White-box security assessment of 13 Bitbucket repositories, grounded in the OWASP Top 10 (2021), OWASP API Security Top 10 (2023), OWASP MASVS, CWE, CVSS 3.1 and NIST CSF 2.0. Each finding was produced by skill-driven scanners and confirmed by an adversarial verification pass. Click any repository for its full report, or open the cross-repo correlation analysis. Generated 2026-05-30.
Every repository was assessed by automated scanners that apply formal offensive-security playbooks (the anthropic-cybersecurity-skills library — OWASP WSTG, API Top 10, MASVS and CWE methodology), one scanner per security dimension. An adversarial red-team reviewer then re-opened each cited file:line to confirm or reject the finding, killing false positives, deduplicating, and assigning CVSS 3.1 vectors, CWE ids and OWASP categories. Findings are evidence-backed and severity-rated P0–P3.
Coverage: injection · broken-access-control · auth/JWT/OAuth · secrets & cryptography · SSRF/CSRF/CORS/misconfig · supply-chain & CI/CD · business-logic & race · mobile storage/transport/IPC · client-side XSS & token handling — backed by 44 distinct skill playbooks across 60 scanner runs and 13 verification passes.

The deep audit confirmed production secrets committed across multiple backends, all recoverable from git history. Rotating the credential at the provider is the only real fix (git rm does not remove it from history). Order matters: start with the credential that unlocks everything else. Full cross-repo blast-radius analysis: Cross-Repo Correlation →

Committed secrets, by repository card:

- README + AppDelegate.swift. These unlock every repository in this dashboard, so revoke them FIRST at bitbucket.org/account/settings/app-passwords. Also: the APNS .p8 key and a privileged Intercom token.
- client_secret + refresh-token pairs, Slack/Monday tokens, DB password, Stripe keys, and a Passport RSA .pem, all committed and loaded at runtime. A leaked APP_KEY here enables Passport token forgery.
- .env (Twilio/MySQL/APP_KEY), tracked Passport oauth-private.key, hardcoded Slack webhooks, and a static urgent_otp backdoor.
- eas.json/google-services.json.
- master to a personal GitHub account on every commit. Audit that account; revoke the pipeline credential.

How many of the 13 repositories are vulnerable in each category (repos where the category does not apply are excluded). Security misconfiguration, outdated components, cryptographic failures and authentication failures are near-universal.
| Category | Vulnerable | Partial | Clean |
|---|---|---|---|
| A05 Security Misconfiguration | 10 | 2 | 0 |
| A06 Vulnerable / Outdated Components | 10 | 0 | 2 |
| A02 Cryptographic Failures | 9 | 0 | 2 |
| A07 Identification & Authentication Failures | 8 | 0 | 0 |
| A01 Broken Access Control | 7 | 0 | 1 |
| A03 Injection | 6 | 1 | 4 |
| A08 Software & Data Integrity Failures | 6 | 5 | 0 |
| A04 Insecure Design | 3 | 6 | 1 |
| A09 Logging & Monitoring Failures | 3 | 6 | 0 |
| A10 Server-Side Request Forgery | 2 | 2 | 0 |
Hash-verified secret reuse across the estate. Full analysis, attack chains & org-level program: Cross-Repo Correlation →
- a-list-ios unlocks all 13 repos → harvest every secret below.
- a-list-demo and alist-v2 commit live DB credentials that match the active alist-partner API's (same name/user, shared password); dead code is a live data-breach path.
- The dev-*.alist.ae URL is hardcoded in 7 repos, including the production mobile builds.

The live platform centres on the alist-portal Laravel monolith; mobile and web clients all consume its REST API. A flaw or leaked credential in one repo frequently exposes others; see the correlation analysis for shared trust boundaries.
PHP / Laravel — platform core backend
The single monolith behind admin, vendor & creator portals and the mobile REST API. Critical across nearly every OWASP category.
PHP 8.2 / Laravel 11 — partner API
REST API for the partner/merchant portal (Twilio OTP + Passport). Highest P0 count in the estate. Headline finding: urgent_otp backdoor.
Swift / UIKit — production iOS
Native iOS client. Committed secrets + disabled transport security enable an account-takeover chain.
Expo SDK 54 / React Native / TS
Cross-platform Expo client (builds iOS, Android, web). Solid foundation undermined by a committed privileged token.
Next.js 15 / React 19 / TS — vendor admin
Next.js admin dashboard against the partner Laravel API. Auth and XSS issues dominate. Headline finding: dangerouslySetInnerHTML sinks render API HTML (XSS).
Create React App / TS — creators.ae
Marketing site with email capture posting to monday.com directly from the browser.
Vue 3 SPA — public marketing
Vue 3 SPA fed by Strapi, posting signups/careers/OAuth to a separate PHP backend.
Static HTML / CSS / vanilla JS
Single-page brochure site. No backend, no dependencies — smallest attack surface in the estate.
Laravel 6 / PHP 7.2 — frozen 2020 fork
Demo/staging fork of alist-portal, frozen since 2020 but still holding live credentials.
Laravel 9 + Vue 3 — abandoned rewrite
Admin-panel rewrite wired to two MySQL DBs; the v1↔v2 sync was disabled in the final 2023 commit.
Strapi 4.14.4 / Node
Strapi v4 CMS backing alist-website. Single 2023 commit; ~18 months of missing patches.
Vue 3 + Vite — UI prototype
Vue 3 vendor-portal prototype: fake auth and hardcoded voucher logic. Superseded by alist-vendors.
Create React App / React 18 / TS
Static marketing page that redirects to an external registration form. No backend, no API calls.