VulnHR - HR Portal — Vulnerability Answer Key¶

Lab ID: vulnhr
Target URL: http://vulnhr.test:7331/
Total Vulnerabilities: 91
Source: SOLUTION_KEY.md

Severity Distribution¶

Severity	Count
Critical	12
High	37
Medium	39
Low	3
Total	91

Skill Coverage¶

Skill	Vulnerabilities
`test-access`	15
`test-auth`	14
`test-injection`	13
`scan`	10
`test-logic`	8
`test-api`	5
`test-exceptions`	5
`test-client`	5
`test-ssrf`	4
`test-advanced`	4
`test-supply-chain`	3
`test-deser`	2
`test-crypto`	2
`test-infra`	1

Vulnerability Table¶

ID	Name	Cat	Severity	CVSS	Endpoint	Method	Skill
A01-041	Mass Assignment on Employee Salary/IBAN	A01	Critical	9.1	`/api/v1/employees/{id}`	PUT	`test-access`
A02-03	Segreto JWT Debole e Hardcoded	A02	Critical	9.1	`/api/v1/auth/login`	POST	`test-auth`
A03-01	SQL Injection nella Directory Dipendenti	A03	Critical	9.8	`/rubrica`	GET	`test-injection`
A03-03	SQL Injection nella Ricerca Avanzata Annunci	A03	Critical	9.8	`/annunci`	GET	`test-injection`
A03-08	Command Injection nell'Export Dipendenti	A03	Critical	9.8	`/管理/エクスポート/dipendenti/zip`	GET	`test-injection`
A03-09	SQL Injection in Query GraphQL SearchEmployees	A03	Critical	9.8	`/graphql`	POST	`test-injection`
A05-09	File .env Accessibile via URL	A05	Critical	9.8	`/.env`	GET	`scan`
A06-03	n8n Workflow Engine con CVE-2026-21858 (Content-Type Confusion RCE)	A06	Critical	9.8	`http://<host>:5678/form/*`	POST	`test-supply-chain`
A07-004	API Endpoints Accessible Without Authentication	A07	Critical	9.3	`/api/v1/*`	GET/POST	`test-auth`
A08-01	Insecure Deserialization (PHP unserialize)	A08	Critical	9.8	`/管理/設定`	PUT	`test-deser`
BL-11	Insecure Deserialization via Cookie Preferenze	BL	Critical	9.8	`/`	GET	`test-deser`
X08	JWT Algorithm Confusion	X	Critical	9.1	`/api/v1/*`	GET	`test-auth`
A01-02	Esposizione Dati Sensibili tramite API Dipendenti	A01	High	7.5	`/api/v1/employees/{id}`	GET	`test-access`
A01-04	Mass Assignment su Profilo e Utenti	A01	High	8.8	`/profilo`	PUT	`test-access`
A01-05	Rotte Admin Senza Controllo Ruolo	A01	High	7.5	`/管理/システム/情報`	GET	`test-access`
A01-06	API Dipendenti Senza Controllo Permessi	A01	High	8.1	`/api/v1/employees/{id}`	DELETE	`test-access`
A01-10	Query GraphQL Senza Autorizzazione	A01	High	7.5	`/graphql`	POST	`test-api`
A01-12	Mutation GraphQL updateSystemSetting Senza Controllo Admin	A01	High	8.8	`/graphql`	POST	`test-api`
A02-01	Password Legacy con MD5	A02	High	7.5	`/login`	POST	`test-crypto`
A02-02	Generazione Token API con MD5 Prevedibile	A02	High	7.5	`/管理/API/token`	POST	`test-crypto`
A03-02	SQL Injection in ORDER BY (Report e Ferie)	A03	High	8.6	`/hr/conges/report`	GET	`test-injection`
A03-05	Stored XSS negli Annunci	A03	High	7.2	`/hr/annunci`	POST	`test-injection`
A03-07	LDAP Injection	A03	High	8.1	`/login`	POST	`test-injection`
A03-10	Second-Order SQL Injection tramite Note Dipendente	A03	High	8.8	`/hr/report/annotazioni`	GET	`test-injection`
A04-03	Assenza di Rate Limiting sul Login	A04	High	7.5	`/login`	POST	`test-auth`
A04-05	Token di Reset Password Prevedibile	A04	High	8.1	`/password/email`	POST	`test-auth`
A05-001	Git Repository Exposed (/.git/config, /.git/HEAD)	A05	High	8.7	`/.git/`	GET	`test-exceptions`
A05-01	CORS Permissivo con Credenziali	A05	High	7.5	`*`	OPTIONS	`test-client`
A05-06	Redis Senza Autenticazione	A05	High	7.5	`redis:6379`	TCP	`scan`
A06-02	Dipendenza PHP con CVE Nota (phpspreadsheet)	A06	High	7.5	`*`	N/A	`test-supply-chain`
A07-02	Session Fixation (Nessuna Rigenerazione ID dopo Login)	A07	High	7.5	`/login`	POST	`test-auth`
A07-04	Password Default Uguale per Tutti gli Account Generati	A07	High	7.5	`/login`	POST	`test-auth`
A08-02	XXE (XML External Entity) nei Webhook	A08	High	7.5	`/api/v1/webhooks/receive`	POST	`test-injection`
A09-02	Password in Chiaro nei Log	A09	High	7.5	`/login`	POST	`test-exceptions`
A10-01	SSRF nell'Anteprima URL e Test Webhook	A10	High	7.5	`/api/v1/webhooks/test`	POST	`test-ssrf`
A10-02	SSRF nell'Import Dipendenti da URL	A10	High	7.5	`/api/v1/employees/import`	POST	`test-ssrf`
A10-040	Server-Side Request Forgery (SSRF) via Employee Import URL	A10	High	8.7	`/api/v1/employees/import`	POST	`test-ssrf`
BL-01	BOLA su Risorse Annidate (Nested API)	BL	High	7.5	`/api/v1/employees/{employeeId}/payslips/{p...`	GET	`test-access`
BL-03	Batch Operation senza Verifica Per-Item	BL	High	7.1	`/hr/bulk/status-update`	POST	`test-access`
BL-06	State Machine Bypass (Force Parameter)	BL	High	7.1	`/api/v1/leaves/{id}/approve`	POST	`test-logic`
BL-07	Salary Correction con Percentuale Negativa	BL	High	7.5	`/hr/bulk/salary-correction`	POST	`test-logic`
BL-08	Mass Assignment Inconsistenza JSON vs Form-Data	BL	High	8.1	`/api/v1/profile/password`	PUT	`test-access`
BL-09	SSRF via URL Redirect Chain	BL	High	8.6	`/hr/annunci/link-preview`	POST	`test-ssrf`
BL-10	GraphQL IDOR - Payslip Senza Ownership Check	BL	High	7.5	`/graphql`	POST	`test-api`
BL-12	Account Takeover via Token nel Response (Debug Mode)	BL	High	8.1	`/password/email`	POST	`test-auth`
X01	Path Traversal nel Download Documenti	X	High	7.5	`/documenti/download`	GET	`test-injection`
X02	Upload File Senza Validazione MIME Type	X	High	8.8	`/careers/{id}/apply`	POST	`test-logic`
X12	File Sensibili Accessibili via Web	X	High	7.5	`/.git/config`	GET	`scan`
X13	Upload Attachment Ticket Senza Validazione MIME	X	High	7.2	`/chamados/{id}/comentario`	POST	`test-logic`
A01-01	IDOR su Buste Paga Dipendenti	A01	Medium	6.5	`/Gehaltsabrechnung/{id}`	GET	`test-access`
A01-03	Approvazione Ferie Senza Controllo Permessi	A01	Medium	6.5	`/manager/conges/{id}/approuver`	POST	`test-access`
A01-07	Upload Documenti in Directory Pubblica	A01	Medium	5.3	`/documenti/download`	GET	`test-access`
A01-08	IDOR su Ticket di Supporto	A01	Medium	5.4	`/chamados/{id}`	GET	`test-access`
A01-09	Modifica Stato Richiesta Ferie tramite Mass Assignment	A01	Medium	6.5	`/conges/{id}`	PUT	`test-access`
A01-11	Audit Log Accessibile a Tutti gli Utenti	A01	Medium	5.3	`/graphql`	POST	`test-access`
A03-04	Reflected XSS nei Risultati di Ricerca	A03	Medium	6.1	`/cerca`	GET	`test-injection`
A03-06	Stored XSS nei Ticket e Commenti	A03	Medium	6.1	`/chamados/{id}/comentario`	POST	`test-injection`
A03-11	DOM XSS via location.hash nella Dashboard	A03	Medium	6.1	`/dashboard`	GET	`test-client`
A03-12	DOM XSS via jQuery .html() nella Rubrica Aziendale	A03	Medium	6.1	`/rubrica`	GET	`test-client`
A03-13	DOM XSS via postMessage senza Verifica Origin	A03	Medium	6.5	`/hr/dipendenti`	GET	`test-client`
A04-01	Race Condition nell'Approvazione Massiva Ferie	A04	Medium	5.9	`/hr/bulk/approve-leaves`	POST	`test-logic`
A04-02	Nessuna Validazione Date Future per Richieste Ferie	A04	Medium	4.3	`/conges`	POST	`test-logic`
A04-04	Enumerazione Utenti tramite Messaggi di Errore	A04	Medium	5.3	`/login`	POST	`test-auth`
A05-02	Debug Mode Abilitato in Produzione	A05	Medium	5.3	`*`	GET	`test-exceptions`
A05-03	Server Tokens Nginx Abilitati	A05	Medium	5.3	`*`	GET	`scan`
A05-04	phpinfo() Esposto Pubblicamente	A05	Medium	5.3	`/phpinfo.php`	GET	`scan`
A05-05	Endpoint /system/info Espone Informazioni Sensibili	A05	Medium	5.3	`/管理/システム/情報`	GET	`test-exceptions`
A05-07	PHP display_errors e expose_php Abilitati	A05	Medium	5.3	`*`	GET	`scan`
A05-08	Cookie di Sessione Senza Flag Secure e SameSite	A05	Medium	4.3	`*`	GET	`test-auth`
A05-10	Missing Content-Security-Policy Header	A05	Medium	4.3	`*`	GET	`scan`
A06-01	jQuery 2.2.4 con Vulnerabilita Note	A06	Medium	6.1	`*`	GET	`test-supply-chain`
A07-01	Logout Senza Invalidazione Sessione	A07	Medium	4.3	`/logout`	POST	`test-auth`
A07-03	Policy Password Debole	A07	Medium	5.3	`/registrazione`	POST	`test-auth`
A07-05	Token Sanctum Senza Scadenza	A07	Medium	5.4	`/api/v1/auth/login`	POST	`test-auth`
A07-06	Sessioni Concorrenti Illimitate	A07	Medium	4.3	`/api/v1/auth/login`	POST	`test-auth`
A08-03	CSV Injection nell'Export Dipendenti	A08	Medium	6.1	`/hr/dipendenti/export`	GET	`test-injection`
BL-02	HTTP Parameter Pollution (HPP) nell'Audit Log	BL	Medium	5.4	`/api/v1/employees/{id}`	PUT	`test-advanced`
BL-04	Giorni Ferie Negativi (Business Logic Bypass)	BL	Medium	6.5	`/api/v1/leaves/{id}`	PUT	`test-logic`
BL-05	Self-Approval delle Richieste Ferie	BL	Medium	6.5	`/api/v1/leaves/{id}/approve`	POST	`test-logic`
X03	Open Redirect nel Login	X	Medium	4.7	`/login`	POST	`test-advanced`
X04	Host Header Injection	X	Medium	5.4	`/password/email`	POST	`test-advanced`
X05	HTTP Method Override	X	Medium	4.3	`/api/v1/employees/{id}`	PUT	`test-advanced`
X06	Cache Poisoning tramite Host Header	X	Medium	5.4	`/`	GET	`test-infra`
X07	GraphQL Introspection Abilitata	X	Medium	5.3	`/graphql`	POST	`test-api`
X10	Prototype Pollution in JavaScript	X	Medium	6.1	`/dashboard`	GET	`test-client`
X11	Directory Listing Abilitato su /uploads/	X	Medium	5.3	`/uploads/`	GET	`scan`
X14	Identificativi Documenti Predicibili (UUID v1)	X	Medium	5.3	`/api/v1/documents/{public_id}`	GET	`test-access`
X15	GraphQL Batching e Alias Amplification	X	Medium	5.3	`/graphql`	POST	`test-api`
A05-11	Missing Strict-Transport-Security (HSTS)	A05	Low	3.1	`*`	GET	`scan`
A05-12	Missing Security Headers (X-Content-Type-Options, Referrer-Policy, Permissions-Policy)	A05	Low	3.1	`*`	GET	`scan`
A09-01	Tentativi di Login Falliti Non Registrati	A09	Low	3.3	`/login`	POST	`test-exceptions`

OWASP Category Breakdown¶

Category	Name	Count
A01	Broken Access Control	13
A02	Cryptographic Failures	3
A03	Injection	13
A04	Insecure Design	5
A05	Security Misconfiguration	13
A06	Vulnerable and Outdated Components	3
A07	Identification and Authentication Failures	7
A08	Software and Data Integrity Failures	3
A09	Security Logging and Monitoring Failures	2
A10	Server-Side Request Forgery	3
BL	Business Logic e Controllo Accessi	12
X	Extra - Altre Vulnerabilita	14

Last updated: 2026-03-23
91 verified findings — answer key for automated lab evaluation