β BACK TO KAMPUNG
π‘οΈ SECURITY CITADEL
OWASP vulnerability scanning Β· GCP hardening Β· Nothing ships without clearance.
87
/100
3
Open Issues
2
Warnings
18
Passed Checks
2h ago
Last Scan
// OWASP TOP 10 CHECKLIST
A01 β Broken Access Control
PASSA02 β Cryptographic Failures
PASSA03 β Injection (SQL/XSS)
WARNA04 β Insecure Design
PASSA05 β Security Misconfiguration
FAILA06 β Vulnerable Components
PASSA07 β Auth Failures
PASSA08 β Software Data Integrity
WARNA09 β Security Logging
PASSA10 β Server-Side Request Forgery
FAIL// GCP HARDENING CHECKLIST
HTTPS + TLS 1.3 enforced
PASSFirewall: only 80/443 open
PASSSSH key-only (no password)
PASSOS auto-updates enabled
FAILLet's Encrypt SSL valid
PASSNo default credentials
PASSAPI keys in env file (not code)
PASSIAM least-privilege principle
REVIEWNginx rate limiting active
PASSSensitive headers stripped
PASS// RUN SECURITY SCAN
// LATEST FINDINGS β netlab.labsoft.uk
| SEVERITY | ISSUE | LOCATION | ACTION |
|---|---|---|---|
| HIGH | Server-Side Request Forgery possible via proxy endpoint | /api/proxy | Restrict allowed hostnames |
| HIGH | OS auto-updates disabled β kernel 5.15.0-101 (EOL soon) | Server | Run: sudo apt upgrade |
| MEDIUM | Input not sanitized before SQL query in feedback form | /api/feedback | Use parameterized queries |
| MEDIUM | IAM service account has Owner role β too broad | GCP IAM | Reduce to specific roles |
| INFO | Content-Security-Policy header missing on 3 pages | analyzer.html, qr.html, feedback.html | Add CSP headers in Nginx |