Pentest Mobile Pentest

FINDING-001 — [Mobile DAST] Dangerous permissions: android.permission.ACCESS_FINE_LOCATION, android.permission.READ_EXTERNAL_STORAGE, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.ACCESS_COARSE_LOCATION

android.permission.READ_EXTERNAL_STORAGE; android.permission.WRITE_EXTERNAL_STORAGE; android.permission.ACCESS_FINE_LOCATION; android.permission.ACCESS_COARSE_LOCATION

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com"

Potential unauthorized access or data exposure.

Audit AndroidManifest.xml and confirm each permission is required by actual app functionality. Remove any unused permissions. For ACCESS_FINE_LOCATION, downgrade to ACCESS_COARSE_LOCATION if precise GPS is not needed. Replace READ/WRITE_EXTERNAL_STORAGE with scoped storage APIs (MediaStore or SAF) as these are deprecated since API 30. Add <uses-permission> with android:maxSdkVersion where applicable.

FINDING-002 — [Mobile DAST] No Network Security Config — certificate pinning absent

issue=NetworkSecurityConfig not specified

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com"

Potential unauthorized access or data exposure.

Add a network_security_config.xml in res/xml and reference it in AndroidManifest.xml via android:networkSecurityConfig. Configure certificate pinning for all first-party API domains (at minimum api.apps.v2.altros-tech.com) with pin-set including a backup pin. Set cleartextTrafficPermitted=false. Example: <domain-config cleartextTrafficPermitted="false"><domain includeSubdomains="true">api.apps.v2.altros-tech.com</domain><pin-set><pin digest="SHA-256">BASE64_HASH</pin><pin digest="SHA-256">BACKUP_PIN</pin></pin-set></domain-config>.

FINDING-009 — [Mobile DAST] Missing security headers (7): HSTS (Strict-Transport-Security), X-Content-Type-Options, X-Frame-Options, Content-Security-Policy...

url=https://api.apps.v2.altros-tech.com

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com"

Potential unauthorized access or data exposure.

Configure nginx (or upstream reverse proxy) to add the following response headers on api.apps.v2.altros-tech.com: (1) Strict-Transport-Security: max-age=31536000; includeSubDomains — enforce HTTPS. (2) X-Content-Type-Options: nosniff — prevent MIME sniffing. (3) X-Frame-Options: DENY — prevent clickjacking (unless API responses are intentionally framed). (4) Content-Security-Policy: default-src 'none' — restrictive CSP appropriate for a JSON API. (5) Permissions-Policy: geolocation=(), camera=(), microphone=() — restrict browser features. (6) Referrer-Policy: strict-origin-when-cross-origin. (7) Cache-Control: no-store — for sensitive API responses. Add these in the nginx server block: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

FINDING-010 — [Mobile DAST] Environment config (credentials, DB passwords): https://api.apps.v2.altros-tech.com/.env (HTTP 403)

path=/.env; status=403; preview=<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chr; url=https://api.apps.v2.altros-tech.com/.env

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/.env"

Potential unauthorized access or data exposure.

Immediate: Verify whether a .env file exists on disk at the web root. If it does, move it outside the web root or delete it from the server entirely (credentials should be in environment variables or a secrets manager, not in deployed files). Configure nginx to return 404 for all dot-files: location ~ /\. { return 404; }. This eliminates the information leak from 403-vs-404 differentiation. Long term: Audit deployment pipeline to ensure .env files are never copied to production web roots.

FINDING-011 — [Mobile DAST] Git repository exposed: https://api.apps.v2.altros-tech.com/.git/config (HTTP 403)

path=/.git/config; status=403; preview=<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chr; url=https://api.apps.v2.altros-tech.com/.git/config

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/.git/config"

Potential unauthorized access or data exposure.

Remove the .git directory entirely from the web root, or if that is not feasible, add a blanket deny rule in nginx: `location ~ /\.git { deny all; return 404; }`. Returning 404 instead of 403 avoids confirming the path exists. Verify no other dotfiles/.env are similarly exposed.

FINDING-012 — [Mobile DAST] Laravel Horizon queue dashboard: https://api.apps.v2.altros-tech.com/horizon (HTTP 401)

path=/horizon; status=401; preview=<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.24.0 (Ubuntu)</center>
</body>
</html>
<!-- a paddi; url=https://api.apps.v2.altros-tech.com/horizon

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/horizon"

Potential unauthorized access or data exposure.

No immediate action required — authentication is enforced. As hardening measures: (1) restrict /horizon access by IP (e.g., allow only internal/VPN ranges in nginx), (2) ensure Horizon's HorizonServiceProvider gate() method restricts to authorized users only, (3) consider returning 404 instead of 401 to avoid endpoint discovery. Verify that Horizon auth cannot be brute-forced (rate limiting, strong credentials).

FINDING-014 — [Mobile DAST] Directory listing enabled on https://api.apps.v2.altros-tech.com/storage/ — 34 subdirs, 25719+ files exposed

path=/storage/; url=https://api.apps.v2.altros-tech.com/storage/; subdirs=34; total_files=25719

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/"

Potential unauthorized access or data exposure.

IMMEDIATE ACTION REQUIRED: (1) Disable directory listing in nginx: remove `autoindex on;` or add `autoindex off;` in the location block for /storage/. (2) Block direct public access to the storage directory entirely: `location /storage/ { deny all; return 404; }` or restrict to authenticated requests only. (3) Move sensitive files out of the web root to a non-publicly-accessible path and serve them through an application-level controller with proper authorization checks. (4) Audit access logs for the /storage/ path to determine if data has already been exfiltrated. (5) Consider moving file storage to a private S3 bucket or equivalent with pre-signed URL access.

FINDING-015 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/altros_certificate_file/ (39 files)

path=/storage/altros_certificate_file/; file_count=39; url=https://api.apps.v2.altros-tech.com/storage/altros_certificate_file/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/altros_certificate_file/"

Potential unauthorized access or data exposure.

Same remediation as finding 3 (root cause). Additionally: (1) Identify what certificate files are exposed — if they contain private keys, TLS certs, or customer identity documents, initiate incident response. (2) Rotate or revoke any exposed cryptographic certificates. (3) Notify affected parties if these are customer-facing certificates or identity documents. (4) Restrict this path immediately: `location /storage/altros_certificate_file/ { deny all; }` as a stopgap while the broader /storage/ fix is deployed.

FINDING-016 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/altros_certificate_image/ (39 files)

path=/storage/altros_certificate_image/; file_count=39; url=https://api.apps.v2.altros-tech.com/storage/altros_certificate_image/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/altros_certificate_image/"

Potential unauthorized access or data exposure.

Same remediation as finding 3 (root cause). Additionally: (1) Determine if certificate images contain PII (scanned IDs, notarized documents, etc.). (2) If customer PII is involved, assess data breach notification obligations under applicable regulations (GDPR, local data protection laws). (3) Apply immediate deny rule for this path as a stopgap.

FINDING-017 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/altros_document_pipeline/ (5024 files)

path=/storage/altros_document_pipeline/; file_count=5024; url=https://api.apps.v2.altros-tech.com/storage/altros_document_pipeline/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/altros_document_pipeline/"

Potential unauthorized access or data exposure.

Same remediation as finding 3 (root cause). Additionally: (1) Audit what document types exist in the pipeline directory — contracts, invoices, internal reports, customer submissions. (2) With 5024 files, automated exfiltration is trivial; check access logs for bulk download patterns. (3) If these are in-process documents, they may contain unredacted sensitive data that would normally go through review before external sharing.

FINDING-018 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/backup_unit/ (110 files)

path=/storage/backup_unit/; file_count=110; url=https://api.apps.v2.altros-tech.com/storage/backup_unit/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/backup_unit/"

Potential unauthorized access or data exposure.

Same remediation as finding 3 (root cause). HIGHEST URGENCY AMONG ALL FINDINGS for incident response: (1) Determine what is being backed up — if these are database dumps, application backups, or configuration backups, they likely contain credentials, API keys, and full data exports. (2) Rotate ALL credentials, API keys, and secrets that could be contained in any backup file. (3) Check if backup files contain database exports (.sql, .dump) which would expose the entire application dataset. (4) Apply immediate deny rule as stopgap.

FINDING-019 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/claims/ (7290 files)

path=/storage/claims/; file_count=7290; url=https://api.apps.v2.altros-tech.com/storage/claims/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/claims/"

Potential unauthorized access or data exposure.

Same remediation as finding 3 (root cause). Additionally: (1) Claims data is almost certainly protected under insurance/financial regulations — engage legal and compliance teams immediately. (2) With 7,290 files, this is the largest sensitive data exposure by count. (3) Determine if any claim documents contain health information (HIPAA), financial records, or PII, which would trigger specific breach notification requirements. (4) Preserve access logs for forensic analysis and potential regulatory reporting.

FINDING-020 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/customer/ (519 files)

path=/storage/customer/; file_count=519; url=https://api.apps.v2.altros-tech.com/storage/customer/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/customer/"

Potential unauthorized access or data exposure.

Same remediation as finding 3 (root cause). Additionally: (1) Customer data exposure is a direct PII breach — identify what customer information is in these files (IDs, contracts, personal documents). (2) Assess breach notification obligations under GDPR, CCPA, or applicable local regulations. (3) Prepare customer notification if required. (4) Apply immediate deny rule as stopgap.

FINDING-021 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/customer_document_pipeline/ (249 files)

path=/storage/customer_document_pipeline/; file_count=249; url=https://api.apps.v2.altros-tech.com/storage/customer_document_pipeline/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/customer_document_pipeline/"

Potential unauthorized access or data exposure.

1) Disable directory listing on the web server (Apache: `Options -Indexes`; Nginx: `autoindex off;`). 2) Move the `/storage/` directory outside the web root or block access via server config (`deny all` / `return 403`). 3) Serve files only through an authenticated application route that enforces authorization checks (e.g., a controller that validates the user owns the document before streaming it). 4) Audit access logs for bulk enumeration or exfiltration of these 249 files. 5) If this is a Laravel app, ensure `php artisan storage:link` only exposes the `public` disk, not sensitive subdirectories.

FINDING-022 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/delivery_order_file/ (1106 files)

path=/storage/delivery_order_file/; file_count=1106; url=https://api.apps.v2.altros-tech.com/storage/delivery_order_file/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/delivery_order_file/"

Potential unauthorized access or data exposure.

1) Immediately block public access to `/storage/delivery_order_file/` at the web server level. 2) Disable directory listing server-wide. 3) Route all file access through an authenticated, authorized application endpoint. 4) Audit access logs — 1106 files is a large dataset; check for signs of prior bulk download. 5) Rotate or regenerate any files that contain sensitive order data, customer addresses, or financial information.

FINDING-023 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/distribute_document_pipeline/ (150 files)

path=/storage/distribute_document_pipeline/; file_count=150; url=https://api.apps.v2.altros-tech.com/storage/distribute_document_pipeline/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/distribute_document_pipeline/"

Potential unauthorized access or data exposure.

1) Block public access to `/storage/distribute_document_pipeline/` via web server config. 2) Disable directory indexing. 3) Gate all document access behind authenticated application logic with per-document authorization. 4) Review the document distribution pipeline to ensure generated/staged files are not placed in publicly accessible paths.

FINDING-024 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/draf_claim/ (247 files)

path=/storage/draf_claim/; file_count=247; url=https://api.apps.v2.altros-tech.com/storage/draf_claim/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/draf_claim/"

Potential unauthorized access or data exposure.

1) Block access to `/storage/draf_claim/` immediately. 2) After remediation, consider consolidating contents into `/storage/draft_claim/` (Finding 4) and removing the misspelled directory to reduce attack surface. 3) Apply the same server-level access controls as all other `/storage/` subdirectories.

FINDING-025 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/draft_claim/ (3572 files)

path=/storage/draft_claim/; file_count=3572; url=https://api.apps.v2.altros-tech.com/storage/draft_claim/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/draft_claim/"

Potential unauthorized access or data exposure.

1) Highest priority — block access to `/storage/draft_claim/` immediately; this is the largest single exposure (3572 files). 2) Disable directory listing server-wide. 3) Audit access logs for evidence of bulk scraping or enumeration against this path. 4) Implement application-level access control so only the claim owner/handler can access their draft. 5) Consider moving draft storage to a non-web-accessible backend (e.g., S3 with signed URLs, or a path outside the document root).

FINDING-026 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/exports/ (0 files)

path=/storage/exports/; file_count=0; url=https://api.apps.v2.altros-tech.com/storage/exports/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/exports/"

Potential unauthorized access or data exposure.

1) Block public access to `/storage/exports/` — even though currently empty, exports are often generated on-demand and could contain bulk data dumps (CSV/Excel reports, user lists, financial summaries). 2) Disable directory listing. 3) Ensure export files are written to a non-web-accessible path or are auto-purged after download.

FINDING-027 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/installation_document/ (2 files)

path=/storage/installation_document/; file_count=2; url=https://api.apps.v2.altros-tech.com/storage/installation_document/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/installation_document/"

Potential unauthorized access or data exposure.

1) Block public access to `/storage/installation_document/`. 2) Determine the sensitivity of the 2 exposed files — if they contain infrastructure details, credentials, or deployment configs, treat as a critical incident. 3) Apply consistent access controls across all `/storage/` subdirectories.

FINDING-028 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/invoice_file/ (2 files)

path=/storage/invoice_file/; file_count=2; url=https://api.apps.v2.altros-tech.com/storage/invoice_file/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/invoice_file/"

Potential unauthorized access or data exposure.

1) Block access to `/storage/invoice_file/` immediately. 2) Even with only 2 files, invoices contain financial data, company details, tax IDs, and potentially payment terms — assess breach notification requirements. 3) Ensure all invoice generation/storage uses non-web-accessible paths with authenticated download endpoints.

FINDING-029 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/pnl_document/ (20 files)

path=/storage/pnl_document/; file_count=20; url=https://api.apps.v2.altros-tech.com/storage/pnl_document/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/pnl_document/"

Potential unauthorized access or data exposure.

1) Block access to `/storage/pnl_document/` immediately. 2) P&L documents are highly confidential financial records — assess whether any exposed documents relate to non-public financial data that could create legal/regulatory liability. 3) Notify finance/legal teams of the exposure. 4) Audit access logs for unauthorized downloads of these 20 files.

FINDING-030 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/profile/ (23 files)

path=/storage/profile/; file_count=23; url=https://api.apps.v2.altros-tech.com/storage/profile/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/profile/"

Potential unauthorized access or data exposure.

1) Block access to `/storage/profile/` immediately. 2) Profile data likely contains user photos, identity documents, or personal information — assess PII exposure scope. 3) Implement authenticated, per-user access controls so profiles are only accessible to the owning user and authorized admins. 4) If profile images/documents are needed publicly, serve them through a CDN with signed, expiring URLs rather than direct filesystem access.

FINDING-031 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/purchase_order_file/ (7 files)

path=/storage/purchase_order_file/; file_count=7; url=https://api.apps.v2.altros-tech.com/storage/purchase_order_file/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/purchase_order_file/"

Potential unauthorized access or data exposure.

FINDING-032 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/report_activity/ (4705 files)

path=/storage/report_activity/; file_count=4705; url=https://api.apps.v2.altros-tech.com/storage/report_activity/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/report_activity/"

Potential unauthorized access or data exposure.

FINDING-033 — [Mobile DAST] Sensitive directory exposed: https://api.apps.v2.altros-tech.com/storage/report_activty/ (2326 files)

path=/storage/report_activty/; file_count=2326; url=https://api.apps.v2.altros-tech.com/storage/report_activty/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/report_activty/"

Potential unauthorized access or data exposure.

FINDING-034 — [Mobile DAST] Credentials in logcat-discovered path: https://npms.io/storage/profile/fPFsNeAawNZHy1vK9rcND4CUgHlC0JAIdxd8ZvWt.jpg

path=/storage/profile/fPFsNeAawNZHy1vK9rcND4CUgHlC0JAIdxd8ZvWt.jpg; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/storage/profile/fPFsNeAawNZHy1vK9rcND4CUgHlC0JAIdxd8ZvWt.jpg

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/storage/profile/fPFsNeAawNZHy1vK9rcND4CUgHlC0JAIdxd8ZvWt.jpg"

Potential unauthorized access or data exposure.

FINDING-035 — [Mobile DAST] Credentials in logcat-discovered path: https://api.apps.v2.altros-tech.com/storage/profile/2025-09-30/KvX5X9AIQQTiffdaayJr9qGR39zOjuGWyOo0OgjI.txt

path=/storage/profile/2025-09-30/KvX5X9AIQQTiffdaayJr9qGR39zOjuGWyOo0OgjI.txt; preview=https://idsmtp6.idcloudhosting.com/interface/root

https://cms.altros-tech.com/calender-activity

VMWare Esxi
10.1.1.220
root
P@ssword@123

vpn kantor zero tier
token : 856127940cae3bc3

J; url=https://api.apps.v2.altros-tech.com/storage/profile/2025-09-30/KvX5X9AIQQTiffdaayJr9qGR39zOjuGWyOo0OgjI.txt

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://api.apps.v2.altros-tech.com/storage/profile/2025-09-30/KvX5X9AIQQTiffdaayJr9qGR39zOjuGWyOo0OgjI.txt"

Potential unauthorized access or data exposure.

FINDING-036 — [Mobile DAST] Credentials in logcat-discovered path: https://npms.io/storage/profile/2025-09-30/KvX5X9AIQQTiffdaayJr9qGR39zOjuGWyOo0OgjI.txt

path=/storage/profile/2025-09-30/KvX5X9AIQQTiffdaayJr9qGR39zOjuGWyOo0OgjI.txt; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/storage/profile/2025-09-30/KvX5X9AIQQTiffdaayJr9qGR39zOjuGWyOo0OgjI.txt

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/storage/profile/2025-09-30/KvX5X9AIQQTiffdaayJr9qGR39zOjuGWyOo0OgjI.txt"

Potential unauthorized access or data exposure.

FINDING-037 — [Mobile DAST] CORS wildcard (*) on https://ocpp-local.altros-tech.com

header=Access-Control-Allow-Origin: *; url=https://ocpp-local.altros-tech.com

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://ocpp-local.altros-tech.com"

Potential unauthorized access or data exposure.

FINDING-038 — [Mobile DAST] Missing security headers (5): HSTS (Strict-Transport-Security), X-Frame-Options, X-XSS-Protection, Referrer-Policy...

url=https://ocpp-local.altros-tech.com

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://ocpp-local.altros-tech.com"

Potential unauthorized access or data exposure.

FINDING-039 — [Mobile DAST] CORS wildcard (*) on https://staging-chat.altros-tech.com

header=Access-Control-Allow-Origin: *; url=https://staging-chat.altros-tech.com

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://staging-chat.altros-tech.com"

Potential unauthorized access or data exposure.

FINDING-040 — [Mobile DAST] Missing security headers (7): HSTS (Strict-Transport-Security), X-Content-Type-Options, X-Frame-Options, Content-Security-Policy...

url=https://staging-chat.altros-tech.com

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://staging-chat.altros-tech.com"

Potential unauthorized access or data exposure.

FINDING-041 — [Mobile DAST] Environment config (credentials, DB passwords): https://staging-chat.altros-tech.com/.env (HTTP 403)

path=/.env; status=403; preview=<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chr; url=https://staging-chat.altros-tech.com/.env

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://staging-chat.altros-tech.com/.env"

Potential unauthorized access or data exposure.

Return HTTP 404 instead of 403 for sensitive paths like /.env to avoid confirming file existence. Add a blanket deny rule in nginx: `location ~ /\. { return 404; }`. Verify the .env file is not present in the web root at all; if it is, remove it and manage secrets via environment variables or a vault.

FINDING-042 — [Mobile DAST] Git repository exposed: https://staging-chat.altros-tech.com/.git/config (HTTP 403)

path=/.git/config; status=403; preview=<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chr; url=https://staging-chat.altros-tech.com/.git/config

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://staging-chat.altros-tech.com/.git/config"

Potential unauthorized access or data exposure.

Return HTTP 404 instead of 403 for .git paths. Add nginx rule: `location ~ /\.git { return 404; }`. Ensure .git directories are not deployed to web-accessible locations. If using CI/CD, confirm the build/deploy pipeline strips .git before deploying.

FINDING-051 — [Mobile DAST] Apache server info: https://npms.io/server-info (HTTP 200)

path=/server-info; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/server-info

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/server-info"

Potential unauthorized access or data exposure.

No remediation needed. Tune the scanner to validate response body content, not just HTTP status codes. Also investigate why the scanner targeted npms.io instead of the in-scope target api.apps.v2.altros-tech.com.

FINDING-052 — [Mobile DAST] Adminer database manager: https://npms.io/adminer.php (HTTP 200)

path=/adminer.php; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/adminer.php

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/adminer.php"

Potential unauthorized access or data exposure.

No remediation needed. Scanner must validate response body for Adminer-specific markers (e.g., Adminer login form, 'adminer.css', database selector elements) rather than relying solely on HTTP 200 status.

FINDING-053 — [Mobile DAST] phpMyAdmin exposed: https://npms.io/phpmyadmin/ (HTTP 200)

path=/phpmyadmin/; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/phpmyadmin/

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/phpmyadmin/"

Potential unauthorized access or data exposure.

No remediation needed. Scanner should check for phpMyAdmin-specific indicators in the response (e.g., 'phpMyAdmin', PMA_commonParams, pmahomme theme CSS) before flagging.

FINDING-054 — [Mobile DAST] Laravel Telescope debug dashboard: https://npms.io/telescope (HTTP 200)

path=/telescope; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/telescope

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/telescope"

Potential unauthorized access or data exposure.

No remediation needed. Scanner should validate for Telescope-specific content (e.g., 'Laravel Telescope', telescope-app Vue components, /telescope/api/* endpoints).

FINDING-055 — [Mobile DAST] Laravel Horizon queue dashboard: https://npms.io/horizon (HTTP 200)

path=/horizon; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/horizon

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/horizon"

Potential unauthorized access or data exposure.

No remediation needed. Scanner should look for Horizon-specific markers (e.g., 'Laravel Horizon', horizon dashboard CSS/JS, Redis queue metrics).

FINDING-056 — [Mobile DAST] Laravel Debugbar: https://npms.io/_debugbar (HTTP 200)

path=/_debugbar; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/_debugbar

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/_debugbar"

Potential unauthorized access or data exposure.

No remediation needed. Scanner should validate for Debugbar-specific JSON output or the Debugbar widget HTML/JS before flagging.

FINDING-057 — [Mobile DAST] Laravel Nova admin panel: https://npms.io/nova (HTTP 200)

path=/nova; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/nova

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/nova"

Potential unauthorized access or data exposure.

No remediation needed. Scanner should check for Nova-specific indicators (e.g., 'Laravel Nova', Nova login form, inertia.js Nova app shell).

FINDING-058 — [Mobile DAST] Laravel Filament admin panel: https://npms.io/filament (HTTP 200)

path=/filament; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/filament

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/filament"

Potential unauthorized access or data exposure.

No remediation needed. Scanner should validate for Filament-specific content (e.g., 'Filament', Livewire components, Filament admin login form).

FINDING-059 — [Mobile DAST] API documentation exposed: https://npms.io/api/documentation (HTTP 200)

path=/api/documentation; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/api/documentation

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/api/documentation"

Potential unauthorized access or data exposure.

No remediation needed. Scanner should verify the response contains actual API documentation content (Swagger UI HTML, ReDoc, or structured API reference markup) rather than just a 200 on the path.

FINDING-060 — [Mobile DAST] Swagger API spec exposed: https://npms.io/swagger.json (HTTP 200)

path=/swagger.json; status=200; preview=<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>npms</title> <meta name="description" content="npms was built to empower the j; url=https://npms.io/swagger.json

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://npms.io/swagger.json"

Potential unauthorized access or data exposure.

No remediation needed. Scanner should validate Content-Type is application/json and that the body parses as valid Swagger/OpenAPI JSON before flagging.

FINDING-075 — [Mobile DAST] CORS wildcard (*) on http://staging-chat.altros-tech.com

header=Access-Control-Allow-Origin: *; url=http://staging-chat.altros-tech.com

Run this command to independently verify this finding:

curl -sS -k -v \
  "http://staging-chat.altros-tech.com"

Potential unauthorized access or data exposure.

1. Replace the wildcard CORS header with an explicit allowlist of trusted origins (e.g., your frontend domains). 2. Implement origin validation server-side — reflect only whitelisted origins in Access-Control-Allow-Origin. 3. Ensure Access-Control-Allow-Credentials is NOT set alongside the wildcard (browsers block this, but misconfiguration here signals deeper issues). 4. Enforce HTTPS — the service is responding on plain HTTP, so also add a redirect to HTTPS and set HSTS.

FINDING-076 — [Mobile DAST] Missing security headers (7): HSTS (Strict-Transport-Security), X-Content-Type-Options, X-Frame-Options, Content-Security-Policy...

url=http://staging-chat.altros-tech.com

Run this command to independently verify this finding:

curl -sS -k -v \
  "http://staging-chat.altros-tech.com"

Potential unauthorized access or data exposure.

Add the following headers in the nginx configuration for staging-chat.altros-tech.com: 1. Strict-Transport-Security: max-age=31536000; includeSubDomains (and enforce HTTPS redirect first). 2. X-Content-Type-Options: nosniff. 3. X-Frame-Options: DENY (or SAMEORIGIN if framing is needed). 4. Content-Security-Policy: default-src 'self' (tune as needed). 5. Permissions-Policy: camera=(), microphone=(), geolocation=() (restrict as appropriate). 6. Referrer-Policy: strict-origin-when-cross-origin. 7. Apply the same header set to production if not already present.

FINDING-077 — [Mobile DAST] Environment config (credentials, DB passwords): http://staging-chat.altros-tech.com/.env (HTTP 403)

path=/.env; status=403; preview=<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chr; url=http://staging-chat.altros-tech.com/.env

Run this command to independently verify this finding:

curl -sS -k -v \
  "http://staging-chat.altros-tech.com/.env"

Potential unauthorized access or data exposure.

1. Verify manually: curl -v http://staging-chat.altros-tech.com/.env and confirm 403 (not 200). 2. Even though blocked, delete .env from the web root or move it outside the document root entirely. 3. Add a blanket deny rule in nginx for dotfiles: location ~ /\. { deny all; return 404; } — return 404 instead of 403 to avoid confirming file existence. 4. Remove the nginx server version from the error page (server_tokens off;). 5. Check that the .env file is not in a publicly accessible backup or VCS snapshot.

FINDING-078 — [Mobile DAST] Git repository exposed: http://staging-chat.altros-tech.com/.git/config (HTTP 403)

path=/.git/config; status=403; preview=<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chr; url=http://staging-chat.altros-tech.com/.git/config

Run this command to independently verify this finding:

curl -sS -k -v \
  "http://staging-chat.altros-tech.com/.git/config"

Potential unauthorized access or data exposure.

1. Verify manually: test for common bypasses — curl http://staging-chat.altros-tech.com/.git/HEAD, /.git/index, /.git/COMMIT_EDITMSG, /.git/packed-refs, /.git/refs/heads/main. Some nginx configs block /.git/config specifically but not the entire .git/ directory tree. 2. If any .git sub-path returns 200, the full repository can be reconstructed using tools like git-dumper. 3. Remove the .git directory from the web root entirely, or add a blanket nginx rule: location ~ /\.git { deny all; return 404; }. 4. Return 404 instead of 403 to avoid confirming existence.

FINDING-081 — [Mobile DAST] [Deep Test: auth_bypass] /horizon — Method override accepted via X-HTTP-Method-Override

url=https://docs.swmansion.com/horizon; test_type=auth_bypass; status=404; response_size=

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://docs.swmansion.com/horizon"

Potential unauthorized access or data exposure.

No remediation required. Tune the DAST scanner to exclude off-target domains and require a meaningful status-code delta (e.g., 401→200) before flagging method-override bypass.

FINDING-082 — [Mobile DAST] [Deep Test: auth_bypass] /horizon — Method override accepted via X-Method-Override

url=https://docs.swmansion.com/horizon; test_type=auth_bypass; status=404; response_size=

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://docs.swmansion.com/horizon"

Potential unauthorized access or data exposure.

No remediation required. This is a duplicate of finding [0] using the X-Method-Override header variant against the same off-target endpoint. Deduplicate in the scanner by grouping method-override header variants per endpoint.

FINDING-083 — [Mobile DAST] [Deep Test: auth_bypass] /storage/backup_unit/ — Method override accepted via X-HTTP-Method-Override

url=https://docs.swmansion.com/storage/backup_unit/; test_type=auth_bypass; status=404; response_size=

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://docs.swmansion.com/storage/backup_unit/"

Potential unauthorized access or data exposure.

No remediation required. Restrict DAST scan scope to the target domain (api.apps.v2.altros-tech.com) and add validation rules requiring a status-code differential between baseline and override requests before raising method-override findings.

FINDING-084 — [Mobile DAST] [Deep Test: auth_bypass] /storage/backup_unit/ — Method override accepted via X-Method-Override

url=https://docs.swmansion.com/storage/backup_unit/; test_type=auth_bypass; status=404; response_size=

Run this command to independently verify this finding:

curl -sS -k -v \
  "https://docs.swmansion.com/storage/backup_unit/"

Potential unauthorized access or data exposure.

No remediation required. Duplicate of finding [2] with X-Method-Override header variant. Recommend scanner tuning: (a) enforce target-scope validation, (b) require baseline vs. override response comparison, (c) deduplicate across header variants per endpoint.

Testing Standards

• OWASP Testing Guide v4.2 — Web application security
• PTES — Penetration Testing Execution Standard
• NIST SP 800-115 — Technical Guide to Information Security Testing
• ISO 27001:2022 — Information Security Management

Scoring & Classification

• CVSS v3.1 — Common Vulnerability Scoring System
• CWE — Common Weakness Enumeration
• OWASP Top 10:2021 — Web Application Risks
• MITRE ATT&CK v15 — Adversarial Tactics, Techniques & Common Knowledge. All findings mapped to ATT&CK techniques for threat intelligence correlation.