Strix Security Penetration Test Report

Generated: 2026-06-30 12:36:26 UTC | Tool: Strix v1.0.4 | Model: GLM-5.2 (ollama-cloud)

Executive Summary

A comprehensive black-box security assessment was performed against OWASP Juice Shop v20.1.1 hosted at http://host.docker.internal:3000. The assessment identified 26 confirmed vulnerabilities across 7 vulnerability classes, including 5 critical-severity findings that enable complete authentication bypass, database exfiltration, and administrative account takeover.

26
Total Findings
5
Critical
5
High
16
Medium
6
Tested Safe

The most severe issues: SQL injection in the login endpoint allowing password-free admin access; UNION-based SQL injection in product search enabling full database extraction (all 29 user accounts with MD5 password hashes); JWT algorithm confusion and alg=none attacks allowing forged admin tokens; and mass assignment on user registration creating admin accounts. Multiple high-severity IDOR vulnerabilities allow any authenticated user to read other users' baskets, checkout on their behalf, delete their feedback, and access all user profiles and complaints.

The application's security posture is critically weak. Authentication, authorization, input validation, and output encoding controls are systematically broken across the API surface. An unauthenticated attacker can extract the entire database or gain admin access within minutes. Authenticated low-privilege users can compromise other accounts, manipulate financial transactions, and abuse race conditions for fraud.

No SSRF, XXE, RCE, or SSTI vulnerabilities were found in this version, indicating some server-side controls have been improved in recent releases.

Findings Summary

# Severity Vulnerability CWE CVSS Endpoint
1CriticalSQL Injection in LoginCWE-899.8POST /rest/user/login
2CriticalUNION-based SQLi in Product SearchCWE-899.8GET /rest/products/search
3CriticalJWT alg=none Auth BypassCWE-3479.8All protected endpoints
4CriticalJWT RS256 to HS256 Algorithm ConfusionCWE-3479.8/encryptionkeys/jwt.pub
5CriticalMass Assignment Privilege EscalationCWE-9159.8POST /api/Users
6HighDOM-based XSS in SearchCWE-798.9GET /search?q=
7HighStored XSS via Product Reviews + Data ExportCWE-797.1PUT /rest/products/{id}/reviews
8HighSensitive File Disclosure via Null Byte BypassCWE-228.2GET /ftp/
9HighUnauthenticated Configuration DisclosureCWE-2007.5GET /rest/admin/application-configuration
10HighRace Condition on Basket CheckoutCWE-3627.1POST /rest/basket/{id}/checkout
11MediumIDOR on Basket ReadCWE-6398.1GET /rest/basket/{id}
12MediumIDOR on Feedback DeletionCWE-6398.1DELETE /api/Feedbacks/{id}
13MediumIDOR on Basket CheckoutCWE-6396.5POST /rest/basket/{id}/checkout
14MediumBFLA on User ListingCWE-6396.5GET /api/Users
15MediumIDOR on User Profile AccessCWE-6396.5GET /api/Users/{id}
16MediumIDOR on Basket Item DeletionCWE-6396.5DELETE /api/BasketItems/{id}
17MediumNegative Basket Quantity CheckoutCWE-206.5POST /api/BasketItems
18MediumIDOR on Complaints ReadCWE-6394.3GET /api/Complaints
19MediumBFLA on Inventory AccessCWE-6394.3GET /api/Quantitys
20MediumUnauthenticated Review SubmissionCWE-3065.3PUT /rest/products/{id}/reviews
21MediumMass Assignment in Recycle APICWE-9154.3POST /api/Recycles
22MediumZero-Quantity Basket CheckoutCWE-204.3POST /rest/basket/{id}/checkout
23MediumVerbose Error MessagesCWE-2095.3All error responses
24MediumPrometheus Metrics and Swagger UI ExposureCWE-2005.3/metrics, /api-docs/
25MediumJWT Contains Password HashCWE-5227.5All JWT tokens
26MediumExposed /ftp/ DirectoryCWE-5385.3GET /ftp/

Critical Severity Findings (CVSS 9.8)

#1 SQL Injection in Login Critical CWE-89 CVSS 9.8

Endpoint: POST /rest/user/login

The login endpoint accepts SQL injection in the email field. The backend constructs raw SQL queries without parameterization. Payload bypasses password verification and returns a valid admin JWT token.

admin@juice-sh.op'-- || ' OR 1=1--
#2 UNION-based SQL Injection in Product Search Critical CWE-89 CVSS 9.8

Endpoint: GET /rest/products/search?q=

UNION-based injection extracts the complete database: all 29 user accounts with MD5 password hashes, full schema (22 tables), and SQLite version info.

')) UNION SELECT id,email,password,role,5,6,7,8,9 FROM Users--
#3 JWT alg=none Authentication Bypass Critical CWE-347 CVSS 9.8

Library: express-jwt 0.1.3 (outdated)

The outdated JWT library accepts tokens with {"alg":"none"} and no signature. Forged tokens with admin claims grant full administrative access to all protected endpoints.

#4 JWT RS256 to HS256 Algorithm Confusion Critical CWE-347 CVSS 9.8

Endpoint: /encryptionkeys/jwt.pub (RSA public key exposed)

The RSA public key can be used as an HMAC secret to forge valid HS256 tokens. The server accepts these forged tokens as legitimate, enabling impersonation of any user including admin.

#5 Mass Assignment Privilege Escalation Critical CWE-915 CVSS 9.8

Endpoint: POST /api/Users (registration)

The registration endpoint accepts a "role" field in the JSON body. Setting "role":"admin" during registration creates a user with administrative privileges, bypassing the intended customer-only default role.

{"email":"user@test.com","password":"Pass123","passwordRepeat":"Pass123","role":"admin"}

High Severity Findings (CVSS 7.1-8.9)

#6 DOM-based XSS in Search High CWE-79 CVSS 8.9

Angular frontend calls bypassSecurityTrustHtml() on the URL query parameter q, rendering it via [innerHTML]. No authentication required.

<img src=x onerror=alert(1)>
#7 Stored XSS via Product Reviews + Data Export High CWE-79 CVSS 7.1

Product reviews stored without HTML sanitization. Data export feature uses document.write() to render user data, causing stored XSS payloads in reviews to execute. Requires authentication.

#8 Sensitive File Disclosure via Null Byte Bypass High CWE-22 CVSS 8.2

The /ftp/ endpoint restricts file access to .md/.pdf extensions, but double-encoded null bytes bypass the filter. Confirmed retrieval of package.json.bak, suspicious_errors.yml, KeePass database, and Python bytecode.

%2500.md (double-encoded null byte)
#9 Unauthenticated Configuration Disclosure High CWE-200 CVSS 7.5

GET /rest/admin/application-configuration returns 23KB of sensitive configuration without authentication, including OAuth client IDs, chatbot model details, challenge solutions, and internal server settings.

#10 Race Condition on Basket Checkout High CWE-362 CVSS 7.1

POST /rest/basket/{id}/checkout has no concurrency control. 20 concurrent requests on the same basket all succeeded, creating 20 duplicate orders from a single item.

Medium Severity Findings (CVSS 4.3-8.1)

#11IDOR on Basket ReadMediumCWE-639CVSS 8.1

Any user can read other users' baskets via GET /rest/basket/{id}. No ownership verification.

#12IDOR on Feedback DeletionMediumCWE-639CVSS 8.1

Any user can delete other users' feedback via DELETE /api/Feedbacks/{id}. No ownership check.

#13IDOR on Basket CheckoutMediumCWE-639CVSS 6.5

Any user can checkout other users' baskets via POST /rest/basket/{id}/checkout.

#14BFLA on User ListingMediumCWE-639CVSS 6.5

Regular users can list all users including admin emails via GET /api/Users. Broken Function Level Authorization.

#15IDOR on User Profile AccessMediumCWE-639CVSS 6.5

Any user can access other user profiles via GET /api/Users/{id}.

#16IDOR on Basket Item DeletionMediumCWE-639CVSS 6.5

No ownership check on basket item deletion via DELETE /api/BasketItems/{id}.

#17Negative Basket Quantity CheckoutMediumCWE-20CVSS 6.5

Negative quantities accepted, resulting in negative order totals. No server-side validation.

#18IDOR on Complaints ReadMediumCWE-639CVSS 4.3

Any user can read all complaints via GET /api/Complaints.

#19BFLA on Inventory AccessMediumCWE-639CVSS 4.3

Inventory data accessible to customers via GET /api/Quantitys.

#20Unauthenticated Review SubmissionMediumCWE-306CVSS 5.3

Reviews accepted without authentication via PUT /rest/products/{id}/reviews.

#21Mass Assignment in Recycle APIMediumCWE-915CVSS 4.3

POST /api/Recycles accepts UserId, negative quantities, and arbitrary IDs via mass assignment.

#22Zero-Quantity Basket CheckoutMediumCWE-20CVSS 4.3

Checkout succeeds with 0 items in basket. No validation for minimum basket contents.

#23Verbose Error MessagesMediumCWE-209CVSS 5.3

Stack traces leak filesystem paths, Express/SQLite versions in error responses.

#24Prometheus Metrics and Swagger UI ExposureMediumCWE-200CVSS 5.3

/metrics and /api-docs/ endpoints publicly accessible without authentication.

#25JWT Contains Password HashMediumCWE-522CVSS 7.5

MD5 password hash and TOTP secret embedded in JWT payload. Token leakage exposes credential material.

#26Exposed /ftp/ DirectoryMediumCWE-538CVSS 5.3

Confidential business documents publicly served via GET /ftp/ directory listing.

Tested and Confirmed Safe

SSRF — Profile image URLs stored but not fetched server-side (OAST confirmed via interactsh)
XXE — B2B v2 orders does not parse XML body in v20.1.1
RCE — No command injection vectors found
SSTI — Track-order character stripping is not template evaluation
Path Traversal — Express normalizes /ftp/../../../../etc/passwd paths
Source Maps — Not exposed

Methodology

Engagement Type: Black-box testing (no source code access) | Scope: http://host.docker.internal:3000 (OWASP Juice Shop v20.1.1) | Frameworks: OWASP WSTG, PTES, OSSTMM

Phase 1 — Reconnaissance and Attack Surface Mapping

Phase 2 — Systematic Vulnerability Testing

Seven specialized testing agents were deployed in parallel, each focusing on a specific vulnerability class:

SQL Injection

Login, search, basket, product endpoints. Manual payload crafting + sqlmap. Error-based, boolean-based, and UNION-based injection.

Authentication and JWT

Login bypass, token forgery, algorithm confusion, password hashing. JWT manipulation with jwt_tool and custom scripts.

IDOR and Access Control

Basket, user, admin, feedback, complaint endpoints. Ownership and role verification testing.

XSS

Search, reviews, feedback, chatbot, file upload, DOM analysis. Browser-based verification via agent-browser.

Path Traversal and Info Disclosure

FTP directory, sensitive files, error messages, metrics. Null byte encoding bypass testing.

Business Logic and Race Conditions

Basket manipulation, checkout, reviews, recycle, concurrency. Async testing with asyncio/aiohttp.

SSRF and Server-Side

Profile image, B2B orders, XML parsing, command injection, SSTI. OAST via interactsh for blind confirmation.

Tools Used

curl sqlmap jwt_tool Python (asyncio/aiohttp) agent-browser interactsh-client custom exploit scripts

Systemic Root Causes

1. No SQL parameterization — raw query construction throughout the API
2. Outdated JWT library (express-jwt 0.1.3) with known algorithm confusion vulnerabilities
3. No field whitelisting on POST/PUT endpoints — mass assignment across registration, recycle, and other APIs
4. No ownership verification on IDOR-prone endpoints — basket ID from URL, not from JWT
5. bypassSecurityTrustHtml() used unsafely in 9 locations in the Angular frontend
6. No concurrency controls on state-changing operations
7. Weak password hashing (unsalted MD5)
8. No authentication on admin configuration and metrics endpoints

Recommendations

Immediate Fix within 24 hours

  1. Parameterize all SQL queries. Replace raw SQL string concatenation in /rest/user/login and /rest/products/search with Sequelize parameter binding. Eliminates login bypass and UNION-based extraction.
  2. Upgrade express-jwt and jsonwebtoken. Upgrade to express-jwt 8.x+ and jsonwebtoken 9.x+. Pin algorithms: ['RS256'] to prevent alg=none and RS256 to HS256 confusion. Remove public key from /encryptionkeys/jwt.pub.
  3. Implement field whitelisting on POST /api/Users. Only accept email, password, passwordRepeat. Set role server-side to "customer" exclusively. Apply to all POST/PUT endpoints.
  4. Remove sensitive files from /ftp/. Remove KeePass database, Python bytecode, package.json.bak, encrypted files. Reject null bytes after full URL decoding. Validate extensions post-decode.
  5. Add authentication middleware to all /rest/admin/* endpoints. Configuration and version endpoints must require admin auth.

Short-Term Fix within 1 week

  1. Fix IDOR on basket endpoints. Derive basket ID from JWT bid claim, not URL parameter. Apply ownership checks to GET /rest/basket/{id}, POST /rest/basket/{id}/checkout, DELETE /api/BasketItems/{id}.
  2. Add role-based authorization. Restrict /api/Users, /api/Users/{id}, /api/Complaints, /api/Quantitys to admin only. Add ownership verification to DELETE /api/Feedbacks/{id}.
  3. Fix XSS. Remove bypassSecurityTrustHtml() from search component. Use Angular text interpolation. Sanitize reviews server-side. Replace document.write() in data export with textContent.
  4. Add concurrency controls to checkout. Implement basket state machine (open to checked_out) with database-level locking (SELECT FOR UPDATE or optimistic concurrency).
  5. Migrate password hashing. Move from unsalted MD5 to bcrypt or Argon2. Remove password hashes and TOTP secrets from JWT payloads.
  6. Add server-side quantity validation. Reject negative and zero quantities. Require at least 1 item with quantity > 0 before checkout.
  7. Require auth on reviews. Add authentication to PUT /rest/products/{id}/reviews. Field allowlisting on POST /api/Recycles.

Medium-Term Fix within 1 month

  1. Suppress verbose errors. Set NODE_ENV=production. Generic error handlers that suppress stack traces, file paths, framework versions, SQL errors.
  2. Protect /metrics and /api-docs/. Require authentication or restrict to internal network ranges.
  3. Implement security headers. CSP, Strict-Transport-Security, Referrer-Policy. X-Content-Type-Options already present.
  4. Audit all 9 bypassSecurityTrustHtml() calls. Remove or replace each with safe alternatives unless documented business need exists.
  5. Rate limiting on auth endpoints. Login, registration, password reset to mitigate brute-force attacks.

Retest and Validation


Strix v1.0.4 | GLM-5.2 (753B MoE) via ollama-cloud | 7 parallel agent streams | Black-box assessment
OWASP Juice Shop v20.1.1 | 2026-06-30