Chimera Vulnerability Inventory
This application contains 200+ intentional security vulnerabilities for WAF testing. NEVER deploy to production or expose to the internet without proper WAF protection.
Overview
The Chimera application (api-demo) is a Flask honeypot containing 200+ intentional vulnerabilities across 114+ endpoints designed specifically for testing Chimera WAF capabilities. This comprehensive inventory documents all security flaws by category, endpoint, and severity.
Quick Statistics
Vulnerability Categories
Critical Security Flaws
| Category | Count | Examples |
|---|---|---|
| No Authorization | 50+ | Direct access to sensitive operations without authentication |
| Sensitive Data Exposure | 40+ | SSN, credit cards, passwords, API keys, PHI |
| Information Disclosure | 35+ | System internals, configuration, version numbers |
| IDOR | 30+ | Direct object references without ownership checks |
| PHI/PII Exposure | 25+ | Medical records, genetic data, mental health notes |
| Rate Limiting Missing | 20+ | Brute force, DoS, resource exhaustion possible |
| Business Logic Flaws | 15+ | Race conditions, price manipulation, fraud |
| Privilege Escalation | 8+ | User to admin, role manipulation |
| SQL Injection | 4 | Authentication bypass, data extraction |
| Command Injection | 3 | Remote code execution |
| SSRF | 3 | Internal network access, cloud metadata |
| XXE Injection | 2 | File disclosure, SSRF |
| Insecure Deserialization | 2 | Remote code execution via pickle |
| Path Traversal | 2 | Arbitrary file access |
Authentication & Authorization Vulnerabilities
Critical Authentication Flaws
JWT Vulnerabilities
```http
POST /api/v1/auth/login
X-JWT-Algorithm: none
```
- Algorithm Confusion: Accepts “none” algorithm
- Unsigned Tokens: Base64-only tokens accepted
- No Signature Verification: Complete bypass possible
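The three JWT flaws above share one root cause: the server lets the token header choose the algorithm. The following verifier is an added example (not code from the api-demo application) of the opposite design: the allowed algorithm set is fixed server-side, an empty signature segment is rejected before any comparison, and the signature is checked in constant time. It is stdlib-only; `DEMO_KEY` and the `alice` claims are constructed, while `NONE_TOKEN` is the alg=none token quoted in this page's testing guide.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads this from a secret store, never from code.
DEMO_KEY = b"constructed-demo-hmac-key"
# The server decides which algorithms are acceptable; the token header never does.
ALLOWED_ALGS = {"HS256"}

# The alg=none token quoted in this inventory's testing guide (header {"alg":"none"}).
NONE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ."


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token (used here only to produce input for the verifier)."""
    header = _json_segment({"alg": "HS256", "typ": "JWT"})
    payload = _json_segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    Rejects, in order: malformed tokens, any algorithm outside ALLOWED_ALGS
    (which covers "none"), an empty signature segment, and a signature that
    does not match under the server-chosen algorithm.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    if not sig_b64:
        raise ValueError("unsigned token")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: the signature check must not leak via timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def is_accepted(token: str, key: bytes = DEMO_KEY) -> bool:
    """True only for tokens verify_jwt accepts; every rejection path raises ValueError."""
    try:
        verify_jwt(token, key)
    except ValueError:  # json, base64 and unicode decode errors all subclass ValueError
        return False
    return True


if __name__ == "__main__":
    good = sign_hs256({"user": "alice"}, DEMO_KEY)
    print("signed token accepted:", is_accepted(good))
    print("alg=none token accepted:", is_accepted(NONE_TOKEN))
```

A WAF rule that flags `"alg":"none"` in the header segment is a useful backstop, but the durable fix is the one shown: the verifier never reads the algorithm from untrusted input.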
SQL Injection Login Bypass
```bash
curl -X POST http://localhost:8080/api/v1/auth/login \
  -d '{"username":"admin'\'' OR '\''1'\''='\''1","password":"any"}'
```
- Direct string concatenation in queries
- Returns admin privileges without password
Token Forgery Endpoint
POST /api/oauth/token/forge
- Generates valid JWT for any user
- No authentication required
- Complete authentication bypass
Weak Cryptography
| Vulnerability | Endpoints | Details |
|---|---|---|
| MD5 Password Hashing | /auth/login, /auth/register | Rainbow table attacks possible |
| Predictable Tokens | /auth/forgot, /auth/reset | MD5(email+timestamp) |
| Weak Session IDs | /auth/login | MD5(timestamp) |
| Predictable API Keys | /auth/apikeys/create | MD5(user_id+timestamp) |
| Weak TOTP Secrets | /auth/mfa/enable | MD5(user_id)[:16] |
Timing Attacks
```text
# Valid user: 0.15s delay
# Invalid user: 0.05s delay
```
- User enumeration via response time
- Applies to: /auth/login, /auth/forgot
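The SQL injection login bypass and the timing-based user enumeration above are both fixed in the same handler, so one added example covers both (this is illustrative code, not the api-demo application's login route). It uses a parameterized query instead of string concatenation, and it performs the same password-hash work and constant-time comparison whether or not the username exists, so the response time no longer separates valid from invalid users. The user store is a constructed in-memory SQLite table, and salted PBKDF2-SHA256 is swapped in for the MD5 hashing listed in the Weak Cryptography table; `vulnerable_lookup` reproduces the concatenation pattern only so the contrast can be seen.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user store so the example runs offline.
_db = sqlite3.connect(":memory:")
_db.execute(
    "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT)"
)

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256 in place of the unsalted MD5 the demo app uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(username: str, password: str, role: str = "user") -> None:
    salt = os.urandom(16)
    _db.execute(
        "INSERT INTO users (username, salt, pw_hash, role) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), role),
    )


# Dummy credential so an unknown username costs the same hashing work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("constructed-dummy-password", _DUMMY_SALT)


def vulnerable_lookup(username: str):
    """The concatenation pattern this inventory describes: a quoted payload matches a row."""
    return _db.execute(
        f"SELECT username, role FROM users WHERE username = '{username}'"
    ).fetchone()


def login(username: str, password: str):
    """Hardened login: parameterized query, uniform work, constant-time compare.

    Returns a session record on success and None otherwise. The hash is
    computed and compared even when the user does not exist, so response
    time does not distinguish a valid username from an invalid one.
    """
    row = _db.execute(
        "SELECT salt, pw_hash, role FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        salt, stored, role = _DUMMY_SALT, _DUMMY_HASH, None
    else:
        salt, stored, role = row
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if row is None or not matches:
        return None
    return {"username": username, "role": role}


# Constructed demo account.
add_user("alice", "constructed-demo-password", role="user")
```

The remaining timing difference is the database lookup itself, which is small next to the fixed hashing cost; if that matters, measure both paths rather than assuming.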
Banking & Financial Vulnerabilities
Critical Financial Flaws
Race Condition in Transfers
```http
POST /api/v1/banking/transfer
```
```python
# Check balance
if source_balance >= amount:
    time.sleep(0.001)  # Race window
    # Deduct from source
    # Add to destination
```
- Non-atomic transactions
- Double-spend possible
- Concurrent transfers can overdraw
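The race above is a check-then-act gap: the balance is read, time passes, and the debit is applied against a value that may no longer hold. The added example below (illustrative code, not the api-demo transfer handler) reproduces that gap deterministically with a `threading.Barrier` standing in for the `time.sleep` window, then shows the fix, which is simply to perform the check and the debit under one lock. The account names and amounts are constructed.

```python
import threading


class VulnerableLedger:
    """Mirrors the demo handler: the balance check and the debit are separate steps."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self._write_lock = threading.Lock()

    def transfer(self, src: str, dst: str, amount: int, gate: threading.Barrier) -> bool:
        if self.balances[src] >= amount:          # check
            gate.wait()                            # the race window (time.sleep in the demo)
            with self._write_lock:                 # each write is atomic, but the check is stale
                self.balances[src] -= amount
                self.balances[dst] += amount
            return True
        return False


class AtomicLedger:
    """Check and debit run under one lock, so no transfer acts on a stale balance."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def transfer(self, src: str, dst: str, amount: int) -> bool:
        if amount <= 0 or src == dst:
            return False
        with self._lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def _run(threads):
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def demo_vulnerable() -> dict:
    """Two concurrent 100-unit transfers from a 100-unit account: both pass the check."""
    ledger = VulnerableLedger({"A": 100, "B": 0})
    gate = threading.Barrier(2)   # holds both workers between check and debit
    _run([threading.Thread(target=ledger.transfer, args=("A", "B", 100, gate)) for _ in range(2)])
    return ledger.balances        # {"A": -100, "B": 200}: overdrawn


def demo_atomic():
    """The same two transfers against the atomic ledger: exactly one succeeds."""
    ledger = AtomicLedger({"A": 100, "B": 0})
    outcomes = []
    lock = threading.Lock()

    def worker():
        ok = ledger.transfer("A", "B", 100)
        with lock:
            outcomes.append(ok)

    _run([threading.Thread(target=worker) for _ in range(2)])
    return ledger.balances, sorted(outcomes)   # ({"A": 0, "B": 100}, [False, True])
```

With a database the same shape is a conditional update inside one transaction, `UPDATE accounts SET balance = balance - :amt WHERE id = :src AND balance >= :amt`, crediting the destination only if the statement reported one affected row.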
Balance Manipulation
```http
POST /api/v1/banking/internal/reset-balance
```
```json
{
  "account_id": "any-account",
  "new_balance": 1000000
}
```
- No authentication required
- Arbitrary balance setting
- Financial fraud enabled
Transaction Vulnerabilities
| Endpoint | Vulnerability | Impact |
|---|---|---|
| /banking/accounts | IDOR | View any user’s accounts |
| /banking/transactions | IDOR | View any account’s transactions |
| /banking/statements | IDOR | Download any account’s statements |
| /banking/transfer/bulk | No atomicity | Partial transfer failures |
| /banking/accounts/enumerate | Account enumeration | Reconnaissance |
Payment Processing Flaws
Capture Exceeds Authorization
```http
POST /api/v1/payments/capture
```
```json
{
  "authorization_id": "auth_123",
  "capture_amount": 10000 // Authorized: 100
}
```
Returns: `"overage": 9900`
Refund Exceeds Original
```http
POST /api/v1/payments/refund
```
```json
{
  "transaction_id": "txn_123",
  "refund_amount": 10000 // Original: 100
}
```
- Money laundering possible
- No validation on amounts
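Both payment flaws come down to the same missing rule: cumulative captures must stay within the authorization and cumulative refunds within what was captured. The added example below (illustrative code, not the api-demo payment routes) keeps both running totals on the authorization record, rejects non-integer and non-positive amounts that JSON can carry, and wraps the capture rule in a handler that takes the request body shape shown above. The `auth_123` record with a 100-unit authorization is constructed to match the page's scenario.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    authorization_id: str
    authorized: int      # amounts in minor units (e.g. cents), integers only
    captured: int = 0
    refunded: int = 0


class PaymentError(ValueError):
    pass


def _validated_amount(value) -> int:
    # JSON may carry bools, floats or strings; only positive integers are accepted.
    if isinstance(value, bool) or not isinstance(value, int):
        raise PaymentError("amount must be an integer in minor units")
    if value <= 0:
        raise PaymentError("amount must be positive")
    return value


def capture(auth: Authorization, amount) -> int:
    """Cumulative captures (partial captures included) may never exceed the authorization."""
    amount = _validated_amount(amount)
    remaining = auth.authorized - auth.captured
    if amount > remaining:
        raise PaymentError(f"capture {amount} exceeds remaining authorization {remaining}")
    auth.captured += amount
    return auth.captured


def refund(auth: Authorization, amount) -> int:
    """Cumulative refunds may never exceed what was actually captured."""
    amount = _validated_amount(amount)
    refundable = auth.captured - auth.refunded
    if amount > refundable:
        raise PaymentError(f"refund {amount} exceeds refundable balance {refundable}")
    auth.refunded += amount
    return auth.refunded


def handle_capture_request(store: dict, body: dict) -> dict:
    """Handler shape for the capture endpoint: look up the authorization, apply the rule."""
    auth = store.get(body.get("authorization_id"))
    if auth is None:
        return {"status": "declined", "reason": "unknown authorization"}
    try:
        captured = capture(auth, body.get("capture_amount"))
    except PaymentError as exc:
        return {"status": "declined", "reason": str(exc)}
    return {"status": "captured", "captured_total": captured}


if __name__ == "__main__":
    store = {"auth_123": Authorization("auth_123", authorized=100)}
    print(handle_capture_request(store, {"authorization_id": "auth_123", "capture_amount": 10000}))
```

A declined capture should also be logged with the overage it attempted; the demo app's `"overage": 9900` response is the right number to record, just not the right thing to honour.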
Healthcare & HIPAA Violations
Critical PHI Exposure
Mass Medical Records Export
```http
GET /api/v1/healthcare/records
```
Returns ALL records with:
- SSN, DOB, diagnosis
- Medications, allergies
- Insurance information
- No authentication required
Genetic Data Exposure
```http
GET /api/medical/genetics/profiles
```
Exposes:
- BRCA1/2 cancer risk genes
- APOE4 Alzheimer’s risk
- Pharmacogenomics data
- Ancestry information
- Discrimination risk: Employment, insurance
Mental Health Records
```http
GET /api/medical/mental-health/sessions
```
Exposes:
- Therapy session notes
- Psychiatric diagnoses
- Risk assessments (suicide, self-harm)
- Medications prescribed
Controlled Substances
DEA Schedule II-IV Exposure
```http
GET /api/v1/healthcare/prescriptions
```
Returns:
- Oxycodone, Hydrocodone (Schedule II)
- Alprazolam (Schedule IV)
- Adderall (Schedule II)
- Provider DEA numbers
- Prescription fraud risk
HIPAA Compliance Violations
| Violation | Endpoint | Details |
|---|---|---|
| Audit Log Tampering | /api/hipaa/audit-logs | Can delete/modify audit trails |
| Unencrypted PHI Transfer | /api/hipaa/transfer/encrypted | Returns encryption: none |
| Bulk PHI Export | /api/hipaa/export/bulk | Mass data exfiltration |
| No Access Controls | All healthcare endpoints | No authentication/authorization |
Admin & System Vulnerabilities
Remote Code Execution
Direct Command Execution
```http
POST /api/v1/admin/execute
```
```json
{
  "command": "cat /etc/passwd"
}
```
- No input validation
- Full system compromise
- No authorization required
Command Injection
```http
POST /api/v1/admin/backup
```
```json
{
  "backup_path": "/tmp; cat /etc/passwd"
}
```
- Via backup operations
- Detects: `;`, `|`, `&`, `$` and backtick
Privilege Escalation
Elevate Any User to Admin
```http
POST /api/v1/admin/users/{user_id}/elevate
```
- No authentication check
- Self-elevation possible
- Complete access control bypass
Configuration Exposure
```http
GET /api/v1/admin/config
```
Returns:
- Database credentials
- AWS access keys
- Stripe API keys
- JWT secrets
- Encryption keys
System Information Disclosure
```http
GET /api/system/version
```
Exposes:
- Application version
- Python version
- Flask version
- OS information
- CVE reconnaissance enabled
Advanced Attack Vectors
XXE Injection
```http
POST /api/hipaa/system/configuration
Content-Type: application/xml
```
```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<config>&xxe;</config>
```
- File disclosure
- SSRF possible
- Configuration endpoint
SSRF Vulnerabilities
```http
POST /api/hipaa/transfer/encrypted
```
```json
{
  "destination": "http://169.254.169.254/latest/meta-data/"
}
```
- Cloud metadata access
- Internal network scanning
- Credential harvesting
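The transfer endpoint above forwards to whatever `destination` the caller supplies, which is how the cloud metadata address gets reached. The added example below (illustrative code, not the api-demo application) is a destination check a defender would put in front of the outbound request: only http(s), no userinfo, no IP literals, the host must be on an allow-list, and every address the name resolves to must be public. `ALLOWED_HOSTS` and the resolver results used in the usage are constructed; the check takes a resolver callable so it can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts the transfer feature is meant to reach.
ALLOWED_HOSTS = {"partner.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def default_resolve(host: str) -> list:
    """Resolve to every A/AAAA address; all of them must be vetted, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip) -> bool:
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_destination(url: str, resolve=default_resolve):
    """Return (allowed, reason, resolved_addresses).

    Rejects non-http(s) schemes, userinfo in the URL, IP literals, hosts
    outside the allow-list, and any name that resolves to a non-public
    address (link-local metadata services and internal ranges included).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed in destination", []
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, as expected
    else:
        return False, "IP literals are not allowed", []
    if host.lower().rstrip(".") not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {host}", []
    try:
        addresses = resolve(host)
    except OSError:
        return False, "name resolution failed", []
    if not addresses:
        return False, "name resolved to no addresses", []
    for addr in addresses:
        if not _is_public(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to non-public address {addr}", []
    return True, "ok", list(addresses)


if __name__ == "__main__":
    print(check_destination("http://169.254.169.254/latest/meta-data/"))
    print(check_destination("https://partner.example.com/upload", resolve=lambda h: ["93.184.216.34"]))
```

The returned addresses exist for a reason: checking a name and then letting the HTTP client resolve it again leaves a DNS rebinding window, so the outbound connection should be made to one of the vetted addresses with the original hostname carried in the Host header and TLS SNI.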
Insecure Deserialization
```http
POST /api/admin/attack/deserialize
```
```json
{
  "data": "base64_pickle_payload"
}
```
- Python pickle exploitation
- Remote code execution
- Command execution
Attack Simulation Endpoints
The application includes an entire attack simulation blueprint with:
Reconnaissance
- /api/recon/advanced - External services, tech stack
- /api/intelligence/gather - Executive data, credentials
- /api/employees/directory - All employee emails/roles
- /api/technologies/stack - Complete tech disclosure
Exploitation
- /api/lateral/movement - Network traversal paths
- /api/privilege/escalation - Exploit simulation
- /api/credentials/harvest - Plaintext passwords
- /api/vulnerabilities/scan - CVE findings
Persistence
- /api/persistence/establish - Scheduled tasks
- /api/backdoors/install - DNS tunneling, covert channels
- /api/domain/admin/impersonate - Kerberos tickets
Data Exfiltration
- /api/exfiltration/channels - DNS/ICMP/steganography
- /api/communication/covert - C2 infrastructure
- /api/data/collect - Automated harvesting
OWASP Top 10 Coverage
| OWASP Category | Coverage | Examples |
|---|---|---|
| A01: Broken Access Control | ✅ Extensive | 50+ endpoints with no authorization |
| A02: Cryptographic Failures | ✅ Complete | MD5 passwords, weak tokens, plaintext secrets |
| A03: Injection | ✅ Multiple | SQL, Command, XXE, LDAP |
| A04: Insecure Design | ✅ Comprehensive | Race conditions, business logic flaws |
| A05: Security Misconfiguration | ✅ Widespread | Exposed internals, debug info, version disclosure |
| A06: Vulnerable Components | ✅ Simulated | Outdated dependencies, known CVEs |
| A07: Authentication Failures | ✅ Extensive | JWT bypass, timing attacks, session fixation |
| A08: Data Integrity Failures | ✅ Present | Insecure deserialization, audit tampering |
| A09: Security Logging Failures | ✅ Multiple | Log deletion, tampering, no integrity |
| A10: SSRF | ✅ Complete | Multiple SSRF vectors, cloud metadata |
Compliance Violations
Regulatory Non-Compliance
| Regulation | Violations | Examples |
|---|---|---|
| HIPAA | Massive PHI exposure | No encryption, audit tampering, bulk export |
| PCI DSS | Card data mishandling | CVV references, excessive storage, weak crypto |
| GDPR | Privacy violations | Mass PII export, no consent, no access controls |
| SOX | Financial manipulation | Audit destruction, balance tampering |
| AML/KYC | Money laundering | Transaction structuring, insufficient verification |
Testing Guide
Quick Exploitation Examples
Authentication Bypass
```bash
# SQL Injection
curl -X POST http://localhost:8080/api/v1/auth/login \
  -d '{"username":"admin'\'' OR '\''1'\''='\''1","password":"x"}'
# JWT None Algorithm
curl -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ."
# Token Forgery
curl -X POST http://localhost:8080/api/oauth/token/forge
```
Data Exfiltration
```bash
# Export all users
curl http://localhost:8080/api/v1/admin/users/export
# Export medical records
curl http://localhost:8080/api/v1/healthcare/records
# Export genetic data
curl http://localhost:8080/api/medical/genetics/profiles
```
Remote Code Execution
```bash
# Direct command execution
curl -X POST http://localhost:8080/api/v1/admin/execute \
  -d '{"command":"cat /etc/passwd"}'
# Command injection
curl -X POST http://localhost:8080/api/v1/admin/backup \
  -d '{"backup_path":"/tmp; ls -la /"}'
```
Financial Fraud
```bash
# Reset account balance
curl -X POST http://localhost:8080/api/v1/banking/internal/reset-balance \
  -d '{"account_id":"ACC001","new_balance":1000000}'
# Capture more than authorized
curl -X POST http://localhost:8080/api/v1/payments/capture \
  -d '{"authorization_id":"auth_123","capture_amount":10000}'
```
Vulnerability Density by Module
(Chart not reproduced; modules covered: Authentication, Admin, Healthcare, Banking, Payments)
Usage Warning
This application is designed for security testing in isolated environments only. It contains real exploit code and should NEVER be deployed to production or exposed to the internet without proper WAF protection.
Safe Usage Guidelines
- Isolated Environment Only - Run in Docker/VM with no external access
- WAF Protection Required - Always run behind Chimera WAF for demos
- Regular Resets - Reset data frequently to prevent accumulation
- Access Control - Limit access to authorized security personnel
- No Real Data - Never use actual PII, PHI, or financial data
Related Documentation
- API Documentation - Complete API reference
- Endpoints Catalog - All endpoints with parameters
- Attack Simulation - Attack pattern reference
- Getting Started - Setup and configuration
Last Updated: April 2026 | Total Vulnerabilities: 200+ | OWASP Top 10: 100% Coverage