/* global React, I, FINDINGS */ const { useState: useStateE } = React; // ============ Suppressed (CIPHER noise) ============ function Suppressed() { const ROWS = [ { cat:'baseline-tls', count:204, src:'ZAP', reason:'matches customer-stack TLS profile (HSTS preload, ALPN h2)' }, { cat:'header.x-powered-by', count:188, src:'ZAP+Burp',reason:'ubiquitous · low-signal · already in remediation backlog' }, { cat:'cookie.samesite', count:97, src:'ZAP', reason:'set at edge · suppressed for non-auth domains' }, { cat:'cors.wildcard.preflight',count:71, src:'Burp', reason:'OPTIONS reflection · auth required on actual verb' }, { cat:'cve.match.outdated.lib',count:62, src:'Nuclei', reason:'lib pinned in vendor.dd92.js · not exploitable in shipped path' }, { cat:'directory.listing.assets',count:48,src:'ffuf', reason:'static asset bucket · public by design' }, { cat:'verbose.error.404', count:42, src:'Burp', reason:'low-signal · framework default page' }, { cat:'sni.mismatch', count:38, src:'Nuclei', reason:'cloudflare edge artefact · not customer-controlled' }, { cat:'csp.report-only', count:24, src:'ZAP', reason:'report-only header · not enforced — informational' }, { cat:'http.options.allowed', count:22, src:'Nuclei', reason:'CORS-required behaviour' }, { cat:'banner.disclosure.nginx',count:18, src:'Nuclei', reason:'edge banner · suppressed across cloudflare estate' }, { cat:'duplicate.idor.candidate',count:14,src:'CIPHER', reason:'collapsed into F-0040 · same root cause' }, ]; return ( <>

CIPHER · WEBSuppressed

812 events suppressed across 12 categories — each suppression is reviewable and reversible

categorycountsourcereasonaction

{ROWS.map((r,i)=>(

{r.cat} {r.count} {r.src} {r.reason} restore

))}

); } // ============ Logic candidates ============ function LogicCandidates({ openFinding }) { const items = FINDINGS.filter(f => f.logic); const more = [ { id:'F-0029', sev:'med', title:'Coupon stacking — 2 sequential redemptions accepted', target:'/api/v2/checkout/coupon', src:'CIPHER', conf:0.71, age:'2h', logic:true }, { id:'F-0028', sev:'med', title:'Refund ≥ original total (negative balance)', target:'/api/v2/orders/{id}/refund', src:'CIPHER', conf:0.66, age:'2h', logic:true }, { id:'F-0027', sev:'high', title:'2FA enrolment skip via X-Skip-MFA header', target:'/auth/2fa/enrol', src:'Burp+CIPHER', conf:0.81, age:'3h', logic:true, cipher:true }, { id:'F-0026', sev:'med', title:'Race in /api/v2/me/email — second token clobbers first', target:'/api/v2/me/email', src:'CIPHER', conf:0.62, age:'4h', logic:true }, ]; const all = [...items, ...more]; return ( <>

CIPHER · WEBLogic candidates

surfaced by CIPHER — patterns scanner heuristics deprioritise · need Track B reviewer eyes

SEVFINDINGTARGETSOURCECONFAGE

{all.map(f => (

openFinding(f.id)}> {f.sev} LOGIC{f.title} {f.target} {f.src}

{(f.conf*100).toFixed(0)}% {f.age}

))}

); } // ============ Evidence vault ============ function EvidenceVault() { const PACKS = [ { id:'evx-0042', f:'F-0042', size:'4.2mb', items:'req · resp · har · macro · video', sealed:'04:18:22', op:'r.shibata' }, { id:'evx-0041', f:'F-0041', size:'2.8mb', items:'req · resp · sqlmap dump · har', sealed:'04:11:08', op:'r.shibata' }, { id:'evx-0040', f:'F-0040', size:'1.4mb', items:'req · resp · har', sealed:'04:08:14', op:'k.okafor' }, { id:'evx-0039', f:'F-0039', size:'612kb', items:'token · forged · jwt_tool log', sealed:'03:56:01', op:'k.okafor' }, { id:'evx-0038', f:'F-0038', size:'2.1mb', items:'req · resp · har · video', sealed:'03:47:33', op:'r.shibata' }, { id:'evx-0037', f:'F-0037', size:'88kb', items:'introspection sdl · req', sealed:'03:40:18', op:'k.okafor' }, ]; return ( <>

VAULTEvidence vault

hardware-backed · sealed per finding · auto-purge per ROE retention policy

vault idfindingsizecontainsoperatorsealed
{PACKS.map(p => (
{p.id} {p.f} {p.size} {p.items} {p.op} {p.sealed}
))}

); } // ============ Report draft ============ function ReportDraft() { return ( <>

DELIVERABLEReport draft

v0.4 · auto-assembled from validated findings · last regenerated 2m ago

SECTIONS

{[ ['1. Executive summary', 'auto · CIPHER', 'ready'], ['2. Engagement scope', 'manual · validated','ready'], ['3. Methodology · Track A/B', 'template', 'ready'], ['4. Findings · critical (2)', 'manual', 'ready'], ['5. Findings · high (4)', 'manual', 'ready'], ['6. Findings · medium (3)', 'manual', 'in review'], ['7. Findings · low/info (3)', 'auto', 'in review'], ['8. Logic candidates appendix', 'manual', 'draft'], ['9. Suppressed (audit appendix)','auto', 'pending'], ['10. Remediation prioritised', 'CIPHER · reviewed', 'in review'], ['11. Retest plan', 'manual', 'pending'], ].map((r,i)=>(
{r[0]} {r[1]} {r[2]}
))}

EXECUTIVE SUMMARY · DRAFT

Across the two-week engagement on shop.merid.example.com, Authify Labs identified 2 critical, 4 high, and 3 medium exploitable issues, plus 9 business-logic candidates surfaced by CIPHER that scanner heuristics deprioritised.

The most material exposure is an authentication bypass on the admin sub-router (F-0042), reachable from a low-privilege member account by adding an internal-network X-Forwarded-For header on the staging tier. The same pattern enables a privilege-escalation chain to superadmin and to long-lived API tokens.

Two parallel issues — IDOR on order detail (F-0040) and JWT alg=none acceptance on the staging issuer (F-0039) — compound the blast radius if F-0042 is exploited at scale.

The remediation section prioritises the edge-trust fix first; everything else can be sequenced behind it.

CLIENT GATEWAY · PREVIEW
view as client ↗

{[['CRITICAL',2,'var(--accent)'],['HIGH',4,'var(--high)'],['MEDIUM',3,'var(--warn)'],['LOW/INFO',3,'var(--text-1)']].map((c,i)=>(

{c[0]}

{c[1]}

findings ready for client

))}

); } window.Suppressed = Suppressed; window.LogicCandidates = LogicCandidates; window.EvidenceVault = EvidenceVault; window.ReportDraft = ReportDraft;