@@ -29,32 +29,33 @@ Credenciais de teste: `test@prostaff.gg` / `Test123!@#`
2929
3030## Scripts — API (scripts/)
3131
32- | Script | Vetor | Destrutivo |
33- | --------------------------| -------------------------------------------------------| ----------------|
34- | 01_health_recon.sh | Info disclosure nos endpoints de health | Nao |
35- | 02_auth_fingerprint.sh | Fingerprint do sistema JWT + timing oracle | Nao |
36- | 03_jwt_attacks.sh | alg: none , RS256→HS256, claims tampering, token replay | Nao |
37- | 04_org_isolation.sh | IDOR + isolamento multi-tenant | Nao |
38- | 05_rbac_probe.sh | Privilege escalation + Pundit bypass | Nao |
39- | 06_rate_limit_probe.sh | Rack::Attack + bypass via X-Forwarded-For | Nao |
40- | 07_param_fuzzing.sh | SQLi, XSS, SSTI, type confusion, oversized payloads | Nao |
41- | 08_ssrf_probe.sh | SSRF via integracao Riot API | Nao |
42- | 09_export_injection.sh | CSV/Formula injection nos exports | Sim(cria player)|
43- | 10_websocket_probe.sh | Action Cable auth + IDOR de canal | Nao |
44- | 11_search_injection.sh | Meilisearch operators + cross-org search | Nao |
45- | 12_info_disclosure.sh | Rails routes expostos, headers, CORS, 500 stack traces| Nao |
46- | 13_nuclei_scan.sh | Templates customizados + headers/auth/Rails exposures | Nao |
47- | 14_httpx_recon.sh | Recon completo de paths e headers | Nao |
48- | 15_full_audit.sh | Roda todos os scripts em sequencia | opcional |
49- | 16_security_headers.sh | Checkers #1 -7, #10 , #13 -16 (HSTS, CSP, CORS) | Nao |
50- | 17_cookie_security.sh | Flags Secure/HttpOnly/SameSite, escopo, invalidacao | Nao |
51- | 18_content_security.sh | Server disclosure, Referrer-Policy, stack trace, cache| Nao |
52- | 19_info_disclosure.sh | .env, .git, swagger, info, sidekiq, logs, Gemfile | Nao |
53- | 20_dns_email_spoof.sh | SPF, DMARC, DKIM, MX, zone transfer AXFR, subtakeover | Nao |
54- | 22_race_conditions.sh | TOCTOU em registro, refresh tk cc, rate limit burst | Nao |
55- | 23_token_rotation.sh | Ciclo de vida do token: single-use, type confusion | Nao |
56- | 24_host_header.sh | Host header injection em pass reset, config.hosts | Nao |
57- | 25_mass_assignment.sh | Strong Param: role, org_id, puuid, plan escalation | Nao |
32+ | Script | Vetor | Destrutivo |
33+ | -----------------------------| -------------------------------------------------------| ----------------|
34+ | 01_health_recon.sh | Info disclosure nos endpoints de health | Nao |
35+ | 02_auth_fingerprint.sh | Fingerprint do sistema JWT + timing oracle | Nao |
36+ | 03_jwt_attacks.sh | alg: none , RS256→HS256, claims tampering, token replay | Nao |
37+ | 04_org_isolation.sh | IDOR + isolamento multi-tenant | Nao |
38+ | 05_rbac_probe.sh | Privilege escalation + Pundit bypass | Nao |
39+ | 06_rate_limit_probe.sh | Rack::Attack + bypass via X-Forwarded-For | Nao |
40+ | 07_param_fuzzing.sh | SQLi, XSS, SSTI, type confusion, oversized payloads | Nao |
41+ | 08_ssrf_probe.sh | SSRF via integracao Riot API | Nao |
42+ | 09_export_injection.sh | CSV/Formula injection nos exports | Sim(cria player)|
43+ | 10_websocket_probe.sh | Action Cable auth + IDOR de canal | Nao |
44+ | 11_search_injection.sh | Meilisearch operators + cross-org search | Nao |
45+ | 12_info_disclosure.sh | Rails routes expostos, headers, CORS, 500 stack traces| Nao |
46+ | 13_nuclei_scan.sh | Templates customizados + headers/auth/Rails exposures | Nao |
47+ | 14_httpx_recon.sh | Recon completo de paths e headers | Nao |
48+ | 15_full_audit.sh | Roda todos os scripts em sequencia | opcional |
49+ | 16_security_headers.sh | Checkers #1 -7, #10 , #13 -16 (HSTS, CSP, CORS) | Nao |
50+ | 17_cookie_security.sh | Flags Secure/HttpOnly/SameSite, escopo, invalidacao | Nao |
51+ | 18_content_security.sh | Server disclosure, Referrer-Policy, stack trace, cache| Nao |
52+ | 19_info_disclosure.sh | .env, .git, swagger, info, sidekiq, logs, Gemfile | Nao |
53+ | 20_dns_email_spoof.sh | SPF, DMARC, DKIM, MX, zone transfer AXFR, subtakeover | Nao |
54+ | 22_race_conditions.sh | TOCTOU em registro, refresh tk cc, rate limit burst | Nao |
55+ | 23_token_rotation.sh | Ciclo de vida do token: single-use, type confusion | Nao |
56+ | 24_host_header.sh | Host header injection em pass reset, config.hosts | Nao |
57+ | 25_mass_assignment.sh | Strong Param: role, org_id, puuid, plan escalation | Nao |
58+ | 27_supabase_direct_bypass.sh| Bypass da camada Rails via Supabase REST API direto | Nao |
5859
5960## Scripts — Frontend (front/)
6061
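Review bot: the new `27_supabase_direct_bypass.sh` row is marked `Nao` under Destrutivo, but a script that goes straight to the Supabase REST API with the frontend anon key can only prove a write-side isolation/RLS bypass by actually writing; if it issues any insert/update/delete against tenant tables, mark it like 09 (`Sim(...)` plus what it creates), otherwise say in the Vetor cell that it is read-only. Two smaller points in the same hunk: the numbering now skips 21 and 26 with no note that those numbers are retired, and the new row is the only one with no space before the closing `|` of the Script column (`27_supabase_direct_bypass.sh|`). Everything else in the hunk is column realignment of unchanged rows; Markdown does not need the padding, so widening only the header, separator and new row would have left a diff that shows the real change.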
@@ -94,6 +95,9 @@ Todos os scripts de frontend aceitam o target como primeiro argumento:
9495./scripts/24_host_header.sh
9596./scripts/25_mass_assignment.sh
9697
98+ # Supabase layer (anon key do frontend como vetor)
99+ ./scripts/27_supabase_direct_bypass.sh
100+
97101# Auditoria completa frontend
98102./front/check-security-headers.sh
99103./front/check-cookies.sh
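Review bot: the comment `# Supabase layer (anon key do frontend como vetor)` names the anon key as the vector, but the invocation `./scripts/27_supabase_direct_bypass.sh` shows no argument or environment variable for it or for the Supabase project URL, while the section header states that scripts take the target as first argument. State here how the script obtains both (for example whether it expects something like `SUPABASE_URL` / `SUPABASE_ANON_KEY` in the environment, or pulls the key out of the frontend bundle), so a reader does not run it against the wrong project; those variable names are a suggestion, not something this diff shows.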
@@ -112,7 +116,8 @@ Todos os scripts de frontend aceitam o target como primeiro argumento:
1121166 . ` 10 ` → ` 11 ` (WebSocket e search)
1131177 . ` 12 ` → ` 13 ` → ` 14 ` (info disclosure e scan automatizado)
1141188 . ` 16 ` → ` 17 ` → ` 18 ` → ` 19 ` → ` 20 ` → ` 24 ` → ` 25 ` (headers, cookies, content, DNS, host header, mass assignment)
115- 9 . ` front/check-* ` (auditoria frontend)
119+ 9 . ` 27 ` (Supabase layer — bypass via anon key do frontend)
120+ 10 . ` front/check-* ` (auditoria frontend)
116121
117122## Relatorios
118123
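Review bot: step 9 adds `27` to the manual run order, but nothing in this change says whether `15_full_audit.sh`, described in the table as running all scripts in sequence, was updated to include it; if it was not, the manual order and the wrapper now disagree and a full audit silently skips the Supabase layer. Either mention the wrapper change in this section or state that `27` has to be run separately (the step text could carry it: `9. 27 (Supabase layer ..., nao incluido em 15_full_audit.sh)`).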
@@ -126,14 +131,14 @@ Salvos em `reports/` com data no nome. Formato: `security-audit-YYYY-MM-DD.md`.
126131
127132### Historico de vulnerabilidades corrigidas
128133
129- | ID | Script | Severidade | Descricao | Correcao |
130- | --------| --------| ------------| ----------------------------------------------------------------------| ----------|
134+ | ID | Script | Severidade | Descricao & Correcao |
135+ | --------| --------| ------------| ----------------------------------------------------------------------------- ----------|
131136| JWT-01 | 23 | Medium | Refresh token aceito como access token (` type ` claim nao validado em ` authenticate_request! ` )
132137| | Adicionado ` valid_access_token_type? ` no concern ` Authenticatable `
133138| JWT-02 | 23 | Medium | Refresh token sobrevive ao logout (logout nao blacklistava o refresh token)
134139| | ` logout ` agora blacklista ` params[:refresh_token] ` se presente
135140| JWT-03 | 22 | Medium | TOCTOU no ` refresh_access_token ` (decode + blacklist nao atomicos ----- 2 sessoes paralelas possiveis)
136- | | ` TokenBlacklist.claim_for_rotation ` com Redis SET NX EX antes de gerar novos tokens |
141+ | | ` TokenBlacklist.claim_for_rotation ` com Redis SET NX EX antes de gerar novos tokens |
137142
138143
139144## Vetores principais (Rails/JWT)
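Review bot: the new delimiter row `| --------| --------| ------------| ----------------------------------------------------------------------------- ----------|` has a space inside the last dash run; a GFM delimiter cell must be dashes only (optionally with colons), so the whole table will likely fall back to plain text. Merging the two old cells should give `| --------| --------| ------------| ----------|` (the dash count is irrelevant). Merging Descricao and Correcao into one column also does not fix the rows: each `| | Adicionado ...` / `| | \`logout\` agora ...` continuation line is still parsed as its own row, and its text still lands in the Script column. Put the fix in the same cell as the description, e.g. `| JWT-01 | 23 | Medium | Refresh token aceito como access token (...). Correcao: adicionado \`valid_access_token_type?\` no concern \`Authenticatable\` |`, and drop the whitespace-only change to the JWT-03 fix line (136/141), which is noise.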