Security Assessment Report
GG Advanced IT Security  ·  ggsec.de
SAST 0.1s DAST 12.5s 11 requests 4 confirmed vulns 0 likely 3 SAST targets GGSec Cortex v0.8a Alpha
F
Security
Rating

Overview

4
Confirmed Vulns
0
Likely (review)
💀
1
Critical SAST
🔥
1
High SAST
💻
0
RCE
🗃
1
SQLi
0
XSS
🌐
0
SSRF
📄
0
XXE
🎭
1
CSRF
📡
0
JSONP
🔓
0
Auth Bypass
📤
11
Total Requests
Confirmed vulns by sink type DAST
SSTI: 7 NOSQL_INJECTION: 3 CSRF: 1 11 total
SSTI7
NOSQL_INJECTION3
CSRF1
SAST impact distribution SAST
RCE
2
SESSION_THEFT
1
DAST hit rate by sink DAST
SSTI
7/7
NOSQL_INJECTION
3/3
CSRF
1/1

Exploitation Paths — how the vulnerabilities combine

Goal: remote code execution  ·  Chain Severity 10.0 (worst single bug 9.8)
unauth attacker NOSQL_INJECTIONfilter SSTIbody remote code execution
Unauthenticated attacker → 1. extract data / bypass auth via NOSQL_INJECTION on 'filter' (CWE-943) → 2. execute code via SSTI on 'body' (CWE-1336) ⇒ remote code execution.
Timeline
22:18:41   attack started (unauthenticated)
22:18:41.929   Execute code — SSTI body
22:18:54.101   Extract data / bypass auth — NOSQL_INJECTION filter
  attack chain completed ⇒ remote code execution
Goal: remote code execution  ·  Chain Severity 10.0 (worst single bug 9.8)
unauth attacker SSTIbody NOSQL_INJECTIONfilter remote code execution
Unauthenticated attacker → 1. execute code via SSTI on 'body' (CWE-1336) → 2. extract data / bypass auth via NOSQL_INJECTION on 'filter' (CWE-943) ⇒ remote code execution.
Timeline
22:18:41   attack started (unauthenticated)
22:18:41.929   Execute code — SSTI body
22:18:54.101   Extract data / bypass auth — NOSQL_INJECTION filter
  attack chain completed ⇒ remote code execution
Goal: remote code execution  ·  Chain Severity 10.0 (worst single bug 9.8)
unauth attacker SSTIbody SSTIbody remote code execution
Unauthenticated attacker → 1. execute code via SSTI on 'body' (CWE-1336) → 2. execute code via SSTI on 'body' (CWE-1336) ⇒ remote code execution.
Timeline
22:18:41   attack started (unauthenticated)
22:18:41.929   Execute code — SSTI body
22:18:54.144   Execute code — SSTI body
  attack chain completed ⇒ remote code execution
Goal: remote code execution  ·  Chain Severity 10.0 (worst single bug 9.8)
unauth attacker SSTIbody CSRFaction remote code execution
Unauthenticated attacker → 1. execute code via SSTI on 'body' (CWE-1336) → 2. force a victim action via CSRF on 'action' (CWE-352) ⇒ remote code execution.
Timeline
22:18:41   attack started (unauthenticated)
22:18:41.929   Execute code — SSTI body
22:18:54.109   Force a victim action — CSRF action
  attack chain completed ⇒ remote code execution
Goal: remote code execution  ·  Chain Severity 10.0 (worst single bug 9.8)
unauth attacker CSRFaction SSTIbody remote code execution
Unauthenticated attacker → 1. force a victim action via CSRF on 'action' (CWE-352) → 2. execute code via SSTI on 'body' (CWE-1336) ⇒ remote code execution.
Timeline
22:18:41   attack started (unauthenticated)
22:18:41.929   Execute code — SSTI body
22:18:54.109   Force a victim action — CSRF action
  attack chain completed ⇒ remote code execution
Goal: remote code execution  ·  Chain Severity 10.0 (worst single bug 9.8)
unauth attacker NOSQL_INJECTIONfilter CSRFaction SSTIbody remote code execution
Unauthenticated attacker → 1. extract data / bypass auth via NOSQL_INJECTION on 'filter' (CWE-943) → 2. force a victim action via CSRF on 'action' (CWE-352) → 3. execute code via SSTI on 'body' (CWE-1336) ⇒ remote code execution.
Timeline
22:18:41   attack started (unauthenticated)
22:18:41.929   Execute code — SSTI body
22:18:54.101   Extract data / bypass auth — NOSQL_INJECTION filter
22:18:54.109   Force a victim action — CSRF action
  attack chain completed ⇒ remote code execution
Goal: remote code execution  ·  Chain Severity 10.0 (worst single bug 9.8)
unauth attacker CSRFaction NOSQL_INJECTIONfilter SSTIbody remote code execution
Unauthenticated attacker → 1. force a victim action via CSRF on 'action' (CWE-352) → 2. extract data / bypass auth via NOSQL_INJECTION on 'filter' (CWE-943) → 3. execute code via SSTI on 'body' (CWE-1336) ⇒ remote code execution.
Timeline
22:18:41   attack started (unauthenticated)
22:18:41.929   Execute code — SSTI body
22:18:54.101   Extract data / bypass auth — NOSQL_INJECTION filter
22:18:54.109   Force a victim action — CSRF action
  attack chain completed ⇒ remote code execution

SAST — Attack Surface

#ParameterSinkRiskCVSSConfidenceExploit.ImpactLocation
1 body 🔍 SSTI Critical 9.8 CRITICAL Confirmed Chained RCE POST JSON body (php://input) at /save
2 filter 🔍 NOSQL_INJECTION High 9.8 CRITICAL High Direct RCE POST JSON body (php://input) at /save
3 action 🎭 CSRF Medium 8.1 HIGH Confirmed Direct SESSION_THEFT GET query string

DAST — Vulnerability Details

🔍 9.8 CRITICAL Critical SSTI body POST JSON body (php://input) at /save 7/7 hits
Flow
User-supplied 'body' field from JSON POST to /save is written verbatim to /tmp/ggsec_templates/user_1.txt. When GET ?action=admin_render is requested, the file content is read back and preg_replace_callback matches {{...}} patterns, passing the inner expression to eval('return ' . $m[1] . ';'). This is a second-order SSTI that escalates to full RCE.
Attack Chain
Step 1: POST /save with JSON body containing malicious template in 'body'. Step 2: GET ?action=admin_render to trigger eval() on the stored template, producing RCE output in 'rendered_output'.
Impact
RCE — Chained
CWE / CVSS
CWE-1336 Server-Side Template Injection  ·  CVSS 9.8 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidence & Evidence
87%High confidenceEvidence score 87/100
  • ✔ Confirmed (strong signal)
  • ✔ Direct detection (indicator)
  • ✔ Expected indicator reflected
  • ✔ Reproduced by 7 payload(s)
  • ✔ Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'template_engine.php/save' --data 'JSONBODY:{"body":"{{phpinfo()}}","filter":""}'
Evidence (live response):
{"status":"template_saved"}
Remediation
Never build templates from user input — pass user data as bound variables to a sandboxed engine.
  • Keep templates static; render user data through the engine's context/variables, never concatenate it into the template source.
  • Enable the engine's sandbox/auto-escape (e.g. Jinja2 SandboxedEnvironment, Twig sandbox) and disable dangerous tags/functions.
  • Validate/allowlist any value that must influence template selection.
Refs: CWE-1336 · OWASP: Server-Side Template Injection
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN POST template_engine.php/save
JSONBODY:{"body":"ggsec{{7*7}}","filter":""}
200 21ms indicator
⚠ VULN POST template_engine.php/save
JSONBODY:{"body":"{{system('id')}}","filter":""}
200 20ms indicator
⚠ VULN POST template_engine.php/save
JSONBODY:{"body":"{{system('cat /etc/passwd')}}","filter":""}
200 20ms indicator
⚠ VULN POST template_engine.php/save
JSONBODY:{"body":"{{phpinfo()}}","filter":""}
200 2ms indicator
⚠ VULN POST template_engine.php/save
JSONBODY:{"body":"{{file_get_contents('/etc/passwd')}}","filter":""}
200 21ms indicator
⚠ VULN GET (2nd-order) template_engine.php?action=admin_render
trigger_render
200 15ms ssti-second-order
⚠ VULN GET (2nd-order) template_engine.php?action=admin_render
trigger_render_rce
200 8ms ssti-rce-eval
🔍 9.8 CRITICAL High NOSQL_INJECTION filter POST JSON body (php://input) at /save 3/3 hits
Flow
The 'filter' field from the JSON-decoded request body is checked with is_array($filter) && isset($filter['$where']). If the attacker sends a JSON object with a '$where' key, the server enters the branch that simulates a NoSQL $where evaluation (sleep(4)). In a real MongoDB deployment, the $where operator evaluates arbitrary JavaScript server-side, enabling data exfiltration or DoS. The sink is blind (no data echoed), so detection is time-based.
Attack Chain
POST /save with JSON body containing filter:{"$where":"<JS payload>"}. The server enters the $where branch. In real MongoDB this executes arbitrary JS; here the 4-second sleep confirms the sink is reached.
Impact
RCE — Direct
CWE / CVSS
CWE-943 Improper Neutralization of Data in a Query (NoSQL)  ·  CVSS 9.8 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidence & Evidence
64%Medium confidenceEvidence score 64/100
  • ✔ Confirmed (strong signal)
  • ~ Inferred from timing / HTTP 500 (no direct echo)
  • ✔ Reproduced by 3 payload(s)
  • ✔ Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://localhost/template_engine.php/save' --data 'JSONBODY:{"body":"","filter":{"$where":"1==1"}}'
Evidence (live response):
{"status":"template_saved"}
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN POST http://localhost/template_engine.php/save
JSONBODY:{"body":"","filter":{"$where":"var s=Date.now();while(Date.now()-s<5000){};return true;"}}
200 4054ms nosql-time-based
⚠ VULN POST http://localhost/template_engine.php/save
JSONBODY:{"body":"","filter":{"$where":"sleep(5000)"}}
200 4054ms nosql-time-based
⚠ VULN POST http://localhost/template_engine.php/save
JSONBODY:{"body":"","filter":{"$where":"1==1"}}
200 4054ms nosql-time-based
🎭 8.1 HIGH Medium CSRF action GET query string 1/1 hits
Flow
The login action (?action=login) is a state-changing operation (sets $_SESSION['user'] and $_SESSION['role']) accessible via GET with no CSRF token, no referer/origin check. An attacker can force a victim's browser to visit a URL that logs them into the attacker's account (login CSRF / session fixation variant).
Attack Chain
Attacker crafts <img src='https://target/?action=login'> on a malicious page. Victim's browser sends the GET, setting their session to user_1/user role. Combined with the SSTI chain, an attacker could plant a malicious template under the victim's session.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-352 Cross-Site Request Forgery  ·  CVSS 8.1 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • ✔ Confirmed (strong signal)
  • ✔ Direct detection (csrf-no-token)
  • ✔ Stable 2xx response
Proof of Concept
Reproduce:
curl -i '/?action=login'
Evidence (live response):
<!DOCTYPE html> <html> <head><title>GGSec Test Server</title></head> <body> <h1>GGSec Scanner Test Environment</h1> <ul>     <li><a href="/login2.php">Login Test</a></li>     <li><a href="/profile.php">Profile Test</a></li>     <li><a href="/deserialize_test.php?data=Tzo0OiJVc2Vy…
Remediation
Require an anti-CSRF token on state-changing requests and use SameSite cookies.
  • Add per-session/per-request CSRF tokens to all state-changing forms and verify them server-side.
  • Set SameSite=Lax/Strict on session cookies; verify Origin/Referer for sensitive actions.
  • Never perform state changes via GET.
Refs: CWE-352 · OWASP: CSRF Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET /?action=login
/?action=login
200 3ms csrf-no-token

Security Headers

HeaderStatusRiskRecommendation
Content-Security-Policy ✗ MISSING HIGH Prevents XSS/injection. Use nonce or strict-dynamic.
X-Frame-Options ✗ MISSING MEDIUM Prevents clickjacking. Use DENY or SAMEORIGIN.
X-Content-Type-Options ✗ MISSING LOW Prevents MIME sniffing. Set to nosniff.
Strict-Transport-Security ✗ MISSING MEDIUM Enforces HTTPS. min-age=31536000; includeSubDomains.
Referrer-Policy ✗ MISSING LOW Limits referrer leakage. strict-origin-when-cross-origin.
Permissions-Policy ✗ MISSING LOW Restrict unused browser features (camera, mic, geo).