Rook
AI red-teamer · 42nights
Scanslocal/vulnerable-app

Scan #87y4pn

framework: node · target http://127.0.0.1:4600

Done
100%
Bootstrap
Threat model
Static scan
Exploit synthesis
Report
Done
11
verified
14
candidates
0
false-positives dropped

Verified findings

critical9.8
Unauthenticated Remote Command Injection in /api/ping host parameter
injection-cmd · server.js:31
✓ verifiedhigh7.5
Unauthenticated IDOR on /api/notes exposes private notes (PII, bank PIN)
auth-bypass · server.js:48
✓ verifiedhigh7.5
Unauthenticated IDOR on /api/notes discloses other users' private notes
idor · server.js:48
✓ verifiedhigh7.5
Unauthenticated Path Traversal in /api/file Allows Arbitrary File Read
path-traversal · server.js:38
✓ verifiedcritical9.8
Unauthenticated Remote Command Execution via /api/ping host parameter
auth-bypass · server.js:29
✓ verifiedcritical10
Hardcoded production API key (sk_live_*) committed in server.js
secrets-in-source · server.js:11
✓ verifiedcritical9.9
Unauthenticated SSRF via /api/fetch enables internal network access through the server
auth-bypass · server.js:63
✓ verifiedhigh7.5
Unauthenticated arbitrary file read via /api/file path traversal
auth-bypass · server.js:38
✓ verifiedmedium6.1
Reflected XSS in /search via unescaped 'q' query parameter
xss · server.js:56
✓ verifiedmedium5.3
Filesystem error messages reflected to clients disclose absolute server paths
info-leak · server.js:40
✓ verifiedmedium5.3
SSRF error disclosure enables internal network and port enumeration via /api/fetch
info-leak · server.js:72
✓ verified

Needs human review

medium
SSRF via /api/fetch url parameter
ssrf · server.js:63
needs review