🛡 Security Assessment Report

Company E — Passive Recon & Security Audit

Scope: company-e.example.com, company-e-crm.example.com, company-e-monitor.example.com, company-e-dialer.example.com and their subdomains

Date: March 11, 2026
Type: Passive Reconnaissance / OSINT
Authorization: Owner Authorized
Methodology: OWASP / PTES

📋 Executive Summary

A passive security assessment was conducted against Company E's public-facing infrastructure: four primary domains plus six further hostnames discovered during enumeration (five subdomains and one related domain, ten hostnames in total). The assessment revealed significant security gaps including an exposed development environment, missing security headers, weak email authentication (SPF/DKIM/DMARC), API-level user enumeration, internal architecture disclosure, and server technology information leakage. No active exploitation was performed.

Findings by severity: 5 Critical | 7 High | 7 Medium | 4 Low | 6 Informational

🌍 Attack Surface Mapping

Asset | IP Address | Server | Technology | Hosting
--- | --- | --- | --- | ---
company-e.example.com | 10.0.5.1 | Apache/2.4.58 (Ubuntu) | Node.js + Express (SPA) | Hosting Provider
company-e-crm.example.com (VSCRM) | 10.0.5.2 | Microsoft-IIS/10.0 | ASP.NET MVC 5.3 on .NET Framework 4.x (CLR 4.0.30319) | Windows IIS
company-e-monitor.example.com (WHM, Work Hour Monitor) | 10.0.5.3 | Microsoft-IIS/10.0 | ASP.NET MVC 5.2 on .NET Framework 4.x | SecureHostDNS
company-e-dialer.example.com | 10.0.5.1 | Kestrel | ASP.NET Core (.NET Core / .NET 5+) | Hosting Provider (shared with main site)
dev.company-e.example.com | 10.0.5.4 | Microsoft-IIS/10.0 | ASP.NET MVC 5.3 on .NET Framework 4.x | SecureHostDNS
old.company-e.example.com | 10.0.5.4 | Microsoft-IIS/10.0 | ASP.NET MVC 5.2 on .NET Framework 4.x | SecureHostDNS (same host as dev)
new.company-e.example.com | 10.0.5.5 | - | - | -
newvs.company-e.example.com | 10.0.5.6 | - | - | Azure
mail.company-e.example.com | 10.0.5.7 | - | Mail server | -
variableconsultancy.com | 10.0.5.3 | Microsoft-IIS/10.0 | ASP.NET MVC 5.2 | SecureHostDNS (same host as WHM)

🚨 Critical Findings

CRITICAL

C-01: Development Environment Publicly Exposed with Login/Register

Affected: dev.company-e.example.com

Description: The development/staging instance of VSCRM (the CRM application) is fully reachable from the public internet, with live login and registration pages. It runs on IIS/10.0 with ASP.NET MVC 5.3.

    # Accessible endpoints on dev.company-e.example.com
    /Account/Login           HTTP 200   ← Login page live
    /Account/Register        HTTP 200   ← Anyone can register
    /Account/ForgotPassword  HTTP 200   ← Password reset exposed
    /Admin                   HTTP 200   ← Responds 200; whether it renders without authentication was not verified (see H-07 for the same caveat)
    /Error                   HTTP 200
Impact: Attackers can register accounts on the dev environment, potentially access test data, exploit unpatched dev-only features, or use it as a pivot point. Dev environments often have weaker security controls, debug modes enabled, and may share databases or credentials with production.

✅ Remediation

  • Immediately restrict dev.company-e.example.com behind VPN or IP whitelist
  • Add HTTP Basic Auth or client certificate requirement
  • Remove DNS record if the subdomain is not actively needed
  • Audit any accounts created by unknown parties
CRITICAL

C-02: Dev Environment Served Over Plain HTTP (No TLS Enforcement)

Affected: dev.company-e.example.com

Description: Unlike all other domains which properly redirect HTTP to HTTPS, dev.company-e.example.com serves its full application (including login page) over unencrypted HTTP with no redirect to HTTPS.

    # HTTP request: no redirect, full page served over plain HTTP
    $ curl -sI http://dev.company-e.example.com/
    HTTP/1.1 200 OK                                                  ← Serves content over plain HTTP
    Server: Microsoft-IIS/10.0
    Set-Cookie: ASP.NET_SessionId=...; path=/; HttpOnly; SameSite=Lax
    Set-Cookie: __RequestVerificationToken=...; path=/; HttpOnly     ← No Secure flag: cookies sent in cleartext

    # Compare with production (correct behaviour):
    $ curl -sI http://company-e.example.com/
    HTTP/1.1 301 Moved Permanently                                   ← Correctly redirects to HTTPS

Impact: Credentials, session cookies, and anti-CSRF tokens are transmitted in cleartext. Any on-path observer (shared Wi-Fi, ISP, active MITM) can capture login credentials and session tokens. An attacker holding a captured session cookie needs no CSRF at all, so the anti-CSRF mechanism offers no protection against a network observer.

✅ Remediation

  • Configure IIS URL Rewrite to redirect every HTTP request to HTTPS (301)
  • Add Strict-Transport-Security once HTTPS works on every path; HSTS with includeSubDomains on company-e.example.com would also cover dev. and old. in browsers that have visited the apex
  • Set the Secure flag on all cookies (<httpCookies requireSSL="true"/>, see M-03)
CRITICAL

C-03: Wildcard CORS (Access-Control-Allow-Origin: *) on Authenticated Apps

Affected: company-e-crm.example.com dev.company-e.example.com old.company-e.example.com

Description: The CRM application and the dev/old environments return Access-Control-Allow-Origin: * on every response, together with the non-standard X-Frame-Options: AllowAll.

    # Response headers from company-e-crm.example.com (production CRM)
    access-control-allow-origin: *       ← Any origin allowed
    x-frame-options: AllowAll            ← Not a defined value; browsers ignore it, so the page can be framed by any site

    # Tested with an attacker-controlled origin:
    $ curl -sI -H "Origin: https://evil.com" https://company-e-crm.example.com/Account/Login
    access-control-allow-origin: *       ← Wildcard returned for any origin

Impact: On its own, a wildcard origin lets any website read unauthenticated responses cross-origin. It does not by itself let a malicious page read a logged-in user's data: browsers refuse to expose credentialed responses when the origin is *, and cookies are only attached to cross-origin fetches that opt in. The exposure becomes critical if any endpoint instead reflects the request's Origin and also sends Access-Control-Allow-Credentials: true; this passive review could not rule that out and it must be checked during active testing. Independently of CORS, X-Frame-Options: AllowAll is not one of the defined values (DENY, SAMEORIGIN), so browsers treat the header as absent and the CRM can be embedded in an attacker's iframe for clickjacking against logged-in users.

✅ Remediation

  • Replace Access-Control-Allow-Origin: * with an explicit allow-list of origins; if the allowed origin is chosen per request, send Vary: Origin and never pair a reflected origin with Access-Control-Allow-Credentials: true
  • Change X-Frame-Options: AllowAll to DENY or SAMEORIGIN
  • Add Content-Security-Policy with a frame-ancestors directive (the modern replacement for X-Frame-Options; both can be sent together)
CRITICAL

C-04: VSCRM API User Enumeration & Data Model Exposure (No Rate Limiting)

Affected: company-e-crm.example.com (Production CRM)

Description: The VSCRM login API at /api/Login is publicly reachable and returns detailed JSON responses that (1) confirm whether a username exists, (2) reveal the internal data model (16+ field names), and (3) showed no throttling across five rapid attempts, so nothing observed stands in the way of unlimited guessing.

    # POST /api/Login with invalid credentials returns:
    {
      "status": 0,
      "message": "Invalid username",                 ← User enumeration: different message for valid vs invalid users
      "SessionId": null,
      "UserName": null,
      "ImageUrl": null,                              ← Profile picture field
      "Email": null,
      "FirebaseTokenId": null,                       ← Firebase integration exposed
      "IsCompanyHaveIpBasedAuthentication": false,   ← Security configuration leaked
      "IsIpValid": false,
      "MachineIp": null,                             ← IP tracking field
      "CompanyGuId": null,                           ← Company GUID structure (multi-tenant)
      "UserType": 0,                                 ← User role system
      "additionalFeatures": 0,
      "IsTrackingAllow": false,                      ← Tracking configuration
      "IsSelfieRequired": false,                     ← Selfie authentication feature
      "CheckListRights": false,
      "IsDateRangeCalendarDisplay": false
    }

    # No throttling observed: 5 rapid requests all returned HTTP 200
    Request 1 -> HTTP 200
    Request 2 -> HTTP 200
    Request 3 -> HTTP 200
    Request 4 -> HTTP 200
    Request 5 -> HTTP 200                            ← No throttling, no CAPTCHA, no lockout after five attempts

Impact: An attacker can (1) enumerate valid usernames across all 2,500+ client companies by querying the API, (2) run credential stuffing with no observed rate limit, and (3) use the exposed data model to craft targeted attacks against the CRM. The leaked fields reveal Firebase integration, IP-based authentication, selfie verification, and the company GUID structure, all useful for further exploitation. Five requests is a deliberately small sample (brute-force testing was out of scope), so a lockout at a higher threshold cannot be excluded; the username-specific message is a confirmed defect regardless.

✅ Remediation

  • Immediate: Return the same generic "Invalid credentials" message for an unknown username and a wrong password, with the same HTTP status (401) and the same response time (hash a dummy value when the user does not exist)
  • Immediate: Implement rate limiting (e.g., 5 attempts per minute per IP)
  • Immediate: Strip all null fields from the error response and return only {"status":0,"message":"Invalid credentials"}
  • Add CAPTCHA after 3 failed attempts
  • Implement account lockout after N failed attempts, without changing the error message so a locked account is not itself enumerable
  • Add monitoring/alerting for brute-force patterns
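The remediation above amounts to three changes in the login handler: one generic failure body, throttling before any credential work, and a lockout that does not reveal itself. The following is an added illustration written for this report, not VSCRM code; it models the observed /api/Login behaviour next to a hardened version in plain Python with an in-memory limiter. The user store, password, hash parameters, IP addresses and timestamps are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque

# Constructed stand-in for the VSCRM user store: one account, PBKDF2-hashed.
# Username, password, salt and iteration count are assumptions for this
# example, not values from the assessment.
_SALT = os.urandom(16)
_ITERATIONS = 50_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": _hash("correct-horse")}
# Compared against when the username is unknown, so that path costs the same
# as a wrong password and timing cannot replace the removed error message.
_DUMMY_HASH = _hash("placeholder")
GENERIC_BODY = {"status": 0, "message": "Invalid credentials"}


def login_observed(username: str, password: str) -> tuple:
    """Shape of what the report saw at /api/Login: one message per failure
    cause, HTTP 200 either way, and the data model echoed back as nulls.
    Kept only as the 'before' to compare against."""
    if username not in USERS:
        body = {"status": 0, "message": "Invalid username"}
    elif not hmac.compare_digest(USERS[username], _hash(password)):
        body = {"status": 0, "message": "Invalid password"}
    else:
        return 200, {"status": 1, "message": "OK", "UserName": username}
    body.update({"SessionId": None, "UserName": None, "Email": None,
                 "FirebaseTokenId": None, "CompanyGuId": None, "UserType": 0})
    return 200, body


class LoginLimiter:
    """Per-IP sliding window plus per-account lockout. In-memory for the
    example; a real deployment backs this with a store shared by all nodes."""

    def __init__(self, max_per_window=5, window=60.0,
                 lockout_after=10, lockout_for=900.0):
        self.max_per_window, self.window = max_per_window, window
        self.lockout_after, self.lockout_for = lockout_after, lockout_for
        self._hits = defaultdict(deque)   # ip -> timestamps of recent attempts
        self._fails = defaultdict(int)    # username -> consecutive failures
        self._locked = {}                 # username -> time the lock expires

    def throttled(self, ip: str, now: float) -> bool:
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return True
        q.append(now)
        return False

    def locked(self, user: str, now: float) -> bool:
        return self._locked.get(user, 0.0) > now

    def failed(self, user: str, now: float) -> None:
        self._fails[user] += 1
        if self._fails[user] >= self.lockout_after:
            self._locked[user] = now + self.lockout_for
            self._fails[user] = 0

    def succeeded(self, user: str) -> None:
        self._fails.pop(user, None)


def login_hardened(limiter: LoginLimiter, ip: str, username: str,
                   password: str, now=None) -> tuple:
    """Throttle first (before any hashing), then verify with a constant-time
    compare, and answer every failure, including a locked account, with the
    same 401 body so nothing about the account is disclosed."""
    now = time.time() if now is None else now
    if limiter.throttled(ip, now):
        return 429, {"status": 0, "message": "Too many attempts, retry later"}
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    if limiter.locked(username, now) or not ok:
        limiter.failed(username, now)
        return 401, dict(GENERIC_BODY)
    limiter.succeeded(username)
    return 200, {"status": 1, "SessionId": secrets.token_urlsafe(32)}
```

The throttle runs before the password hash is computed, so the endpoint cannot be used to burn server CPU, and the locked-account branch still calls failed(), so continued attempts extend the lock instead of revealing it. The `now` parameter exists only so the behaviour can be exercised deterministically; production code would drop it.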
CRITICAL

C-05: Internal Application Architecture Fully Enumerable via Error Messages

Affected: dev.company-e.example.com (and maps directly to production architecture)

Description: The dev environment returns verbose ASP.NET MVC error messages that reveal the full internal namespace, controller names, and routing structure of VSCRM. Combined with open registration (C-01), this gives an attacker a map of the application before logging in.

    # Confirmed controllers & namespaces (via error messages):
    VSCrm.Controllers.LeadsController          /Leads
    VSCrm.Controllers.ContactController        /Contact
    VSCrm.Controllers.AdminController          /Admin
    VSCrm.Controllers.TasksController          /Tasks
    VSCrm.Controllers.NotificationController   /Notification
    VSCrm.Controllers.InvoiceController        /Invoice
    VSCrm.Controllers.EmailController          /Email
    VSCrm.Controllers.WhatsAppController       /WhatsApp

    # Auth-protected routes (confirmed via login redirect):
    /Campaign → 302 to /Account/Login?reasonOfLogout=UnAuthorize%20Request

    # Error message format:
    "A public action method 'Home' was not found on controller 'VSCrm.Controllers.LeadsController'."
    # ^ Reveals: namespace (VSCrm), controller name, and that the 'Home' action does not exist

Impact: Attackers now know the exact MVC controller structure and namespace convention (VSCrm.Controllers) and can map the entire application. This significantly reduces the effort needed for targeted attacks such as parameter tampering, IDOR, and privilege escalation. The message is the stock ASP.NET MVC text for a missing action; it is shown because custom errors are off, not because of an application bug. The logout reason parameter ("UnAuthorize Request") also suggests a custom authentication implementation that deserves review for bypasses.

✅ Remediation

  • Disable verbose errors: set <customErrors mode="On"> (or RemoteOnly) in web.config and <httpErrors errorMode="Custom"> for IIS-level errors; set <compilation debug="false">
  • Return a generic error page for all unhandled exceptions (the CRM's 302 to /Error/NotFound is the pattern to copy)
  • Never expose controller names, namespaces, or action methods in error output
  • Restrict dev.company-e.example.com (see C-01)

⚠️ High Severity Findings

HIGH

H-01: Missing DMARC Records - Email Spoofing Possible

Affected: company-e.example.com company-e-crm.example.com company-e-dialer.example.com

Description: Three of the four domains have no DMARC record at all. The fourth (company-e-monitor.example.com) publishes DMARC with p=none, which only requests reports and does not quarantine or reject spoofed mail.

    # DMARC lookup results:
    $ host -t TXT _dmarc.company-e.example.com
    NXDOMAIN                                     ← No DMARC
    $ host -t TXT _dmarc.company-e-crm.example.com
    NXDOMAIN                                     ← No DMARC
    $ host -t TXT _dmarc.company-e-dialer.example.com
    NXDOMAIN                                     ← No DMARC
    $ host -t TXT _dmarc.company-e-monitor.example.com
    v=DMARC1; p=none;                            ← Policy set to none (monitoring only)
Impact: Attackers can send emails that appear to come from @company-e.example.com, @company-e-crm.example.com, or @company-e-dialer.example.com. This enables phishing attacks against customers, partners, and employees. Particularly dangerous for company-e-crm.example.com since CRM customers trust emails from this domain.

✅ Remediation

  • Publish a DMARC record on each domain, e.g. _dmarc.<domain> TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@company-e.example.com"
  • If reports for the other domains are sent to an address at company-e.example.com, also publish <domain>._report._dmarc.company-e.example.com TXT "v=DMARC1" so receivers accept the external report destination
  • Progress to p=reject after the monitoring period
  • Configure DKIM signing for all mail sources (H-03); until DKIM exists, DMARC can only pass via an aligned SPF result, so H-02 blocks this finding
  • Upgrade company-e-monitor.example.com from p=none to p=quarantine, after the duplicate SPF record (M-06) is merged, otherwise every message fails SPF under DMARC
HIGH

H-02: SPF Softfail (~all) on 3 Domains

Affected: company-e-crm.example.com company-e-monitor.example.com company-e-dialer.example.com

    # SPF records:
    company-e.example.com:          v=spf1 include:spf.protection.outlook.com -all          ← HARDFAIL (good)
    company-e-crm.example.com:      v=spf1 include:_spf.mlsend.com include:zoho.in ~all     ← SOFTFAIL
    company-e-monitor.example.com:  v=spf1 include:zoho.in ~all                             ← SOFTFAIL
    company-e-dialer.example.com:   v=spf1 include:_spf.mlsend.com ... ~all                 ← SOFTFAIL

Additional issue: company-e-monitor.example.com publishes two TXT records beginning with v=spf1. RFC 7208 (sections 3.2 and 4.5) requires exactly one; a receiver that finds more than one returns PermError, so SPF is effectively disabled for that domain, and DMARC treats the result as an SPF failure.

✅ Remediation

  • Change ~all to -all on all domains, after confirming every legitimate sending service (Zoho, MailerLite, sendersrv.com) is included; with -all anything missing is rejected
  • Merge the two records on company-e-monitor.example.com into one, staying under the RFC 7208 limit of 10 DNS-querying mechanisms
HIGH

H-03: No DKIM Records Found on Any Domain

Affected: All domains

No DKIM public keys were found under common selector names (default, google, zoho, selector1, selector2). Selector names are arbitrary, so this does not prove DKIM is unused; the definitive check is the s= tag in the DKIM-Signature header of a message actually sent from each domain. If DKIM is indeed absent, message authenticity cannot be cryptographically verified, and DMARC (H-01) can pass only on SPF alignment, which breaks for forwarded mail.

✅ Remediation

  • Configure DKIM signing in Outlook/Zoho/MailerLite admin panels
  • Publish corresponding DKIM public keys in DNS
HIGH

H-04: Legacy ASP.NET (4.0.30319) / MVC 5.x in Production

Affected: company-e-crm.example.com company-e-monitor.example.com dev.company-e.example.com old.company-e.example.com

The x-aspnet-version: 4.0.30319 header identifies the CLR 4 runtime and is emitted identically by every .NET Framework 4.x release from 4.0 through 4.8.1, so it does not establish which framework version is installed. Framework versions 4.0 through 4.6.1 are out of support and no longer receive security fixes; 4.6.2 and later (notably 4.8 and 4.8.1) are still supported. The x-aspnetmvc-version: 5.2 / 5.3 header confirms classic ASP.NET MVC 5 on .NET Framework, a maintenance-mode stack that receives no new security features, and the 5.2 instances (WHM, old.) are on an older patch level than the CRM's 5.3. The installed runtime should be confirmed on the servers themselves (the Release value under HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full) before this finding's severity is finalised.

    # Leaked version headers:
    x-aspnet-version: 4.0.30319      ← CLR 4 runtime string shared by all .NET Framework 4.x builds
    x-aspnetmvc-version: 5.3         ← Classic ASP.NET MVC 5
    x-powered-by: ASP.NET
    server: Microsoft-IIS/10.0

✅ Remediation

  • Confirm the installed .NET Framework version on each server; if below 4.8, update to 4.8.1 immediately (an in-place upgrade for MVC 5 applications)
  • Plan the migration to ASP.NET Core on .NET 8+ (LTS); MVC 5 on .NET Framework receives no new security features
  • Immediately suppress version headers (see M-01 below)
  • Note: company-e-dialer.example.com already runs on Kestrel/ASP.NET Core
HIGH

H-05: Old/Legacy Application Instance Publicly Accessible

Affected: old.company-e.example.com

An older build of the application (ASP.NET MVC 5.2, versus 5.3 on the current CRM) is publicly accessible with a working login page. Legacy instances usually run outdated dependencies, fall outside patch cycles, and may still hold credentials or data copied from production.

    old.company-e.example.com
    /Account/Login   HTTP 200   ← Active login page
    /Error           HTTP 200
    Access-Control-Allow-Origin: *
    # No HSTS, no Secure cookies, no CSP

✅ Remediation

  • Decommission old.company-e.example.com or restrict behind VPN
  • Remove DNS A record if no longer needed
HIGH

H-06: SignalR Hub Exposed on Production & Dev - Real-Time Method Enumeration

Affected: company-e-crm.example.com dev.company-e.example.com

Description: The SignalR-generated JavaScript proxy at /signalr/hubs is served without authentication on both production and dev. By design this script lists every server-side hub method a client may invoke, so it reveals the real-time notification and calling architecture.

    # Exposed SignalR hub: 'notificationHub'
    # Server-side methods revealed:
    AcceptCall            ← Call management
    GetNotification       ← Notification retrieval
    InitiateOutboundCall  ← Outbound calling
    PreAcceptCall         ← Pre-call acceptance
    RejectCall            ← Call rejection
    SendNotification      ← Push notification
    TerminateCall         ← Call termination
    # SignalR version: 2.4.3 (revealed in hub script)

Impact: Exposes the real-time communication architecture. An attacker who obtains a valid session could invoke these methods directly (the hub protocol is easy to script) to manipulate calls, send fake notifications, or disrupt calling for connected users, unless each method enforces its own authorization. SignalR 2.4.3 is the final release line of classic ASP.NET SignalR, which is in maintenance only; further improvements require moving to ASP.NET Core SignalR.

✅ Remediation

  • Mark hubs with [Authorize] (and per-method [Authorize] where roles differ) so unauthenticated connections cannot invoke hub methods
  • Disable runtime proxy generation (HubConfiguration.EnableJavaScriptProxies = false) and ship a build-time proxy instead, so /signalr/hubs no longer enumerates methods
  • Add server-side authorization checks inside every hub method that touches another user's call or notification
  • Move to ASP.NET Core SignalR as part of the H-04 migration
HIGH

H-07: WHM Returns HTTP 200 for Sensitive Path Names (Catch-All Route Misconfiguration)

Affected: company-e-monitor.example.com

Description: Work Hour Monitor (WHM) returns HTTP 200 rather than 404 for paths such as /backup, /uploads, /data, /export, /download, /files, /temp and /tmp. The response body is a generic error page, so a 200 here most likely means a catch-all MVC route handles every path (or a custom error page is returned with the wrong status) rather than that these directories exist; it nevertheless hides real routes among the noise and defeats status-based monitoring.

    # Paths returning HTTP 200 (should return 404):
    /backup          HTTP 200
    /Content/data    HTTP 200
    /data            HTTP 200
    /export          HTTP 200
    /download        HTTP 200
    /files           HTTP 200
    /uploads         HTTP 200
    /temp            HTTP 200
    /tmp             HTTP 200
    /BundleConfig    HTTP 200

    # /Admin returns HTTP 500: unhandled exception
    /Admin           HTTP 500    ← An Admin route exists and throws before authorization runs

Impact: No content is currently exposed, but the routing configuration confirms the application handles these paths, and the /Admin 500 shows an admin route exists that crashes rather than redirecting to login. If authorization is ever misconfigured, these routes could expose backups, user data, uploads (including screenshots from employee monitoring), and temporary files.

✅ Remediation

  • Return proper 404 for non-existent or unauthorized routes
  • Fix the /Admin 500 error to return 401/403 instead
  • Audit route configuration to remove catch-all routes for sensitive paths
  • Ensure /uploads, /backup, /data directories are not web-accessible

🟡 Medium Severity Findings

MEDIUM

M-01: Server & Framework Version Disclosure

Affected: All domains

Every domain leaks exact server software and framework versions in HTTP response headers, enabling targeted attacks.

    # Headers leaking version information:
    Server: Apache/2.4.58 (Ubuntu)        # company-e.example.com
    Server: Microsoft-IIS/10.0            # company-e-crm.example.com, WHM, dev, old
    Server: Kestrel                       # company-e-dialer.example.com
    X-Powered-By: Express                 # company-e.example.com
    X-Powered-By: ASP.NET                 # WHM
    X-AspNet-Version: 4.0.30319           # company-e-crm.example.com, WHM, dev, old
    X-AspNetMvc-Version: 5.2 / 5.3        # company-e-crm.example.com, WHM, dev, old

✅ Remediation

  • IIS: <requestFiltering removeServerHeader="true"/> in web.config (IIS 10 and later)
  • ASP.NET: <httpRuntime enableVersionHeader="false"/> removes X-AspNet-Version; <customHeaders><remove name="X-Powered-By"/></customHeaders> removes X-Powered-By; MvcHandler.DisableMvcResponseHeader = true in Application_Start removes X-AspNetMvc-Version
  • Apache: ServerTokens Prod and ServerSignature Off
  • Express: app.disable('x-powered-by') or the helmet middleware
  • Kestrel: KestrelServerOptions.AddServerHeader = false (the bare "Kestrel" value leaks little, but there is no reason to send it)
MEDIUM

M-02: Missing Security Headers Across All Domains

Affected: All domains

Header | company-e.example.com | company-e-crm.example.com | WHM | company-e-dialer.example.com | dev. | old.
--- | --- | --- | --- | --- | --- | ---
Content-Security-Policy | Missing | Missing | Missing | Missing | Missing | Missing
X-Content-Type-Options | Missing | Missing | Missing | Missing | Missing | Missing
X-Frame-Options | Missing | AllowAll | Missing | Missing | AllowAll | Missing
Strict-Transport-Security | Missing | ✓ Present | Missing | Missing | Missing | Missing
Referrer-Policy | Missing | Missing | Missing | Missing | Missing | Missing
Permissions-Policy | Missing | Missing | Missing | Missing | Missing | Missing

Note: AllowAll is not a defined X-Frame-Options value (only DENY and SAMEORIGIN are), so browsers ignore the header and treat it as absent. In practice this equals a missing header, but it also documents that framing from any origin was deliberately enabled; if some integration genuinely needs the CRM framed, replace it with a Content-Security-Policy frame-ancestors allow-list rather than leaving framing open.

✅ Remediation

  • Add all standard security headers via web server config or middleware
  • Minimum recommended: CSP, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, HSTS, Referrer-Policy: strict-origin-when-cross-origin
MEDIUM

M-03: Session Cookies Missing Secure Flag

Affected: company-e-monitor.example.com dev.company-e.example.com old.company-e.example.com

    # company-e-monitor.example.com
    Set-Cookie: ASP.NET_SessionId=...; path=/; HttpOnly; SameSite=Lax          ← Missing: Secure flag

    # dev.company-e.example.com (especially bad: served over HTTP)
    Set-Cookie: __RequestVerificationToken=...; path=/; HttpOnly                ← Missing: Secure flag AND SameSite attribute

    # company-e-crm.example.com (good example):
    Set-Cookie: __RequestVerificationToken=...; path=/; HttpOnly; SameSite=None; secure

✅ Remediation

  • Set Secure on all cookies: <httpCookies requireSSL="true"/> in web.config covers the cookies ASP.NET issues (session, forms auth, anti-forgery); also set AntiForgeryConfig.RequireSsl = true. Enforce HTTPS first (C-02), because browsers drop Secure cookies over plain HTTP and the dev site would stop working
  • Set SameSite=Lax (or Strict) on session cookies; SameSite=None, as on the CRM's anti-forgery cookie, is only valid with Secure and only justified where cross-site embedding is genuinely required
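Findings C-03, M-02 and M-03 are all properties of the raw response headers, so they can be re-checked mechanically from a saved curl -sI capture after remediation. The audit function below is an added example for this report (not a tool used in the assessment or code belonging to Company E). The two captures it runs over are constructed: DEV_RESPONSE is modelled on the headers observed on dev.company-e.example.com with elided cookie values filled by placeholders, and HARDENED_RESPONSE is the editor's target state. Origin reflection can only be told apart from a fixed allow-list by probing with an origin you do not own, which is why the function takes the probe's Origin as a parameter.

```python
import re

REQUIRED = ("Content-Security-Policy", "X-Content-Type-Options", "X-Frame-Options",
            "Strict-Transport-Security", "Referrer-Policy", "Permissions-Policy")
VERSION_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
FLAG_NAMES = {"secure": "Secure", "httponly": "HttpOnly"}

# Constructed capture modelled on the dev host's observed headers.
DEV_RESPONSE = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.3
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
X-Frame-Options: AllowAll
Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax
Set-Cookie: __RequestVerificationToken=tok456; path=/; HttpOnly
"""

# Constructed target state after the remediation in C-03, M-01, M-02 and M-03.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Access-Control-Allow-Origin: https://app.company-e.example.com
Vary: Origin
Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw: str):
    """Return (single-valued headers keyed by lowercase name, list of Set-Cookie values)."""
    headers, cookies = {}, []
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            headers.setdefault(name, value)
    return headers, cookies


def audit(raw: str, request_origin: str = None) -> list:
    """List the header-level gaps described in C-03, M-01, M-02 and M-03.
    request_origin is the Origin header sent with the probe, if any."""
    headers, cookies = parse_headers(raw)
    findings = []
    for name in REQUIRED:
        if name.lower() not in headers:
            findings.append(f"missing {name}")
    xfo = headers.get("x-frame-options")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options '{xfo}' is not a defined value; browsers ignore it")
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("CORS wildcard: any site can read unauthenticated responses"
                        + (" (browsers refuse * with credentials)" if creds else ""))
    elif acao and request_origin and acao == request_origin:
        findings.append("CORS reflects the request Origin"
                        + (" with credentials: authenticated data readable cross-site" if creds else ""))
    if acao and acao != "*" and "origin" not in headers.get("vary", "").lower():
        findings.append("per-origin CORS response without Vary: Origin (caches may serve it to other origins)")
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {}
        for part in cookie.split(";")[1:]:          # attributes after name=value
            key, _, val = part.strip().partition("=")
            attrs[key.lower()] = val.strip()
        for flag, label in FLAG_NAMES.items():
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {label}")
        if "samesite" not in attrs:
            findings.append(f"cookie {name}: missing SameSite")
        elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
            findings.append(f"cookie {name}: SameSite=None requires Secure")
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses version: {server}")
    for name in VERSION_HEADERS:
        if name in headers:
            findings.append(f"{name} disclosed: {headers[name]}")
    return findings
```

An empty list from audit() on a capture taken with a foreign Origin (for example https://evil.example) is the acceptance criterion for M-02/M-03 and for the CORS part of C-03; a non-empty list names the exact header or cookie still to fix.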
MEDIUM

M-04: IIS Detailed Error Pages Exposed

Affected: company-e-monitor.example.com

Invalid paths return detailed IIS 10.0 error pages with internal server information, including the full XHTML error template with CSS styling that reveals the IIS version and error handling configuration.

    # Response to an invalid path:
    <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title>
    # Leaks: IIS version, error codes, request handling details

✅ Remediation

  • Configure custom error pages: <httpErrors errorMode="Custom"> (or the IIS default DetailedLocalOnly, which keeps detail for local requests only)
  • Disable detailed ASP.NET errors in production: <customErrors mode="On"/> (or RemoteOnly)
MEDIUM

M-05: TRACE HTTP Method Accepted

Affected: company-e-monitor.example.com

The server answers TRACE with HTTP 200 instead of rejecting it. TRACE echoes the request, including its headers, back to the client; the classic abuse is Cross-Site Tracing (XST), reading cookies from the echo via script. Current browsers refuse to issue TRACE from page scripts, so XST is largely historical, but the method serves no purpose in production and still reflects headers to any client that can send it (for example through a proxy), so it should be disabled.

✅ Remediation

  • Disable TRACE in IIS: Request Filtering → HTTP Verbs → Deny TRACE (web.config: <verbs><add verb="TRACE" allowed="false"/></verbs> under requestFiltering)
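Most of the IIS-side remediation in C-02, C-05, M-01, M-03, M-04 and M-05 lives in a single web.config, so it is worth checking that file mechanically once the change is made. The checker below is an added example for this report, not a Company E artefact. WEAK_WEB_CONFIG is a constructed file consistent with the observed behaviour (the debug="true" setting is an assumption, not something the report confirmed), and HARDENED_WEB_CONFIG is the editor's suggested target, including the header values and the rewrite rule. One item cannot be expressed in web.config and is not checked here: X-AspNetMvc-Version is removed in code with MvcHandler.DisableMvcResponseHeader = true.

```python
import xml.etree.ElementTree as ET

# Constructed file consistent with the observed behaviour: detailed errors,
# no Secure cookies, version headers, TRACE allowed, no HTTPS redirect.
# debug="true" is an assumption for the example.
WEAK_WEB_CONFIG = """\
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>
"""

# Target state for the hardening bullets above (editor's suggested values).
HARDENED_WEB_CONFIG = """\
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <customErrors mode="On" defaultRedirect="~/Error" />
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Custom" />
    <security>
      <requestFiltering removeServerHeader="true">
        <verbs allowUnlisted="true"><add verb="TRACE" allowed="false" /></verbs>
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="DENY" />
        <add name="Content-Security-Policy" value="default-src 'self'; frame-ancestors 'none'" />
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <rules>
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions><add input="{HTTPS}" pattern="off" /></conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""

REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options", "X-Frame-Options",
                    "Content-Security-Policy", "Referrer-Policy")


def _attr(root, path, name, default=""):
    el = root.find(path)
    return default if el is None or el.get(name) is None else el.get(name)


def audit_web_config(xml_text: str) -> list:
    """Return the hardening items still missing from a web.config. Values
    assumed for absent elements are the ASP.NET / IIS defaults."""
    root = ET.fromstring(xml_text)
    gaps = []
    if _attr(root, "system.web/compilation", "debug").lower() == "true":
        gaps.append("compilation debug=true (verbose errors, no optimisation)")
    if _attr(root, "system.web/customErrors", "mode", "RemoteOnly") not in ("On", "RemoteOnly"):
        gaps.append("customErrors mode=Off: ASP.NET exception detail sent to clients")
    if _attr(root, "system.web/httpCookies", "requireSSL").lower() != "true":
        gaps.append("httpCookies requireSSL missing: cookies issued without Secure")
    if _attr(root, "system.web/httpRuntime", "enableVersionHeader", "true").lower() != "false":
        gaps.append("X-AspNet-Version header still emitted")
    if _attr(root, "system.webServer/httpErrors", "errorMode", "DetailedLocalOnly") == "Detailed":
        gaps.append("httpErrors errorMode=Detailed: IIS detailed error pages sent remotely")
    if _attr(root, "system.webServer/security/requestFiltering", "removeServerHeader").lower() != "true":
        gaps.append("Server header not suppressed")
    verbs = root.findall("system.webServer/security/requestFiltering/verbs/add")
    if not any(v.get("verb", "").upper() == "TRACE" and v.get("allowed", "").lower() == "false"
               for v in verbs):
        gaps.append("TRACE not denied")
    custom = root.find("system.webServer/httpProtocol/customHeaders")
    added = {a.get("name") for a in custom.findall("add")} if custom is not None else set()
    removed = {r.get("name") for r in custom.findall("remove")} if custom is not None else set()
    gaps += [f"header {h} not set" for h in REQUIRED_HEADERS if h not in added]
    if "X-Powered-By" not in removed:
        gaps.append("X-Powered-By not removed")
    actions = [r.find("action") for r in root.findall("system.webServer/rewrite/rules/rule")]
    if not any(a is not None and a.get("type") == "Redirect" and a.get("url", "").startswith("https://")
               for a in actions):
        gaps.append("no HTTP to HTTPS redirect rule")
    return gaps
```

The rewrite rule and removeServerHeader need the IIS URL Rewrite module and IIS 10 respectively; on the dev host, apply requireSSL only together with the redirect rule, since Secure cookies are never sent back over plain HTTP.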
MEDIUM

M-06: Duplicate SPF Records on company-e-monitor.example.com

Affected: company-e-monitor.example.com

    # Two conflicting SPF records:
    TXT "v=spf1 include:zoho.in ~all"
    TXT "v=spf1 include:sendersrv.com include:zoho.in ~all"
    ← RFC 7208 violation: multiple SPF records = PermError = SPF disabled

✅ Remediation

  • Merge into single record: v=spf1 include:sendersrv.com include:zoho.in -all
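Findings H-01, H-02, H-03 and M-06 are all decided by the content of a few TXT records, and the rules involved (one SPF record only, what the all qualifier means, the 10-lookup limit, what p=none does) are easy to misread by eye. The evaluator below is an added example for this report, not part of the assessment tooling. SAMPLE_ZONE is a constructed set of records modelled on what the report lists (the dialer record is simplified, and fixed.example.com is an invented domain showing the remediated state); the DKIM selector list is an assumption, and CNAME-based selectors are assumed already resolved to their TXT values.

```python
import re

SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
# Selectors to try for DKIM; an assumption, since selector names are arbitrary.
COMMON_SELECTORS = ("default", "google", "zoho", "selector1", "selector2", "k1")

# Constructed TXT data modelled on the report. Values are already de-quoted.
SAMPLE_ZONE = {
    "company-e.example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "company-e-crm.example.com": ["v=spf1 include:_spf.mlsend.com include:zoho.in ~all"],
    "company-e-monitor.example.com": ["v=spf1 include:zoho.in ~all",
                                      "v=spf1 include:sendersrv.com include:zoho.in ~all"],
    "_dmarc.company-e-monitor.example.com": ["v=DMARC1; p=none;"],
    "company-e-dialer.example.com": ["v=spf1 include:_spf.mlsend.com ~all"],
    "fixed.example.com": ["v=spf1 include:sendersrv.com include:zoho.in -all"],
    "_dmarc.fixed.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@fixed.example.com"],
    "zoho._domainkey.fixed.example.com": ["v=DKIM1; k=rsa; p=EXAMPLEPUBLICKEY"],
}


def spf_status(txt_records):
    """Result a receiver reaches for a sender not listed in the record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"result": "none", "all": None, "lookups": 0}
    if len(spf) > 1:   # RFC 7208: more than one record is a permerror
        return {"result": "permerror", "reason": "multiple SPF records", "all": None, "lookups": 0}
    qualifier, lookups = None, 0
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            qualifier = (m.group(1) or "+") + "all"
            continue
        mech = re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()
        if mech in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:   # RFC 7208 lookup limit, also a permerror
        return {"result": "permerror", "reason": "more than 10 DNS lookups", "all": qualifier, "lookups": lookups}
    outcome = {"-all": "hardfail", "~all": "softfail", "?all": "neutral", "+all": "pass"}
    return {"result": outcome.get(qualifier, "neutral"), "all": qualifier, "lookups": lookups}


def dmarc_status(txt_records):
    recs = [r for r in txt_records if r.replace(" ", "").upper().startswith("V=DMARC1")]
    if not recs:
        return {"present": False, "policy": None, "rua": None, "pct": 100, "error": None}
    if len(recs) > 1:
        return {"present": True, "policy": None, "rua": None, "pct": 100, "error": "multiple DMARC records"}
    tags = {}
    for part in recs[0].split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    return {"present": True, "policy": tags.get("p"), "rua": tags.get("rua"),
            "pct": int(tags.get("pct", "100")), "error": None}


def dkim_selectors(zone, domain, selectors=COMMON_SELECTORS):
    """Selectors under which a key is published. An empty list is not proof that
    DKIM is absent; the authoritative check is the s= tag of a real DKIM-Signature."""
    return [s for s in selectors
            if any("p=" in r.replace(" ", "") for r in zone.get(f"{s}._domainkey.{domain}", []))]


def assess_domain(zone, domain):
    """(severity, message) findings for one domain."""
    findings = []
    spf = spf_status(zone.get(domain, []))
    if spf["result"] == "none":
        findings.append(("HIGH", "no SPF record"))
    elif spf["result"] == "permerror":
        findings.append(("HIGH", f"SPF permerror: {spf['reason']} (SPF effectively disabled)"))
    elif spf["result"] == "softfail":
        findings.append(("HIGH", "SPF ends in ~all (softfail); change to -all"))
    elif spf["result"] in ("neutral", "pass"):
        findings.append(("HIGH", f"SPF {spf['all'] or 'without an all term'} does not restrict senders"))
    dm = dmarc_status(zone.get(f"_dmarc.{domain}", []))
    if not dm["present"]:
        findings.append(("HIGH", "no DMARC record"))
    elif dm["error"]:
        findings.append(("HIGH", f"DMARC {dm['error']}"))
    elif dm["policy"] == "none":
        findings.append(("MEDIUM", "DMARC p=none: reports only, spoofed mail is still delivered"))
    elif dm["pct"] < 100:
        findings.append(("LOW", f"DMARC pct={dm['pct']}: policy applied to only part of the mail"))
    if dm["present"] and not dm["error"] and not dm["rua"]:
        findings.append(("LOW", "DMARC has no rua= address, so no aggregate reports arrive"))
    if not dkim_selectors(zone, domain):
        findings.append(("INFO", "no DKIM key under common selectors; confirm from a real message"))
    return findings
```

Running assess_domain over the zone reproduces the report's email findings per domain, and an empty result for a domain is the acceptance check once the records in H-01, H-02 and M-06 have been changed. For live use, replace the dictionary lookups with TXT queries and follow CNAMEs on the selector names.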
MEDIUM

M-07: VSCRM Login Returns HTTP 500 for Form-Based Auth Attempts

Affected: company-e-crm.example.com

Description: Sending login credentials via a form POST to the VSCRM login page returns HTTP 500 (Internal Server Error) instead of a proper error response, i.e. an exception in the authentication flow is not handled.

    # Form POST to login returns server error:
    $ curl -X POST https://company-e-crm.example.com/Account/Login \
        -d "Email=test@test.example.com&Password=wrong"
    HTTP 500                                       ← Internal Server Error (unhandled exception)

Impact: The probe above carried no __RequestVerificationToken, so the 500 may well be the anti-forgery validation exception (HttpAntiForgeryException) escaping unhandled rather than a crash in credential checking; either way the behaviour is wrong, since a missing token should yield a handled 400/403 and bad credentials a 401. 500 errors in authentication flows can leak stack traces, connection strings, or internal paths in some configurations, and they show that the auth path crashes on unexpected input, a starting point for denial of service or error-based information disclosure.

✅ Remediation

  • Add proper exception handling in the login controller
  • Return 401 Unauthorized for failed authentication and 400/403 for a missing or invalid anti-forgery token, never 500
  • Ensure custom error pages catch all unhandled exceptions

🔵 Low Severity Findings

LOW

L-01: TLS Certificates - 90-Day Validity, No Shared Wildcard

All domains use Let's Encrypt certificates with 90-day validity and no wildcard. The short lifetime is by design and limits the exposure of a compromised key, so this is an operational rather than a security finding: an outage follows if automated renewal silently fails on any of the separately managed hosts. A wildcard certificate would reduce the number of renewals but would also share one private key across every host, so the better fix is renewal monitoring and expiry alerting rather than a wildcard.

    company-e.example.com         : Let's Encrypt E8  (Jan 28 - Apr 28, 2026)
    company-e-crm.example.com     : Let's Encrypt R12 (Feb 27 - May 28, 2026)
    company-e-monitor.example.com : Let's Encrypt R12 (Feb 25 - May 26, 2026)
    company-e-dialer.example.com  : Let's Encrypt E7  (Feb 3 - May 4, 2026)
LOW

L-02: No security.txt File

Affected: All domains

No /.well-known/security.txt file found. This file (RFC 9116) helps security researchers report vulnerabilities responsibly.

LOW

L-03: SAN Information Disclosure in SSL Cert

The certificate for company-e-monitor.example.com lists variableconsultancy.com in its Subject Alternative Names, revealing a related domain that was not otherwise documented. Certificate Transparency logs already make every SAN public, so this is a discoverability note rather than a leak to fix; the point is that the related domain belongs in the asset inventory and in scope.

LOW

L-04: robots.txt References Non-Primary Subdomain

The robots.txt on company-e.example.com references https://newvs.company-e.example.com/sitemap.xml, leaking an Azure-hosted subdomain (10.0.5.6) that may be a staging/preview environment.

ℹ️ Informational Findings

INFO

I-01: Full Subdomain Map Discovered

Multiple subdomains discovered through DNS enumeration, SSL certificate SANs, and robots.txt analysis. Total of 10 distinct hostnames across 7 unique IP addresses were identified.

INFO

I-02: Mixed Technology Stack

Infrastructure uses 4 different server technologies: Apache (Ubuntu), IIS 10.0, Kestrel, and Node.js/Express. This increases the attack surface and maintenance burden.

INFO

I-03: Multiple Email Providers

Email handled by Microsoft 365 (company-e.example.com), Zoho Mail (company-e-crm.example.com, WHM, company-e-dialer.example.com), plus MailerLite and sendersrv.com for marketing. Fragmented email infra increases misconfiguration risk.

INFO

I-04: company-e-dialer.example.com Shares IP with Main Site

Both company-e.example.com and company-e-dialer.example.com resolve to 10.0.5.1 (Hosting Provider). While not inherently a vulnerability, co-hosted services can impact each other if one is compromised.

INFO

I-05: VSCRM API Data Model Fully Exposed

The /api/Login response reveals 16+ internal field names including: SessionId, UserName, ImageUrl, Email, FirebaseTokenId, IsCompanyHaveIpBasedAuthentication, IsIpValid, MachineIp, CompanyGuId, UserType, additionalFeatures, IsTrackingAllow, IsSelfieRequired, CheckListRights, IsDateRangeCalendarDisplay. This reveals Firebase integration, IP-based auth, selfie verification, and multi-tenant company GUID architecture.

PASS

I-06: Positive Findings

  • All primary domains correctly redirect HTTP → HTTPS (except dev)
  • company-e-crm.example.com has HSTS enabled with max-age=31536000
  • company-e-crm.example.com cookies have Secure flag set
  • company-e-crm.example.com properly handles error routes (302 to /Error/NotFound)
  • company-e.example.com SPF uses strict -all (hardfail)
  • Anti-CSRF tokens (RequestVerificationToken) present on CRM
  • HttpOnly flag set on session cookies across all domains
  • company-e-dialer.example.com uses modern Kestrel server (minimal header leakage)
  • TLS 1.2 with forward-secret ECDHE key exchange and AES-256-GCM (SHA-384) on all domains
  • TLS 1.1 correctly rejected on company-e.example.com

🎯 Priority Remediation Roadmap

Priority | Effort | Action | Finding
--- | --- | --- | ---
P0 | 30 min | Restrict dev.company-e.example.com behind VPN/IP allow-list or remove the DNS record | C-01, C-02
P0 | 30 min | Decommission old.company-e.example.com or restrict access | H-05
P0 | 1 hour | Fix VSCRM /api/Login: generic error message, strip null fields, add rate limiting (5 req/min/IP) | C-04
P0 | 30 min | Disable verbose errors on dev: customErrors mode="On", generic error pages | C-05
P1 | 1 hour | Fix CORS policy: replace * with specific origins on company-e-crm.example.com and change X-Frame-Options to DENY | C-03
P1 | 1 hour | Add DMARC records to all 4 domains and merge the duplicate SPF records on WHM | H-01, H-02, M-06
P1 | 30 min | Configure DKIM signing in the Zoho and Microsoft 365 admin panels | H-03
P1 | 30 min | Secure SignalR hubs: [Authorize] on hubs, disable runtime proxy generation | H-06
P1 | 1 hour | Fix WHM routing: return 404 for /backup, /data, /uploads, etc.; fix the /Admin 500 | H-07
P2 | 2 hours | Add security headers (CSP, HSTS, X-Content-Type-Options, Referrer-Policy) on all domains | M-01, M-02
P2 | 1 hour | Remove version headers and configure custom error pages on IIS | M-01, M-04
P2 | 30 min | Fix cookie security (Secure flag) and disable TRACE | M-03, M-05
P3 | Ongoing | Confirm the installed .NET Framework version (update to 4.8.x if older) and plan the migration to .NET 8+ LTS | H-04
P3 | 15 min | Add security.txt to all domains | L-02

🔍 Methodology & Scope

Techniques Used

  • DNS Enumeration (A, MX, TXT, NS, CNAME, SOA)
  • Subdomain Discovery (dictionary-based)
  • SSL/TLS Certificate Analysis
  • HTTP Response Header Analysis
  • Security Header Audit (OWASP)
  • Cookie Security Analysis
  • CORS Configuration Testing
  • Email Security (SPF/DKIM/DMARC)
  • Sensitive Path Discovery
  • HTTP Method Testing
  • Reverse DNS Lookup
  • Technology Fingerprinting

Out of Scope (Not Performed)

  • Active vulnerability scanning (Nessus, Burp, etc.)
  • Port scanning (Nmap)
  • SQL injection / XSS testing
  • Authentication brute force
  • API endpoint fuzzing
  • File upload testing
  • Business logic testing
  • Mobile application analysis
  • Source code review
  • Social engineering

Disclaimer: This was a passive reconnaissance and header-level analysis, supplemented by a small number of non-intrusive HTTP requests (status probes, a handful of login POSTs with invalid credentials, a single Origin-header test). No exploitation or intrusive testing was performed. A full penetration test with active tooling (Burp Suite, Nessus, SQLMap, etc.) would likely uncover additional vulnerabilities, particularly in application logic, authentication, API security, and input validation.