🔍 Description
Analysis of the source code reveals a critical security weakness in the window.APP_SETTINGS configuration object embedded directly in index.html. The application hardcodes sensitive infrastructure details, including the direct origin IP address of the compute node and internal backend endpoints, and leaves debug mode enabled in a production artifact.
Vulnerable Code Snippet:

```javascript
window.APP_SETTINGS = Object.assign({
  debug: true, // ERROR: Debug mode enabled in production
  mqtt_server: "platform-mqtt.wow.env.asia",
  // ...
  ip_compute: '69.197.168.145', // CRITICAL: Hardcoded Origin IP
  hostname: "http://127.0.0.1:8080/", // Leak of dev environment
  // ...
});
```
💥 Impact Assessment
This is not just a configuration error; it is a direct roadmap for attackers to compromise your infrastructure:
WAF Bypass (Critical): By exposing the direct IP address 69.197.168.145, you allow attackers to bypass any protection layers (Cloudflare, AWS WAF, etc.) sitting in front of your domain. This IP can be scanned directly for unpatched services (SSH, Database ports) or targeted for DDoS attacks that a CDN cannot filter.
Information Disclosure: debug: true exposes stack traces, Redux state changes, and sensitive logic flows in the browser console, significantly aiding in reverse engineering.
Internal Network Mapping: Leaking platform-mqtt.wow.env.asia and internal ports (9003) allows attackers to map your backend architecture and target specific services.
📸 Proof of Concept (PoC)
Navigate to the target file in the repository: frontend/public/index.html.
Locate lines where the <script id="app-settings"> block is defined.
Observe the hardcoded public IP 69.197.168.145 and the debug: true flag active in the configuration object.
🛠 Remediation
Immediate Action: Rotate the IP address 69.197.168.145 if it is currently active, as it is now public knowledge.
Code Fix: Remove all hardcoded IPs and sensitive secrets from the frontend source. Use environment variables (e.g., process.env.REACT_APP_...) injected during the CI/CD build process.
Configuration: Ensure debug: false is forced for all production builds.
Network Security: Configure the origin server to only accept traffic from your Load Balancer or CDN IP ranges to prevent direct access.
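As an added example (not code from the original report or the project), the remediation and its check in JavaScript: `auditAppSettings` scans the `<script id="app-settings">` block of a built index.html for the three things the report flags (debug enabled, public IPv4 literals, loopback/dev hostnames) so it can run as a CI gate, and `renderAppSettings` generates the settings block from CI environment variables with debug forced off for production builds. The sample HTML, the 203.0.113.10 documentation address and the environment variable names are constructed assumptions.

```javascript
// Added example, not code from the original report. Constructed input: a
// minimal built index.html of the shape the report describes, with the
// TEST-NET-3 documentation address 203.0.113.10 standing in for a real origin IP.
const SAMPLE_INDEX_HTML = `<!doctype html><html><head><script id="app-settings">
window.APP_SETTINGS = Object.assign({
  debug: true,
  mqtt_server: "platform-mqtt.wow.env.asia",
  ip_compute: '203.0.113.10',
  hostname: "http://127.0.0.1:8080/",
});
</script></head><body></body></html>`;

// RFC 1918 private ranges plus loopback; anything else is treated as public.
function isPrivateOrLoopback(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// CI check: scan the app-settings script block (or a raw settings snippet) and
// return findings: debug flag on, public IPv4 literals, loopback/dev hostnames.
function auditAppSettings(text) {
  const m = text.match(/<script id="app-settings">([\s\S]*?)<\/script>/);
  const block = m ? m[1] : text;
  const findings = [];
  if (/\bdebug"?\s*:\s*true\b/.test(block)) findings.push({ key: 'debug', issue: 'debug enabled' });
  const kv = /"?(\w+)"?\s*:\s*(['"])(.*?)\2/g; // key: "string" pairs, JS or JSON style
  let pair;
  while ((pair = kv.exec(block)) !== null) {
    const [, key, , value] = pair;
    const ip = value.match(/\b(\d{1,3}(?:\.\d{1,3}){3})\b/);
    if (ip && !isPrivateOrLoopback(ip[1])) findings.push({ key, issue: `public IP ${ip[1]}` });
    if (/\b(localhost|127\.0\.0\.1)\b/.test(value)) findings.push({ key, issue: 'loopback/dev host' });
  }
  return findings;
}

// Build-time generator (the remediation): values come from the CI environment
// and debug is forced off for production. Variable names are assumptions.
function renderAppSettings(env) {
  const production = env.NODE_ENV === 'production';
  const settings = {
    debug: production ? false : env.APP_DEBUG === 'true',
    mqtt_server: env.REACT_APP_MQTT_SERVER || '',
    hostname: env.REACT_APP_API_HOSTNAME || '',
  };
  return `window.APP_SETTINGS = Object.assign(${JSON.stringify(settings)});`;
}
```

Running `auditAppSettings` over the generated block in the pipeline, and failing the build on any finding, keeps a hardcoded IP or a stray debug flag from reaching the published artifact.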