Scan #87zp3p for Macintosh1011/rook-demo-target
framework: node · target http://127.0.0.1:4600
Status: Done (100%) · stages: Bootstrap, Threat model, Static scan, Exploit synthesis, Report
Summary: 14 candidates · 9 verified · 2 false-positives dropped
Verified findings (9)

1. critical 9.8 · verified
   Unauthenticated OS Command Injection in /api/ping host parameter (RCE)
   injection-cmd · server.js:31

2. high 7.5 · verified
   Unauthenticated IDOR on /api/notes exposes private user notes (PII)
   auth-bypass · server.js:48

3. high 7.5 · verified
   Unauthenticated IDOR on /api/notes discloses arbitrary users' private notes
   idor · server.js:48

4. critical 10 · verified
   Hardcoded production API key constant in server.js exposes live credentials
   secrets-in-source · server.js:11

5. medium 6.1 · verified
   Reflected Cross-Site Scripting (XSS) in /search via unescaped 'q' parameter
   xss · server.js:56

6. critical 9.8 · verified
   Unauthenticated Command Execution via /api/ping Endpoint
   auth-bypass · server.js:29

7. critical 9.9 · verified
   Unauthenticated SSRF primitive via /api/fetch performs arbitrary server-side HTTP GETs
   auth-bypass · server.js:63

8. medium 5.3 · verified
   Filesystem error message disclosure in /api/file reveals absolute paths and error codes
   info-leak · server.js:41

9. medium 5.8 · verified
   SSRF reconnaissance via verbose network error leakage in /api/fetch
   info-leak · server.js:72
Needs human review

2 disconfirmed (dropped: exploit didn't fire)
path-traversal · server.js:38 — The response is a 404 error indicating the file was not found at '/Users/etc/passwd'. The traversal did escape the intended public directory (path resolved outside the app), but no actual file contents were returned and 'root:x:0:0' is not present. The traversal didn't go up enough levels to reach the real /etc/passwd.
auth-bypass · server.js:38 — The path traversal attempt returned a 404 ENOENT error. While the error reveals an absolute filesystem path ('/Users/etc/passwd') outside the app directory—indicating path.join resolved the traversal—the actual /etc/passwd contents were not returned. The traversal didn't reach the real /etc/passwd because too many '../' segments collapsed the path to '/Users/etc/passwd' which doesn't exist. No sensitive file contents were disclosed, so actual exploitation is not demonstrated.