This assessment identified 24 security findings across demo.example-agency.com, including 3 critical and 6 high-severity issues that require immediate attention. In addition to automated recon and misconfiguration checks, Advanced AI Pen Test Results validated exploitable business-logic and access-control weaknesses. WAF efficacy testing showed baseline commodity payload blocking, but also highlighted bypassable request patterns that still reached application logic. Cloud posture checks (AWS) further identified identity and key-management risks that increase blast radius if the web tier is breached. Immediate remediation of critical and high findings is strongly recommended.
Key Risks
- Exposed .git directory — full source code and credentials downloadable
- Advanced AI Pen Test Results: IDOR in invoice download endpoint enables cross-tenant data access
- WAF bypassable JSON payload patterns reached backend validation paths
- MySQL (3306) and Redis (6379) directly accessible from the internet
- WordPress admin panel (wp-login.php) exposed with no rate limiting
- AWS IAM user with long-lived access key and broad role assumption path
Positive Findings
- HTTP to HTTPS redirect correctly configured
- WAF detected and blocks baseline commodity payloads
- SPF record properly configured for email authentication
- Referrer-Policy set to strict-origin-when-cross-origin
- All cookies marked HttpOnly and Secure
- Cloud posture scanning enabled (Prowler)
Methodology & Tooling
Automated checks combine reconnaissance, fingerprinting, and configuration analysis to surface high‑signal issues quickly.
- Nuclei — template-based vulnerability checks
- Nmap — open ports and service detection
- Subfinder — subdomain enumeration
- httpx — HTTP probing and tech detection
- dnsx — DNS resolution
- WhatWeb — web stack identification
- Nikto — web server misconfiguration checks
- testssl.sh — TLS configuration analysis
- Mozilla HTTP Observatory — security header grading
- ffuf — directory and file bruteforcing
- Katana — web crawling and endpoint discovery
- gau — historical URL discovery
- Dalfox — XSS vulnerability scanning
- retire.js — JavaScript library CVE scanning
- WAF efficacy testing — fingerprinting and safe active probes
- Prowler — AWS cloud posture checks
- ShieldReport Advanced AI Pen Test Results
Vulnerability Assessment
CVE detection, misconfiguration checks, and exposed service identification powered by Nuclei.
The /.git/config file is publicly accessible, which means the entire Git repository — including source code, commit history, configuration files, and potentially hardcoded credentials — can be reconstructed by an attacker using tools like git-dumper.
Impact
An attacker can download the full source code, extract database credentials, API keys, and secret tokens from the commit history, and use this information to fully compromise the application and its backend infrastructure.
Evidence
Template: git-config
Matched at: https://demo.example-agency.com/.git/config
Matcher: body contains [core]
Extracted:
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
[remote "origin"]
    url = [email protected]:example-agency/website.git
Remediation
Block access to the .git directory immediately. Rotate all credentials found in the repository history.
- Block access to .git in your web server configuration immediately.
- Audit the full Git history for secrets: database passwords, API keys, .env files. Rotate every credential found.
- Ensure your deployment process does not copy the .git directory to production servers.
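As an added example (not scanner output and not the agency's code), the following Python triages a recovered .git/config the way an attacker does after a git-dumper run, and the way you should when auditing the dump: it parses git's INI-like format, including tab-indented keys and quoted subsections such as [remote "origin"], and reports credentials embedded in remote URLs, Authorization headers set through http.extraheader, and a plaintext credential helper. Both configs below are constructed samples; the token, hostnames and repository names are placeholders, not values recovered from demo.example-agency.com.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches [core] as well as [remote "origin"]: a section name plus an optional quoted subsection.
SECTION_RE = re.compile(r'^\[(?P<name>[^\s\]"]+)(?:\s+"(?P<sub>[^"]*)")?\]$')


def parse_git_config(text):
    """Parse git's INI-like config into {(section, subsection): {key: value}}.

    Section and key names are case-insensitive in git and are lower-cased here;
    subsection names (remote names, URLs) keep their case.
    """
    config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = (match.group("name").lower(), match.group("sub"))
            config.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            config[current][key.lower()] = value
    return config


def redact(url):
    """Replace any userinfo in a URL with ***:*** so a finding can be logged safely."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, f"***:***@{host}", parts.path, parts.query, parts.fragment))


def find_exposed_credentials(config_text):
    """Return human-readable findings for secrets a dumped .git/config would hand over."""
    findings = []
    for (section, sub), values in parse_git_config(config_text).items():
        url = values.get("url", "")
        # scp-style git@host:path URLs carry no secret; URLs with userinfo (user:token@ or token@) do
        if "://" in url and urlsplit(url).username:
            findings.append(f"remote '{sub}': credentials embedded in URL {redact(url)}")
        if section == "http" and "extraheader" in values:
            header_name = values["extraheader"].split(":", 1)[0].strip()
            findings.append(f"http.extraheader sets '{header_name}' for {sub or 'all hosts'}")
        if section == "credential" and values.get("helper", "").startswith("store"):
            findings.append("credential.helper=store: plaintext ~/.git-credentials likely exists on the host")
    return findings


# Constructed sample configs (placeholders only; not the file recovered in this assessment).
LEAKY_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://deploy:ghp_EXAMPLEtoken0000@github.com/example-agency/website.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[http "https://dev.azure.com/"]
\textraheader = AUTHORIZATION: bearer eyJEXAMPLE
[credential]
\thelper = store
"""

CLEAN_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = git@github.com:example-agency/website.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_CONFIG), ("clean", CLEAN_CONFIG)):
        print(f"== {label} ==")
        for finding in find_exposed_credentials(text) or ["no credential material in config"]:
            print(" -", finding)
```

Run it against the real dump after `git-dumper https://host/.git/ out/`; a clean .git/config is only the start, since the commit history and any committed .env files still need a secrets scan before rotation is complete.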
Platform-Specific Fix
# return 404 is evaluated before deny all, so the path reads as absent rather than forbidden;
# the regex also covers /.gitignore, /.github and similar dotfiles, which is harmless.
location ~ /\.git {
    deny all;
    return 404;
}
Open Ports & Services
Network port scanning to identify exposed services and their versions.
MySQL (port 3306) is directly accessible from the internet. Exposed database ports are a leading cause of data breaches — attackers can attempt brute-force authentication, exploit known MySQL vulnerabilities, or access data if default or weak credentials are in use.
Impact
Port 3306 (mysql / MySQL 8.0.35) is accessible from the internet. An exposed database server invites credential brute-forcing and, with weak or reused credentials, direct SQL access, data exfiltration, or complete database takeover.
Evidence
Port: 3306/tcp
State: open
Service: mysql
Product: MySQL
Version: 8.0.35
Remediation
Restrict access to port 3306 using firewall rules. This service should not be directly exposed to the internet.
- Add a firewall rule to block external access to port 3306, and bind MySQL to the loopback or a private interface (the bind-address setting) so it does not listen on public addresses at all. The ufw rule below only takes effect if ufw is enabled; on AWS, also remove the inbound rule from the instance's security group.
- If remote database access is needed, restrict it to specific IP addresses or use SSH tunnelling / VPN.
- Audit MySQL user accounts and remove any accounts with wildcard host (%) access.
- Cloudflare does not proxy port 3306, so its reachability means the origin host is addressable directly, bypassing the edge WAF described under WAF Effectiveness. Restrict origin ingress on 80/443 to Cloudflare IP ranges and close database ports entirely.
Platform-Specific Fix
sudo ufw deny 3306/tcp
Attack Surface
Subdomain enumeration and external asset discovery to map your exposure.
Subdomains with names suggesting development, staging, or administrative purposes were found. These often have weaker security controls than production systems.
Impact
Development and staging environments frequently contain debug endpoints, default credentials, or unpatched software. Attackers routinely enumerate subdomains to find these weak points.
Evidence
staging.demo.example-agency.com
dev.demo.example-agency.com
admin.demo.example-agency.com
Remediation
Review all discovered subdomains. Remove DNS records for decommissioned services. Ensure non-production environments are access-restricted.
- Audit each subdomain — is it still needed? Remove DNS records for defunct services.
- Restrict access to development/staging environments using IP allowlists or VPN.
- Ensure non-production environments do not contain real customer data.
Technology Stack
Identified technologies, frameworks, and platforms with known security considerations.
WordPress is the most targeted CMS. Ensure core, themes, and plugins are updated. Disable XML-RPC if not needed.
Impact
WordPress requires active security maintenance. Unpatched installations are frequently exploited.
Evidence
Technology: WordPress 5.9
Web Server: nginx/1.24.0
CDN: Cloudflare
Remediation
Update WordPress to the latest version (6.x), update all plugins and themes, and disable XML-RPC if not needed. Take a full backup (files and database) first: 5.9 to 6.x spans several major releases and includes a database upgrade step (see prioritised action 8).
- Update WordPress core, all plugins, and all themes to the latest versions.
wp core update && wp plugin update --all && wp theme update --all
- Disable XML-RPC if not needed for remote publishing or Jetpack.
- Enable automatic security updates for WordPress core and plugins.
Platform-Specific Fix
# Block XML-RPC
location = /xmlrpc.php {
deny all;
return 404;
}
HTTP Security Headers
Analysis of HTTP response headers that control browser security behaviour.
The server does not return a Content-Security-Policy response header. CSP is a critical defence-in-depth mechanism that mitigates cross-site scripting (XSS) and data injection attacks by restricting which resources the browser is permitted to load.
Impact
Without CSP, if an attacker finds any HTML injection or XSS vulnerability, they can load arbitrary scripts, exfiltrate data, and fully compromise the user session. CSP acts as a safety net even when other defences fail.
Evidence
HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=2592000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
# Content-Security-Policy: NOT PRESENT
Remediation
Add a Content-Security-Policy header to all responses. Start with a restrictive policy and relax only where a violation report shows a legitimate need.
- Add the following header to your web server configuration. It is a strict starting point with two deliberate compromises: style-src keeps 'unsafe-inline' because WordPress and most themes emit inline styles, and img-src allows any https: origin. Tighten both if the site can tolerate it, and adjust other directives if the application requires external resources.
- Expect violations in wp-admin: WordPress core and many plugins inject inline scripts, so script-src 'self' blocks them until they are allow-listed with nonces or hashes, or the policy is scoped to the public site.
- Test the policy using Content-Security-Policy-Report-Only first to identify any blocked resources before enforcing.
- Monitor CSP violation reports to catch any issues in production.
- In nginx, add_header directives in a location block replace all add_header directives inherited from the enclosing server block, so place the header where every response path picks it up or repeat it in each location.
Platform-Specific Fix
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
TLS/SSL Configuration
Assessment of transport layer encryption and certificate health.
The TLS certificate for demo.example-agency.com expires on 2026-02-27, which is 21 days from now. If the certificate is not renewed, browsers will display security warnings and block access.
Impact
An expired certificate will cause browsers to show a full-page warning, effectively making your site inaccessible to most users. Search engine rankings will also be negatively affected.
Evidence
Subject: CN=demo.example-agency.com
Issuer: Let's Encrypt Authority X3
Not Before: 2025-11-29T12:00:00Z
Not After: 2026-02-27T12:00:00Z
Days Until Expiry: 21
Remediation
Ensure your TLS certificate auto-renewal is configured and working. Test with a dry-run. Let's Encrypt certificates are valid for 90 days and certbot renews them once fewer than 30 days remain, so a certificate with 21 days left has already missed at least one renewal window; treat the renewal job as broken until the dry-run succeeds.
- Check your certificate auto-renewal configuration.
sudo certbot renew --dry-run
- If using Let's Encrypt, ensure the certbot timer/cron is active.
sudo systemctl status certbot.timer
Information Disclosure
Checks for unintended exposure of server or application details.
The Server response header reveals the software name and version: nginx/1.24.0. This information helps attackers identify known vulnerabilities for the specific version and tailor their attacks accordingly.
Impact
Knowing the exact server version allows attackers to search for known CVEs and use targeted exploits. This is a reconnaissance advantage that should be denied.
Evidence
Server: nginx/1.24.0
Remediation
Remove or obscure the server version from HTTP response headers.
- Disable server version disclosure in your web server configuration. server_tokens off reduces the header to "nginx"; removing it entirely requires the headers-more module or a custom build. Hiding the version is hardening only and does not substitute for patching nginx.
Platform-Specific Fix
server_tokens off;
Cookie Security
Analysis of cookie attributes and session management flags.
The session cookie 'session_id' does not explicitly set the SameSite attribute. Chromium-based browsers treat such cookies as SameSite=Lax by default, but Firefox and Safari do not, so the cookie is still sent on cross-site requests from those browsers. Setting the attribute explicitly closes that gap and documents the intended behaviour.
Impact
In browsers that do not apply a Lax default, the cookie accompanies cross-site requests, so any state-changing endpoint that lacks an anti-CSRF token can be driven from an attacker-controlled page while the user is logged in.
Evidence
Set-Cookie: session_id=abc123; Path=/; HttpOnly; Secure
# SameSite attribute: NOT SET (Chromium defaults to Lax; Firefox and Safari send the cookie cross-site)
Remediation
Add SameSite=Lax (or Strict) to all cookies.
- Update your application's cookie configuration to include the SameSite attribute. 'Lax' suits most cookies, including the session cookie when users arrive via links from other sites; 'Strict' withholds the cookie on every cross-site navigation, so a user following an external link lands logged out. SameSite is defence in depth, not a replacement for anti-CSRF tokens.
Platform-Specific Fix
// express-session, inferred from the shape of the snippet; the options other than cookie
// are the usual minimum for a working session middleware
const session = require('express-session');
app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: {
    secure: true,
    httpOnly: true,
    sameSite: 'lax', // or 'strict'
  }
}));
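The following Python audit, added here as an example rather than taken from the scanner or the agency's code, applies the checks from the HTTP Security Headers, Information Disclosure and Cookie Security sections to a raw HTTP response head: it flags a missing or weak Content-Security-Policy, an HSTS max-age under one year, a missing X-Content-Type-Options, a Server header that carries a version, and cookies lacking Secure, HttpOnly or SameSite. Both responses below are constructed: the first mirrors the Evidence blocks above, the second is the same response with the report's header fixes applied.

```python
import re

ONE_YEAR = 31536000  # HSTS max-age expected by preload lists and by prioritised action 15


def parse_response(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...]).

    Names are lower-cased; duplicates are kept because Set-Cookie may repeat.
    """
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def lint_csp(policy):
    """Flag directive values that leave a CSP ineffective against script injection."""
    findings = []
    d = {}
    for chunk in policy.split(";"):  # "script-src 'self' x" -> {"script-src": ["'self'", "x"]}
        tokens = chunk.split()
        if tokens:
            d[tokens[0].lower()] = tokens[1:]
    script = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
    # once a nonce or hash is present, CSP3 browsers ignore 'unsafe-inline'
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        findings.append("CSP: script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("CSP: script-src allows 'unsafe-eval'")
    if any(s in ("*", "http:", "https:", "data:") for s in script):
        findings.append("CSP: script-src allows scripts from any origin")
    if "frame-ancestors" not in d:
        findings.append("CSP: no frame-ancestors directive")
    if "'unsafe-inline'" in d.get("style-src", []):
        findings.append("CSP: style-src allows 'unsafe-inline' (accepted compromise, but review)")
    return findings


def audit_response(raw):
    """Return the header and cookie findings for one raw HTTP response."""
    _, headers = parse_response(raw)

    def values(name):
        return [v for n, v in headers if n == name]

    findings = []
    csp = values("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        findings.extend(lint_csp(csp[0]))

    hsts = values("strict-transport-security")
    match = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    max_age = int(match.group(1)) if match else 0  # an absent header counts as max-age 0
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")

    xcto = values("x-content-type-options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    server = values("server")
    if server and re.search(r"/\d", server[0]):  # 'nginx/1.24.0' discloses, 'nginx' does not
        findings.append(f"Server header discloses version: {server[0]}")

    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")):
            if attr not in attrs:
                findings.append(f"Cookie {name}: {label} attribute not set")
    return findings


# Constructed samples: OBSERVED mirrors the Evidence blocks above; HARDENED is the same
# response with the report's header fixes applied.
OBSERVED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.24.0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=2592000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session_id=abc123; Path=/; HttpOnly; Secure
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';
Set-Cookie: session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
"""
```

Feed it the output of `curl -sI https://demo.example-agency.com/` after each change; the hardened sample still produces one note, because the recommended policy keeps 'unsafe-inline' for styles, which is the compromise described in the CSP remediation above.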
DNS & Email Security
Assessment of DNS-based email authentication and domain protection.
No DMARC record was found at _dmarc.demo.example-agency.com. DMARC tells receiving mail servers how to handle messages that fail SPF and DKIM alignment and where to send reports about them. Without it, a spoofed message carrying your domain in the From header is judged by each receiver's own heuristics rather than your published policy, and you receive no reports that spoofing is taking place.
Impact
Attackers can send phishing emails that appear to originate from your domain. This can damage your reputation, compromise your clients, and reduce email deliverability.
Evidence
$ dig TXT _dmarc.demo.example-agency.com
; ANSWER SECTION:
; (no records returned - NXDOMAIN)
Remediation
Add a DMARC DNS TXT record. If you have not yet inventoried every legitimate sending source (marketing platforms, ticketing, transactional mail), start with a monitoring policy (p=none), review the aggregate reports, then move to p=quarantine and finally p=reject. The record below goes straight to quarantine; substitute p=none for the monitoring phase.
- Add the following DNS TXT record to your domain. Replace the email address with your own.
_dmarc.demo.example-agency.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@demo.example-agency.com; pct=100"
- Allow the record's TTL to pass (new TXT records are usually visible within minutes, though some resolvers may take up to 24–48 hours), then verify using a DMARC checker.
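An added example, not part of the scanner output: a small Python validator for the record above and for whatever DNS returns after the change. It parses the tag=value list, checks that v=DMARC1 leads, that p= (and sp= if present) is a valid policy, that rua= points at mailto: URIs so reports actually arrive, and that pct= is sane, and reports whether the record is enforcing. The record strings are constructed; the DNS lookup itself is left to dig or a resolver library so the example runs offline.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=quarantine; rua=mailto:a@b' into {tag: value}, tags lower-cased."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return (enforcing, problems) for a DMARC TXT record; pass None when DNS has no record.

    enforcing is True only for a clean record whose policy is quarantine or reject
    applied to 100% of failing mail; p=none is valid but only monitors.
    """
    if record is None:
        return False, ["no DMARC record: receivers apply no policy to mail failing SPF/DKIM alignment"]
    problems = []
    tags = parse_dmarc(record)
    if record.split(";")[0].strip().lower() != "v=dmarc1":
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        problems.append(f"p= must be one of {', '.join(VALID_POLICIES)}, got {policy!r}")
    if tags.get("sp") not in (None, *VALID_POLICIES):
        problems.append(f"sp= must be one of {', '.join(VALID_POLICIES)}, got {tags['sp']!r}")
    if "rua" not in tags:
        problems.append("no rua= address: aggregate reports, and with them visibility of spoofing, are lost")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"rua= entry is not a mailto: URI: {uri.strip()!r}")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        problems.append(f"pct= must be 0-100, got {pct!r}")
        pct = "0"
    enforcing = not problems and policy in ("quarantine", "reject") and int(pct) == 100
    return enforcing, problems


# Constructed records for illustration; none were queried from DNS.
RECOMMENDED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@demo.example-agency.com; pct=100"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@demo.example-agency.com"
BROKEN = "p=reject; rua=https://reports.example/dmarc; pct=150"

if __name__ == "__main__":
    for label, record in (("none", None), ("recommended", RECOMMENDED), ("monitor", MONITOR_ONLY), ("broken", BROKEN)):
        enforcing, problems = evaluate_dmarc(record)
        print(f"{label:12} enforcing={enforcing} problems={problems}")
```

Paste the TXT string returned by `dig +short TXT _dmarc.demo.example-agency.com` (quotes stripped) into evaluate_dmarc; a (False, []) result means the record is valid but still in monitoring mode, which is the expected intermediate state before moving to quarantine.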
Advanced AI Pen Test Results
White-box and authenticated exploit validation of business logic, auth/authz, injection, XSS, and SSRF risks.
Advanced AI Pen Test Results validated an insecure direct object reference in `/api/invoices/{id}/download`. A low-privilege user could request invoice IDs belonging to other organisations and receive full invoice payloads.
Impact
Cross-tenant data exposure can leak customer names, billing addresses, VAT details, and transaction values. This creates legal, reputational, and contractual risk, especially for agencies handling client billing data.
Evidence
GET /api/invoices/48291/download HTTP/1.1
Authorization: Bearer user_role=member; org=acme-labs
HTTP/1.1 200 OK
Content-Type: application/pdf
X-Invoice-Org: northbridge-studio
Content-Length: 148233
Remediation
Enforce tenant ownership checks at the API layer before returning invoice records, and scope every invoice read by tenant, not just the download endpoint.
- Validate that `invoice.org_id` matches the caller's `org_id` from the authenticated session; the tenant must come from the session or token, never from a request parameter.
- Prefer keying the lookup on both the invoice id and the tenant id so a non-owned record is never loaded in the first place; a comparison after the fetch is the minimum acceptable check.
- Return 404 for non-owned resources to reduce enumeration signal, and use the same response for ids that do not exist.
- Add automated authorisation tests for cross-tenant object access, covering every path that reads invoices (list, view, download, export).
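To make the remediation concrete, here is an added Python example (not the agency's code, whose stack the report does not show): an in-memory invoice store with the vulnerable handler, which looks up by id alone, beside the tenant-scoped handler, which keys the lookup on (id, org_id) so a foreign invoice is never loaded and is indistinguishable from a missing one. cross_tenant_matrix is the automated authorisation test from the last bullet: it requests every invoice as every user of a different tenant and returns any leak. Invoice IDs and tenant names reuse the evidence above; the PDF bytes, users and sessions are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    org_id: str
    pdf: bytes


@dataclass(frozen=True)
class Session:
    user: str
    org_id: str  # tenant taken from the authenticated session, never from the request


class NotFound(Exception):
    """Maps to HTTP 404 for both missing and foreign invoices (no enumeration signal)."""


# Constructed sample data for two tenants; ids and org names mirror the evidence above.
INVOICES = {
    48290: Invoice(48290, "acme-labs", b"%PDF-1.7 acme-labs invoice"),
    48291: Invoice(48291, "northbridge-studio", b"%PDF-1.7 northbridge-studio invoice"),
}
SESSIONS = [Session("alice", "acme-labs"), Session("bob", "northbridge-studio")]


def download_invoice_vulnerable(session, invoice_id):
    """IDOR: the lookup is keyed on id only, so any authenticated user gets any tenant's invoice."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound("Invoice not found")
    return invoice.pdf


def find_invoice(invoice_id, org_id):
    """Tenant-scoped lookup, the in-memory equivalent of a query filtered on both id and org_id."""
    invoice = INVOICES.get(invoice_id)
    return invoice if invoice is not None and invoice.org_id == org_id else None


def download_invoice(session, invoice_id):
    """Hardened handler: the tenant comes from the session and is part of the lookup key."""
    invoice = find_invoice(invoice_id, session.org_id)
    if invoice is None:
        raise NotFound("Invoice not found")  # identical response for foreign and nonexistent ids
    return invoice.pdf


def http_response(handler, session, invoice_id):
    """Translate the handler's result into (status, body) as the API layer would."""
    try:
        return 200, handler(session, invoice_id)
    except NotFound as exc:
        return 404, str(exc).encode()


def cross_tenant_matrix(handler, sessions=SESSIONS, invoices=INVOICES):
    """Authorisation test: request every invoice as every user of a different tenant.

    Returns the (user, invoice_id) pairs that were served; an empty list passes.
    """
    leaks = []
    for session in sessions:
        for invoice in invoices.values():
            if invoice.org_id == session.org_id:
                continue
            status, _ = http_response(handler, session, invoice.id)
            if status == 200:
                leaks.append((session.user, invoice.id))
    return leaks


if __name__ == "__main__":
    print("vulnerable leaks:", cross_tenant_matrix(download_invoice_vulnerable))
    print("hardened leaks:  ", cross_tenant_matrix(download_invoice))
```

The matrix test belongs in the regression suite named in prioritised action 19: run it against every handler that reads invoices, with at least two tenants seeded, so that a future endpoint that forgets the tenant key fails CI rather than a pen test.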
Platform-Specific Fix
if (invoice.orgId !== session.orgId) {
  // same status and body as a non-existent invoice, so ids cannot be enumerated
  throw new NotFoundError("Invoice not found");
}
WAF Effectiveness
WAF fingerprinting and safe active probe analysis to measure block quality and bypass resilience.
WAF fingerprinting identified Cloudflare-managed protection in front of the origin. Safe baseline probes for commodity SQLi and XSS signatures were blocked at the edge as expected.
Impact
This reduces exposure to low-complexity automated attacks and opportunistic scanning traffic.
Evidence
Probe set: waf-safe-baseline-v1
Blocked responses: 7/7
Observed status codes: 403, 406
Edge signal: cf-ray present, managed rule challenge observed
Remediation
No immediate action required for baseline blocking. Keep managed WAF rules enabled and review anomaly logs weekly. This probe set covers commodity signatures only; the encoded JSON payload variants that reached backend validation paths are tracked under Key Risks and prioritised action 21.
Cloud Security Posture
AWS posture checks for identity, key hygiene, and configuration hardening.
Prowler confirmed CloudTrail is enabled with multi-region logging, improving account-wide auditability.
Impact
Consistent audit logging supports faster forensic investigation, detection engineering, and compliance evidence collection.
Evidence
provider=aws
service=cloudtrail
control=cloudtrail_multi_region_enabled
status=PASS
Remediation
No immediate action required. Keep retention and integrity controls under periodic review.
This assessment found 3 critical, 6 high, 6 medium, 4 low, 3 informational, and 2 pass outcomes. Alongside perimeter and configuration issues, Advanced AI Pen Test Results validated exploitable access-control and business-logic weaknesses, while WAF and cloud posture checks identified control gaps that should be remediated in the same sprint.
Estimated effort: 1–2 days for a mid-level engineer
Prioritised Actions
1. Block .git directory access and rotate all credentials found in repository history
   Effort: 30 minutes (block) + 1–2 hours (credential rotation)
   Fix: location ~ /\.git { deny all; return 404; }
2. Update jQuery from 3.4.1 to 3.7.x (CVE-2020-11023)
   Effort: 30 minutes + testing
   Fix: wp core update && wp plugin update --all
3. Block MySQL port 3306 from public internet access
   Effort: 5 minutes
   Fix: sudo ufw deny 3306/tcp
4. Block Redis port 6379 and enable authentication
   Effort: 10 minutes
   Fix: sudo ufw deny 6379/tcp
5. Restrict wp-login.php access: IP allowlist, rate limit, enforce 2FA
   Effort: 30 minutes
   Fix: wp plugin install wordfence --activate
6. Add Content-Security-Policy header
   Effort: 15 minutes (config) + testing
   Fix: add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
7. Verify TLS certificate auto-renewal is working
   Effort: 5 minutes
   Fix: sudo certbot renew --dry-run
8. Update WordPress from 5.9 to latest 6.x release
   Effort: 30 minutes + testing
   Fix: wp core update && wp core update-db
9. Audit risky subdomains (staging, dev, admin) — restrict or decommission
   Effort: 30 minutes
10. Hide server version
   Effort: 2 minutes
   Fix: server_tokens off;
11. Configure DMARC DNS record
   Effort: 10 minutes + 24h propagation
12. Add Permissions-Policy header
   Effort: 5 minutes
   Fix: add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
13. Add X-Content-Type-Options header
   Effort: 2 minutes
   Fix: add_header X-Content-Type-Options "nosniff" always;
14. Add SameSite attribute to cookies
   Effort: 15 minutes (application code)
15. Increase HSTS max-age to 1 year
   Effort: 2 minutes
   Fix: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
16. Remove internal paths from robots.txt
   Effort: 5 minutes
17. Review subdomain inventory and remove unused DNS records
   Effort: 20 minutes
18. Ensure all detected technologies are on latest stable versions
   Effort: 30 minutes (audit)
19. Fix invoice IDOR with tenant ownership checks on every invoice read/download path
   Effort: 45 minutes + regression tests
20. Remove client-controlled pricing fields and enforce server-side checkout amount calculation
   Effort: 45 minutes + billing flow tests
21. Harden WAF rules for encoded JSON payload variants and add parser-layer anomaly alerting
   Effort: 30 minutes + tuning
22. Rotate overdue IAM access keys and migrate workers to role-based temporary credentials
   Effort: 30 minutes + deployment validation
Engine: ShieldReport v3.2.0 (Enhanced: Web + WAF + Cloud + Advanced AI Pen Test Results)
Duration: 63s
Checks Run: 24
TLS Version: TLS 1.3
This report was generated by an automated security scanner. The automated checks assess configurations against known good practices and do not attempt exploitation; exploit validation is limited to the Advanced AI Pen Test Results section. For comprehensive penetration testing, engage a qualified security professional.