Sample Report — Demo Data

Security Scan Report

This is a representative scan of an AI-generated CRM app. All findings are based on real detection patterns.

https://demo-crm-app.example.com
Completed Mar 2026 · Scan time 4m 31s · Stack: Supabase + Vercel · 17 scanners
Score 30/100 · Grade F
Findings by severity: Critical 2 · High 4 · Medium 6 · Low 5 · Info 4
Findings
Critical: Supabase database fully exposed — 2,847 user records accessible
Scanner: 07-baas-exploit · CWE: CWE-284 · Confidence: Confirmed · Endpoint: /rest/v1/users
The Supabase anon key was found in the JavaScript bundle. Combined with missing Row Level Security policies, any visitor can query the entire users table directly via the PostgREST API.
  GET /rest/v1/users?select=* HTTP/1.1
  Host: xxxxxxxx.supabase.co
  apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

  → 200 OK — 2,847 rows returned
  → Columns: id, email, full_name, password_hash, phone, created_at
  → Includes: payment records, session tokens, internal notes
Critical: SQL injection on /api/search — database extraction confirmed
Scanner: 05-injection · CWE: CWE-89 · Type: Error-based + Time-based · Endpoint: /api/search
The search API is vulnerable to SQL injection. An attacker can extract arbitrary data from the database, including user credentials and payment information.
  POST /api/search HTTP/1.1
  Content-Type: application/json

  {"q": "' UNION SELECT email,password_hash FROM users--"}

  → 200 OK — Database responded with user credentials

  Time-based confirmation:
  {"q": "'; WAITFOR DELAY '0:0:5'--"}
  → Response delayed 5.02 seconds — injection confirmed
High: Backend infrastructure URLs exposed in JavaScript bundle
Internal API endpoints and service URLs are hardcoded in the frontend JavaScript, including database connection strings and admin panel paths.
  Found in /assets/index-D50a0yBn.js:
  SUPABASE_URL = "https://xxxxxxxx.supabase.co"
  SUPABASE_ANON_KEY = "eyJhbGci..."
  STRIPE_PK = "pk_live_..."
  ADMIN_API = "/api/admin/dashboard"
High: No rate limiting on authentication endpoints
Login and registration endpoints accept unlimited requests. Brute-force attacks are feasible at ~33 attempts per second with no blocking.
  POST /api/auth/login × 100 requests in 3s
  → All returned 401 — no blocking, no delays
  → Brute force feasible at ~33 attempts/second
High: CORS allows any origin — credential theft possible
The API responds with Access-Control-Allow-Origin: * combined with credentials mode. Any website can make authenticated requests on behalf of logged-in users.
High: JWT signed with weak secret — brute-forced in 0.3s
JWT tokens are signed with the weak secret "secret123". An attacker can forge valid tokens for any user.
Medium: Missing Content-Security-Policy header
Medium: Sensitive data in localStorage — session tokens persist
Medium: Missing Strict-Transport-Security header
Medium: DMARC policy set to "none" — email spoofing possible
Medium: Directory listing enabled on /uploads
Medium: X-Content-Type-Options header not set
Low: Server version exposed in response headers
Low: Cookies missing Secure flag
Low: Referrer-Policy not configured
Low: X-Frame-Options not set — clickjacking possible
Low: External resources loaded without SRI
Info: Server software: Vercel Edge Network
Info: Platform detected: Supabase + React
Info: SSL certificate valid — expires in 74 days
Info: 3 subdomains discovered

DATA BREACH — CONFIRMED

The following data was extracted without authentication:

2,847 records exposed · 6 data tables breached · 3 critical data leaks

Exposed data categories:
  • Users: 2,847
  • Credentials: 2,412
  • Payment Records: 1,203
  • Orders: 814
  • Contacts: 436
  • Internal Notes: 147

View real stolen data

See exactly what was taken — credentials, records, and the commands used to extract them.

This data is publicly accessible right now.
Included: stolen credentials · reproduction commands · full fix plan
Unlock Full Security Audit — $39
One-time payment · No subscription · Domain verification required
Security Grades

TLS / SSL: A
  • TLS 1.3 supported
  • TLS 1.2 supported
  • Strong cipher suites
  • OCSP stapling enabled
  • Certificate valid (74 days)
  • HSTS header not set

Security Headers: D (all six missing)
  • X-Content-Type-Options: not set
  • X-Frame-Options: not set
  • Content-Security-Policy: not set
  • Strict-Transport-Security: not set
  • Referrer-Policy: not set
  • Permissions-Policy: not set

Email Security: D
  • SPF record present
  • DKIM not configured
  • DMARC policy is "none"

Authentication: F
  • No rate limiting
  • Weak JWT secret
  • Sessions in localStorage
  • HTTPS on login form
Timeline

0:00  01-recon completed — fingerprinted Supabase + React + Vercel
      3 subdomains discovered, admin panel not found
0:18  02-headers completed — 4 missing headers detected
      CSP, HSTS, Referrer-Policy, Permissions-Policy absent
0:42  03-endpoints completed — 23 endpoints discovered
      Directory listing found on /uploads
1:05  04-auth-attack completed — JWT weak secret brute-forced
      Secret "secret123" found in 0.3s, no rate limiting detected
1:38  05-injection completed — SQL injection confirmed
      Time-based blind on /api/search, error-based on /api/products
1:52  06-bundle-secrets completed — 3 secrets found in JS bundles
      Supabase key, Stripe publishable key, admin API path
2:14  07-baas-exploit completed — Supabase DB fully exposed
      2,847 user records accessible via anon key, no RLS
2:30  08-api-abuse completed — CORS misconfiguration
      Access-Control-Allow-Origin: * with credentials
2:48  09-crypto-audit completed — no issues
      No client-side crypto misuse detected
3:01  10-supply-chain completed — no issues
      No known vulnerable dependencies in loaded scripts
3:15  11-platform-vulns completed — no CVEs
      Platform version checks passed
3:28  12-ssl-tls completed — Grade A
      TLS 1.3 supported, strong ciphers, cert valid 74 days
3:42  13-email-security completed — DKIM/DMARC issues
      SPF present, DKIM missing, DMARC policy "none"
4:08  14-creative-checks completed — no issues
      No unconventional attack vectors found
4:22  15-git-exploit completed — no exposed .git
      No git config leaks detected
4:31  Scan complete — 21 findings across 17 scanners
      Score: 30/100 · Grade: F

Detected Technologies

React 18 · Supabase · Vercel · PostgREST · Stripe.js · Vite · Tailwind CSS

Discovered Endpoints (23)

/rest/v1/users
/api/search
/api/auth/login
/api/auth/register
/api/products
/api/orders
/api/contacts
/api/admin/dashboard
/uploads/
/.well-known/
/assets/index.js
/sitemap.xml

Subdomains

demo-crm-app.example.com
api.demo-crm-app.example.com
cdn.demo-crm-app.example.com

Domain verification required
Full vulnerability details, evidence, and stolen data are only accessible after you verify domain ownership via DNS TXT record, file upload, or HTML meta tag. This ensures only site owners can view their security findings.

Scan your own app

Get a report like this in 5 minutes. No setup, no code access required.

Start free security scan