paragonroyale.com presents a moderate attack surface with a Python/Uvicorn backend behind Caddy, exposed admin endpoints without apparent authentication enforcement, and missing security headers. No critical vulnerabilities like SQL injection or XSS were confirmed by automated tools, but the exposed administrative API surface and OpenAPI documentation represent significant risk if not properly secured server-side.
Category: exposure
Multiple administrative endpoints were discovered through JavaScript bundle analysis and crawling. These include scraper controls, meta generation, maintenance mode toggles, and API testing endpoints. If these lack proper server-side authentication and authorization, they could allow unauthorized administrative actions.
Evidence: /cr/admin/scraper/run, /cr/admin/meta/refresh, /cr/admin/meta/snapshot, /cr/admin/meta/generate, /cr/admin/meta/maintenance, /cr/admin/deck-status, /cr/admin/apitest — all found in index-DWDwtvw4.js by katana, gospider, and linkfinder
Attack Vector: An attacker enumerates admin routes from the JS bundle and attempts direct access. If authorization is missing or bypassable, they could trigger scraper runs, modify metadata, toggle maintenance mode, or abuse the API test endpoint.
Remediation: Ensure all /cr/admin/* endpoints enforce server-side authentication and role-based authorization. Remove admin route references from client-side JavaScript bundles served to unauthenticated users. Consider separating admin UI into a distinct build.
Detected by: katana, gospider, linkfinder, feroxbuster
Category: exposure
Feroxbuster discovered /docs, /docs/oauth2-redirect, and /openapi.json endpoints, which are default FastAPI/Uvicorn auto-generated documentation pages. These expose the full API schema including all endpoints, parameters, and data models to anyone.
Evidence: feroxbuster found https://paragonroyale.com/openapi.json, https://paragonroyale.com/docs, https://paragonroyale.com/docs/oauth2-redirect
Attack Vector: An attacker uses /openapi.json to map the complete API surface, identify parameter names, authentication flows (OAuth2), and hidden endpoints — dramatically reducing reconnaissance effort for targeted attacks.
Remediation: Disable /docs and /openapi.json in production by setting docs_url=None, redoc_url=None, and openapi_url=None in the FastAPI application constructor, or restrict access via Caddy to authenticated admin users only.
Detected by: feroxbuster
Category: config
The X-Frame-Options header is not set, which could allow the site to be embedded in iframes on malicious domains, enabling clickjacking attacks against authenticated users.
Evidence: Nikto: 'The anti-clickjacking X-Frame-Options header is not present.'
Attack Vector: An attacker embeds paragonroyale.com in a transparent iframe overlaid on a decoy page, tricking authenticated users into performing unintended actions (e.g., triggering admin functions, changing settings).
Remediation: Add an X-Frame-Options: DENY or Content-Security-Policy: frame-ancestors 'none' header in the Caddy configuration. Example Caddyfile directive (placed inside the site block): header X-Frame-Options DENY
Detected by: nikto
Category: config
The SSH server accepts NIST P-256, P-384, and P-521 elliptic curve Diffie-Hellman key exchange algorithms, which are flagged by ssh-audit as potentially compromised curves. Additionally, diffie-hellman-group14-sha256 uses only a 2048-bit modulus providing 112-bit symmetric strength.
Evidence: ssh-audit: '(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency', same for nistp384 and nistp521. '(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength'
Attack Vector: A state-level adversary with access to potential curve backdoors could compromise SSH session key exchange. Practically low risk for most threat models.
Remediation: Restrict SSH key exchange algorithms in /etc/ssh/sshd_config to: KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Detected by: ssh-audit
Category: config
The TLS certificate for paragonroyale.com expires on 2026-05-12, approximately 52 days from now. While Caddy typically handles auto-renewal via ACME, this should be monitored.
Evidence: nmap ssl-cert: 'Not valid before: 2026-02-11T21:17:53, Not valid after: 2026-05-12T21:17:52'
Attack Vector: If auto-renewal fails, an expired certificate will cause browser warnings, loss of user trust, and potential downgrade to HTTP if HSTS is not enforced.
Remediation: Verify Caddy's ACME auto-renewal is functioning correctly. Set up monitoring/alerting for certificate expiry (e.g., via uptime monitoring service). Caddy should auto-renew ~30 days before expiry.
Detected by: nmap, testssl
Category: config
The domain's SPF record uses ~all (soft fail) rather than -all (hard fail), meaning spoofed emails from this domain may be delivered rather than rejected by recipient mail servers.
Evidence: dnsx TXT record: 'v=spf1 include:spf.efwd.registrar-servers.com ~all'
Attack Vector: An attacker spoofs emails from @paragonroyale.com for phishing. With soft fail, many mail servers will deliver the spoofed email (possibly to spam) rather than rejecting it outright.
Remediation: Change ~all to -all in the SPF record once you've confirmed all legitimate sending sources are included. Also consider adding DMARC (p=reject) and DKIM records.
Detected by: dnsx
Category: network
No web application firewall was detected protecting the application. While not a vulnerability itself, it means the application relies entirely on its own code for input validation and attack prevention.
Evidence: wafw00f: 'No WAF detected by the generic detection'
Attack Vector: Without a WAF, common attack payloads (SQLi, XSS, path traversal) reach the application directly without any external filtering layer.
Remediation: Consider deploying a WAF (e.g., Cloudflare, AWS WAF, or ModSecurity) as a defense-in-depth measure, especially given the exposed API surface.
Detected by: wafw00f
| Tool | Status | Duration |
|---|---|---|
| ✅ nmap | success | 45017ms |
| ❌ nuclei | error | 608296ms |
| ✅ nikto | success | 147726ms |
| ✅ zap-baseline | success | 18920ms |
| ✅ sqlmap | success | 58153ms |
| ✅ subfinder | success | 12231ms |
| ✅ httpx | success | 37442ms |
| ✅ testssl | success | 442567ms |
| ✅ feroxbuster | success | 330326ms |
| ✅ katana | success | 61331ms |
| ✅ dalfox | success | 52108ms |
| ✅ dnsx | success | 47139ms |
| ✅ wpscan | success | 91905ms |
| ✅ trufflehog | success | 97541ms |
| ✅ masscan | success | 65327ms |
| ✅ amass | success | 471957ms |
| ✅ whatweb | success | 68111ms |
| ✅ ffuf | success | 38020ms |
| ✅ gospider | success | 67538ms |
| ✅ arjun | success | 67525ms |
| ✅ gitleaks | success | 52362ms |
| ✅ wafw00f | success | 58259ms |
| ✅ jwt_tool | success | 58018ms |
| ✅ linkfinder | success | 75518ms |
| ✅ gowitness | success | 37784ms |
| ✅ ssh-audit | success | 24618ms |