattern_matched": "AKIA[A-Z0-9]{16}",
      "impact": "S3 bucket access for file exfiltration. Potential lateral movement to other AWS services. Crypto-mining on the account.",
      "estimated_cost": "$50,000+ (data breach + AWS abuse charges)",
      "fix": "Remove AWS credentials from client code and deactivate/rotate the exposed access key. Use pre-signed URLs generated server-side for file uploads/downloads.",
      "owasp": "A07:2021 - Identification and Authentication Failures",
      "cwe": "CWE-798: Use of Hard-coded Credentials"
    },
    {
      "id": "FIND-006",
      "severity": "CRITICAL",
      "title": "JWT signing secret exposed in client JavaScript",
      "category": "Secret Exposure",
      "description": "The JWT secret used for signing authentication tokens is exposed in js/config.js. Attackers can forge valid authentication tokens for any user, including admin accounts.",
      "location": "js/config.js:60",
      "pattern_matched": "jwt.*secret.*=.*['\"][^'\"]{20,}",
      "impact": "Complete authentication bypass. Attacker can impersonate any user, escalate to admin, or create ghost admin accounts.",
      "estimated_cost": "Included in total breach cost",
      "fix": "JWT secrets must be server-side only; rotate the exposed secret so that tokens already forged with it no longer verify. Use RS256 (asymmetric) instead of HS256 (symmetric) for JWT signing.",
      "owasp": "A02:2021 - Cryptographic Failures",
      "cwe": "CWE-321: Use of Hard-coded Cryptographic Key"
    },
    {
      "id": "FIND-007",
      "severity": "HIGH",
      "title": "Admin panel accessible without authentication",
      "category": "Broken Access Control",
      "description": "The admin panel at /admin.html is directly accessible with no authentication check. It exposes the full user database, system configuration, API keys, and audit logs.",
      "location": "admin.html (entire page)",
      "impact": "Any visitor can view all user PII and system secrets, and perform admin actions (export data, purge database).",
      "fix": "Implement server-side authentication middleware. Admin routes should require verified admin role. Never serve admin pages as static HTML.",
      "owasp": "A01:2021 - Broken Access Control",
      "cwe": "CWE-306: Missing Authentication for Critical Function"
    },
    {
      "id": "FIND-008",
      "severity": "HIGH",
      "title": "User PII exposed in HTML DOM (admin panel)",
      "category": "Data Exposure",
      "description": "Full user records including names, emails, phone numbers, partial SSN, and partial card numbers are rendered directly in the admin.html DOM. This data is accessible via View Source, DevTools, or web scraping.",
      "location": "admin.html:68-140",
      "impact": "PII breach for all users. Triggers GDPR, CCPA, and other data protection violation notifications.",
      "fix": "Load sensitive data via authenticated API calls. Never render PII directly into static or server-rendered HTML. Implement column-level access controls.",
      "owasp": "A01:2021 - Broken Access Control",
      "cwe": "CWE-200: Exposure of Sensitive Information"
    },
    {
      "id": "FIND-009",
      "severity": "HIGH",
      "title": "Unprotected user data API endpoint",
      "category": "Broken Access Control",
      "description": "The endpoint /api/users.json returns all user records (340 users) with full PII including emails, phones, addresses, Stripe customer IDs, and partial SSN — with no authentication required.",
      "location": "api/users.json",
      "impact": "Mass data exfiltration. A single GET request retrieves the entire customer database.",
      "fix": "Implement authentication on all API endpoints. Add pagination with server-side limits. Remove sensitive fields from responses. Apply principle of least privilege.",
      "owasp": "A01:2021 - Broken Access Control",
      "cwe": "CWE-862: Missing Authorization"
    },
    {
      "id": "FIND-010",
      "severity": "HIGH",
      "title": "Internal configuration exposed via API endpoint",
      "category": "Data Exposure",
      "description": "The endpoint /api/config.json exposes full system configuration including database credentials, API keys, JWT secrets, and security settings — with no authentication.",
      "location": "api/config.json",
      "impact": "Complete infrastructure compromise. Provides attacker with every credential needed for full access.",
      "fix": "Remove config endpoint entirely. If needed for health checks, expose only non-sensitive status information behind authentication.",
      "owasp": "A05:2021 - Security Misconfiguration",
      "cwe": "CWE-200: Exposure of Sensitive Information"
    },
    {
      "id": "FIND-011",
      "severity": "HIGH",
      "title": "Health endpoint leaks infrastructure details",
      "category": "Information Disclosure",
      "description": "The /api/health.json endpoint exposes internal hostnames, IP addresses, database hosts, server provider, memory/CPU specs, and git commit hashes.",
      "location": "api/health.json",
      "impact": "Reconnaissance data for targeted attacks. Internal network topology and server details exposed.",
      "fix": "Health endpoints should return only status (healthy/unhealthy). Move detailed diagnostics behind admin authentication.",
      "owasp": "A05:2021 - Security Misconfiguration",
      "cwe": "CWE-200: Exposure of Sensitive Information"
    },
    {
      "id": "FIND-012",
      "severity": "HIGH",
      "title": "No Content-Security-Policy header",
      "category": "Security Headers",
      "description": "No CSP header or meta tag found. The application loads third-party scripts without integrity checks (e.g., cdn.example-analytics.com/tracker.js).",
      "location": "index.html (missing header)",
      "impact": "XSS attacks can execute arbitrary JavaScript. Third-party script compromise leads to supply chain attacks.",
      "fix": "Add strict Content-Security-Policy header. Use SRI (Subresource Integrity) for all external scripts. Restrict script-src to known origins.",
      "owasp": "A05:2021 - Security Misconfiguration",
      "cwe": "CWE-693: Protection Mechanism Failure"
    },
    {
      "id": "FIND-013",
      "severity": "HIGH",
      "title": "XSS vulnerability in search input",
      "category": "Cross-Site Scripting",
      "description": "The invoice search function reflects user input directly into innerHTML without sanitization: 'No results for \"${query}\"'. This allows script injection via crafted search queries.",
      "location": "js/app.js:51",
      "impact": "Session hijacking, credential theft, UI defacement. Attackers can craft malicious URLs that execute JavaScript in the victim's browser.",
      "fix": "Use textContent instead of innerHTML so the query is inserted as text rather than parsed as markup. Encode or sanitize all user input before DOM insertion. Use DOMPurify only where HTML rendering is genuinely required.",
      "owasp": "A03:2021 - Injection",
      "cwe": "CWE-79: Cross-site Scripting (XSS)"
    },
    {
      "id": "FIND-014",
      "severity": "HIGH",
      "title": "CSRF protection disabled",
      "category": "Security Misconfiguration",
      "description": "CSRF protection is explicitly disabled in configuration (csrf_protection: false). Payment forms and destructive actions have no CSRF tokens.",
      "location": "js/config.js:67, index.html (hidden form)",
      "impact": "Attackers can trick authenticated users into making unintended requests (payments, deletions, data exports).",
      "fix": "Enable CSRF protection. Add CSRF tokens to all state-changing forms and API requests. Use SameSite cookie attribute.",
      "owasp": "A01:2021 - Broken Access Control",
      "cwe": "CWE-352: Cross-Site Request Forgery"
    },
    {
      "id": "FIND-015",
      "severity": "MEDIUM",
      "title": "Debug mode enabled in production",
      "category": "Security Misconfiguration",
      "description": "Debug mode is enabled (debug: true, verboseErrors: true) exposing stack traces and detailed error information to end users. Configuration data is logged to browser console.",
      "location": "js/config.js:65-66, js/config.js:75-78",
      "impact": "Information disclosure. Stack traces reveal code structure, file paths, and dependency versions useful for targeted attacks.",
      "fix": "Set debug: false and verboseErrors: false in production. Remove all console.log statements that output sensitive data.",
      "owasp": "A05:2021 - Security Misconfiguration",
      "cwe": "CWE-209: Generation of Error Message Containing Sensitive Information"
    },
    {
      "id": "FIND-016",
      "severity": "MEDIUM",
      "title": "Rate limiting disabled on all endpoints",
      "category": "Security Misconfiguration",
      "description": "Rate limiting is explicitly disabled (rateLimitEnabled: false). Login, password reset, payment, and data export endpoints have no request throttling.",
      "location": "js/config.js:66",
      "impact": "Brute force attacks on login. Credential stuffing. API abuse. Denial of service.",
      "fix": "Implement rate limiting on all endpoints. Use stricter limits on auth endpoints (e.g., 5 attempts per minute). Add account lockout after failed attempts.",
      "owasp": "A07:2021 - Identification and Authentication Failures",
      "cwe": "CWE-307: Improper Restriction of Excessive Authentication Attempts"
    },
    {
      "id": "FIND-017",
      "severity": "MEDIUM",
      "title": "Wildcard CORS policy",
      "category": "Security Misconfiguration",
      "description": "CORS is configured with wildcard origin (cors_origin: '*'), allowing any website to make authenticated API requests.",
      "location": "js/config.js:65",
      "impact": "Any malicious website can make cross-origin requests to the API with the user's cookies, enabling data theft.",
      "fix": "Restrict CORS to an explicit allow-list of trusted origins. Never combine a wildcard origin with credentialed requests.",
      "owasp": "A05:2021 - Security Misconfiguration",
      "cwe": "CWE-942: Permissive Cross-domain Policy"
    },
    {
      "id": "FIND-018",
      "severity": "MEDIUM",
      "title": "Weak password policy (minimum 4 characters)",
      "category": "Authentication",
      "description": "Password minimum length is set to 4 characters (passwordMinLength: 4). No complexity requirements detected.",
      "location": "js/config.js:62",
      "impact": "Easily brute-forced passwords. Common passwords will pass validation.",
      "fix": "Require minimum 12 characters with complexity requirements. Implement password strength meter. Check against known breached password databases.",
      "owasp": "A07:2021 - Identification and Authentication Failures",
      "cwe": "CWE-521: Weak Password Requirements"
    },
    {
      "id": "FIND-019",
      "severity": "MEDIUM",
      "title": "Database SSL disabled",
      "category": "Cryptographic Failures",
      "description": "Database connection configured with sslMode: 'disable', meaning all data transmitted between application and database is unencrypted.",
      "location": "js/config.js:26",
      "impact": "Database traffic can be intercepted. Credentials and user data transmitted in plaintext.",
      "fix": "Enable SSL for all database connections (sslMode: 'require' or 'verify-full'). Use certificate pinning where possible.",
      "owasp": "A02:2021 - Cryptographic Failures",
      "cwe": "CWE-319: Cleartext Transmission of Sensitive Information"
    },
    {
      "id": "FIND-020",
      "severity": "LOW",
      "title": "Third-party script without integrity check",
      "category": "Supply Chain",
      "description": "External script loaded from cdn.example-analytics.com without Subresource Integrity (SRI) hash attribute.",
      "location": "index.html (script tag)",
      "impact": "If the CDN is compromised, malicious JavaScript can be injected into all user sessions.",
      "fix": "Add integrity and crossorigin attributes to all external script tags. Monitor for SRI hash changes.",
      "owasp": "A08:2021 - Software and Data Integrity Failures",
      "cwe": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"
    },
    {
      "id": "FIND-021",
      "severity": "LOW",
      "title": "Sensitive data logged to browser console",
      "category": "Information Disclosure",
      "description": "Full API keys and database connection strings are logged to the browser console on every page load when debug mode is active.",
      "location": "js/config.js:75-78, js/app.js:112-118",
      "impact": "Anyone with DevTools open can see all credentials. Shared screens/recordings may leak secrets.",
      "fix": "Remove all console.log statements that output secrets. Use a proper logging service with PII redaction.",
      "owasp": "A09:2021 - Security Logging and Monitoring Failures",
      "cwe": "CWE-532: Insertion of Sensitive Information into Log File"
    },
    {
      "id": "FIND-022",
      "severity": "LOW",
      "title": "Missing HSTS header",
      "category": "Security Headers",
      "description": "No Strict-Transport-Security header detected. HSTS is explicitly disabled in configuration.",
      "location": "api/config.json (hsts_enabled: false)",
      "impact": "Users can be downgraded to HTTP via MITM attacks. SSL stripping possible.",
      "fix": "Add Strict-Transport-Security header with max-age of at least 31536000 and includeSubDomains.",
      "owasp": "A05:2021 - Security Misconfiguration",
      "cwe": "CWE-319: Cleartext Transmission of Sensitive Information"
    },
    {
      "id": "FIND-023",
      "severity": "INFO",
      "title": "Excessive session timeout",
      "category": "Authentication",
      "description": "Session timeout set to 86400000ms (24 hours). Long-lived sessions increase window of opportunity for session hijacking.",
      "location": "js/config.js:61",
      "impact": "Stolen session tokens remain valid for 24 hours. Shared/public computers remain logged in.",
      "fix": "Reduce session timeout to 30-60 minutes for sensitive operations. Implement idle timeout and re-authentication for critical actions.",
      "owasp": "A07:2021 - Identification and Authentication Failures",
      "cwe": "CWE-613: Insufficient Session Expiration"
    },
    {
      "id": "FIND-024",
      "severity": "INFO",
      "title": "Stripe webhook signature verification missing",
      "category": "Input Validation",
      "description": "While a webhook secret is configured, js/api-client.js shows no webhook signature verification in the payment flow, so webhook events could be spoofed.",
      "location": "js/api-client.js",
      "impact": "Forged webhook events could trigger false payment confirmations or unauthorized account upgrades.",
      "fix": "Always verify Stripe webhook signatures server-side using the webhook secret. Reject events with invalid signatures.",
      "owasp": "A08:2021 - Software and Data Integrity Failures",
      "cwe": "CWE-345: Insufficient Verification of Data Authenticity"
    }
  ]
}
