Rook
AI red-teamer · 42nights
ScansMacintosh1011/rook-demo-target

Scan #8882bz

framework: node · target http://127.0.0.1:4600

Queued…
0%
Bootstrap
Threat model
Static scan
Exploit synthesis
5Report
6Done

Verified findings

critical9.8
Unauthenticated OS Command Injection in /api/ping host parameter
injection-cmd · server.js:31
✓ verifiedhigh7.5
Unauthenticated IDOR on /api/notes exposes private notes (PII/financial secrets)
auth-bypass · server.js:48
✓ verifiedhigh7.5
Unauthenticated IDOR on /api/notes Discloses Private User Data (Bank PINs, SSNs)
idor · server.js:48
✓ verifiedhigh7.5
Unauthenticated Path Traversal in /api/file Allows Arbitrary File Read
path-traversal · server.js:38
✓ verified

Needs human review

medium
SSRF via /api/fetch url parameter
ssrf · server.js:63
needs review