
Work · Affinity Group ecosystem

Authorized penetration testing

Tools: nmap · subfinder · SecLists · custom shell scripts · Python traffic analyzer · CVE / CVSS analysis

External web-application penetration tests on three production web properties (affinitynxt.com, mascarinxt.com, repfocus.ai) operated by a third-party developer in the Affinity Group ecosystem, May 2026. All testing was authorized, with written authorization on file. 47 findings total: 7 critical plus 40 medium and low.

Methodology

OSCP-style external assessment: reconnaissance, fingerprinting, content discovery, exploitation, pivot, reporting. Subdomain enumeration via subfinder, port scanning with nmap, TLS fingerprinting, content discovery with SecLists wordlists (raft-medium-dirs, top-10k-passwords, common.txt), credential validation against cloud auth endpoints (GCP), CVE research and CVSS-based risk prioritization.

Critical findings (selected)

  • Demonstrated unauthenticated remote code execution on production affinitynxt.com via an admin panel that required no login and accepted arbitrary file uploads. A benign proof-of-concept was executed under written authorization.
  • Supply-chain attack chain identified: replacing the customer-newsletter file through that admin panel would deliver attacker-controlled content to ~21,000 customer rows over a trusted channel.
  • Live Google Cloud service account RSA private key publicly readable on mascarinxt.com. Exploitation confirmed via successful GCP token acquisition.
  • Same active GCP key exposed at the same path on repfocus.ai after pivoting via hardcoded API references in mascarinxt.com's Cloud Function source code.
  • Snowflake RSA private keys exposed in publicly readable application directories.
  • Customer CRM data leak: ~21,000 rows across 13 months including school-district contacts, sales-rep contact info, supplier relationships, and dashboard access tokens.
  • McCormick & Company vendor materials exposure: 54 NDA-covered playbooks, rebate structures, and innovation decks publicly downloadable.
  • Account takeover chain via exposed employee email list plus an unauthenticated activate.php endpoint with no CAPTCHA or rate limiting. Live forced re-activation of an employee account confirmed during testing.
  • Second admin panel at api.affinitynxt.com with no IP restriction, no rate limit, no lockout. Full 89-password wordlist completed without throttling.
  • End-of-life PHP stack (8.0.30, EOL since November 2023) with 14+ unpatched CVEs including CVE-2024-4577 (RCE, actively exploited in the wild) on shared Namecheap hosting.
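The GCP service-account and Snowflake key findings above share one root cause: private-key material sitting inside a publicly served directory. Below is an added defender-side example (not code from the engagement or from any of the assessed projects) of the kind of pre-deploy check that would catch this class of exposure: it walks a document root, flags PEM private-key blocks and GCP service-account JSON files, and reports where they sit relative to the web root. The directory layout, file names and key bodies are constructed placeholders, not real keys.

```python
"""Scan a web document root for private-key material that should never be served.

Added illustrative example. Detects two patterns from the findings list:
  * PEM private-key blocks (Snowflake .p8 keys, raw RSA keys)
  * GCP service-account JSON (type == "service_account" with a private_key field)
Anything matched under the document root is reported as critical, because the
web server will hand it to any unauthenticated client that guesses the path.
"""
import json
import re
import tempfile
from pathlib import Path

# Header of any PEM-encoded private key; the body is irrelevant for detection.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
MAX_BYTES = 1_000_000  # skip large binaries; key files are tiny


def classify(path: Path) -> list[str]:
    """Return labels for the secret types found in one file (empty if clean)."""
    if path.stat().st_size > MAX_BYTES:
        return []
    text = path.read_text(errors="replace")
    labels = []
    if PEM_PRIVATE_KEY.search(text):
        labels.append("pem-private-key")
    if path.suffix.lower() == ".json":
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            doc = None
        if (isinstance(doc, dict)
                and doc.get("type") == "service_account"
                and "private_key" in doc):
            labels.append("gcp-service-account-json")
    return labels


def scan_webroot(root: Path) -> list[dict]:
    """Walk the document root and return one finding per file holding key material."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        labels = classify(path)
        if labels:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "labels": labels,
                "severity": "critical",  # served to anyone who requests the URL
                "remediation": "move outside the document root and rotate the key",
            })
    return findings


def build_sample_webroot() -> Path:
    """Constructed sample tree for a stand-alone run; no real keys are written."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "keys").mkdir()
    (root / "keys" / "snowflake_rsa_key.p8").write_text(
        "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"
    )
    (root / "functions").mkdir()
    (root / "functions" / "sa.json").write_text(json.dumps({
        "type": "service_account",
        "project_id": "example-project",                     # placeholder
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
        "client_email": "svc@example-project.iam.gserviceaccount.com",  # placeholder
    }))
    (root / "index.html").write_text("<html>ok</html>")
    (root / "config.json").write_text(json.dumps({"type": "app", "debug": False}))
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(finding)
```

Run this against a build artifact or staging checkout before deployment (or as a CI step) and fail the pipeline on any finding; on shared hosting, where the document root is the only thing you control, keeping secrets out of it entirely is the practical fix, followed by rotation of anything that has ever been inside it.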

Reporting

Formal Markdown reports for each target with severity ratings, CVE mapping, evidence preservation, exploit chains, and prioritized remediation guidance, written for both technical and executive audiences. Also delivered: a 3-minute executive brief with a "30-minute decision today" ask covering immediate exposure closure, secret rotation, a vendor-notification recommendation, and acceptance of the remediation roadmap.