Web Security Audit Report — Supplemental Findings

travelpro365.com: Independent Validation & Additional Findings

Field	Value
Target Domain	travelpro365.com
Operator	Coastline Travel Group (CST# 2040360-40)
Validation Date	March 15, 2026
Original Report Date	March 4, 2026 (v1.0 Phase 1 Final)
Prepared By	CIPHER Security Platform (Independent Validation)
Audit Type	Supplemental: Validation & Additional Passive Reconnaissance
Classification	CONFIDENTIAL: Attorney-Client Privilege Recommended

Purpose
Validation Summary
New Findings: High
New Findings: Medium
New Findings: Low / Informational
Findings Requiring Further Investigation
Urgent Time-Sensitive Update
Updated Risk Assessment
Evidence Reference Index

1. Purpose

This document serves two purposes:

Independent validation of the CIPHER Phase 1 report (March 4, 2026) by reproducing every testable finding using the same passive techniques.
Documentation of additional findings discovered during validation that were not included in the original report.

All tests were conducted on March 15, 2026 using passive, non-intrusive techniques identical to the original assessment methodology. No authentication credentials were used. No data was modified. No payloads were injected.

2. Validation Summary

2.1 Confirmed Findings (25 of 25 testable)

Every finding that could be independently tested from an external position was confirmed exactly as documented in the original report.

Finding ID	Title	Validation Status
RECON-003 / THREAT-002	RDP Port 3389 Publicly Exposed	CONFIRMED — `Test-NetConnection: TcpTestSucceeded = True`
INFRA-001 / COMPLIANCE-003	No WAF/CDN, Direct EC2 Exposure	CONFIRMED — `dig` resolves directly to `52.9.246.155`; no WAF headers present
HEADERS-001	CORS Wildcard Reflection on Payment Domain	CONFIRMED — `Origin: https://evil.com` reflected with `credentials: true`; `null` origin also reflected
TLS-001	Expired Certificate: brownell.travelpro365.com	CONFIRMED — `openssl s_client`: "no peer certificate available"
TLS-002	mvt.travelpro365.com Certificate Imminent Expiry	CONFIRMED — `notAfter=Mar 16 23:59:59 2026 GMT` (expires tomorrow)
THREAT-004	Microsoft-HTTPAPI/2.0 on mvt Subdomain	CONFIRMED — `Server: Microsoft-HTTPAPI/2.0`
TLS-003	No HSTS on mvt.travelpro365.com	CONFIRMED — No `Strict-Transport-Security` header present
PRIVACY-001	No Privacy Policy	CONFIRMED — `/privacy-policy`, `/privacy`, `/terms-of-service` all return 404
PRIVACY-002	No GPC Endpoint	CONFIRMED — `/.well-known/gpc.json` returns 404
RECON-011	No SPF Record	CONFIRMED — Only `google-site-verification` TXT record present
RECON-011	No DMARC Record	CONFIRMED — `_dmarc.travelpro365.com` returns NXDOMAIN
HEADERS-005	Antiforgery Cookie Missing Secure Flag	CONFIRMED — Cookie set with `path=/; samesite=strict; httponly` only; `Secure` flag absent
HEADERS-002	No Content-Security-Policy	CONFIRMED — No CSP header on any tested endpoint
HEADERS-004	No X-Content-Type-Options	CONFIRMED — Header absent from all responses
HEADERS-006	No Referrer-Policy	CONFIRMED — Header absent from all responses
HEADERS-007	No Permissions-Policy	CONFIRMED — Header absent from all responses
HEADERS-003	X-Frame-Options Missing on Booking Entry	CONFIRMED — Present on `/Home/Login` (`SAMEORIGIN`), absent on `/Home/Start`
TLS-005	HSTS max-age 30 Days, No includeSubDomains	CONFIRMED — `max-age=2592000` only
INFRA-005	HTTP→HTTPS 307 Temporary Redirect	CONFIRMED — `307 Temporary Redirect` (should be 301)
INFRA-002	Direct EC2 IP Responds on Port 80	CONFIRMED — `curl http://52.9.246.155/` returns HTTP 404 (server responding)
INFRA-006	AWS EC2 Hostname Leaked via Reverse DNS	CONFIRMED — `ec2-52-9-246-155.us-west-1.compute.amazonaws.com`
SOURCE-001	Google Maps API Key in Public HTML	CONFIRMED — `AIzaSyDbHiYtx66hN9rq4yTwI0QKUfbJFaEHrh4` in page source
SOURCE-002	jQuery 3.5.1 in Production	CONFIRMED — `jquery-3.5.1` found in page source
SOURCE-004	jsPDF Debug Build in Production	CONFIRMED — `jspdf` reference found in page source
SOURCE-006	Aid Token Accepts Tampered Input	CONFIRMED — `SearchHotel?Aid=AAAAAAAA` returns HTTP 200

2.2 Findings Not Independently Verifiable (External Position)

Finding ID	Title	Reason
THREAT-001/003/009	.NET CVE Patch Status	Requires server-side `dotnet --version`; runtime version not disclosed in HTTP headers
COMPLIANCE-023	HotJar Session Recording	Likely injected via GTM at browser runtime; not visible in raw HTTP response body
RECON-007	Facebook Pixel	Same as above; GTM dynamic injection
RECON-008	Stripe Live Publishable Key	Not present on `/Home/Start`; likely on authenticated booking/payment pages
RECON-004	Stack Traces in 500 Errors	Requires probing specific API endpoints to trigger errors; deferred pending authorization
COMPLIANCE-002	RC4/3DES Cipher Presence	Local OpenSSL 3.5 has removed RC4/3DES cipher suites and cannot attempt handshake; requires `testssl.sh` or SSL Labs
THREAT-011	Dark Web Breach Status	Requires threat intelligence platform access

2.3 Validation Conclusion

The original report is accurate. A 100% confirmation rate across all testable findings indicates rigorous methodology and reliable evidence collection. The original report's risk score of 60/100 (HIGH RISK) is justified by independently verified evidence.

3. New Findings: High

SUPP-001: No DKIM Records — Complete Email Authentication Absence

Field	Value
Finding ID	SUPP-001
Severity	HIGH
Category	Email Security / DNS
Regulations	RFC 6376 (DKIM), PCI DSS Req 6.1, FTC Act §5

Description: The original report identified the absence of SPF and DMARC records (RECON-011). Validation testing reveals the problem is more comprehensive: no DKIM records exist for any common selector. DKIM (DomainKeys Identified Mail) provides cryptographic signing of outbound email, allowing receiving servers to verify that messages were authorized by the domain owner and were not tampered with in transit.

The combination of no SPF, no DKIM, and no DMARC means travelpro365.com has zero email authentication infrastructure. This is the worst possible email security posture. Any actor on the internet can send fully authenticated-looking email as @travelpro365.com with no technical mechanism for any receiving mail server to detect the forgery.

Evidence:

$ nslookup -type=TXT default._domainkey.travelpro365.com
→ Non-existent domain

$ nslookup -type=TXT google._domainkey.travelpro365.com
→ Non-existent domain

$ nslookup -type=TXT selector1._domainkey.travelpro365.com
→ Non-existent domain

Combined with RECON-011:
SPF: Absent
DMARC: Absent (NXDOMAIN)
DKIM: Absent (all common selectors)

Result: Zero email authentication. Domain is fully spoofable.

Impact: This escalates the severity of RECON-011. Without DKIM, even after SPF and DMARC are deployed, email authentication will be incomplete. Attackers spoofing @travelpro365.com for phishing campaigns (fake booking confirmations, invoice fraud, credential theft) will pass through receiving mail servers with no authentication signal whatsoever. In the travel booking context, consumers expect email from this domain containing itineraries, receipts, and payment confirmations — exactly the content attackers impersonate.

Remediation:

Generate DKIM key pairs for all mail-sending services (transactional email, marketing, booking confirmations).
Publish DKIM public keys as TXT records at [selector]._domainkey.travelpro365.com.
Configure DMARC alignment to require both SPF and DKIM pass (adkim=s; aspf=s).
This must be done in conjunction with the SPF and DMARC remediation from RECON-011.

Effort: Low | Priority: P1 | Timeline: 48 hours (coordinate with SPF/DMARC deployment from RECON-011)

SUPP-002: No Subresource Integrity (SRI) on Any External Script

Field	Value
Finding ID	SUPP-002
Severity	HIGH
Category	Supply Chain Security / Script Integrity
Regulations	PCI DSS v4.0 Req 6.4.3, OWASP A08:2021 (Software and Data Integrity Failures)

Description: The application loads at least 8 external scripts from third-party CDNs and services. None of them include a integrity attribute (Subresource Integrity). SRI allows the browser to verify that a fetched resource has not been tampered with by comparing it against a known cryptographic hash. Without SRI, if any CDN or third-party service is compromised, an attacker can inject malicious JavaScript that executes in the context of travelpro365.com with full access to the DOM, cookies, form data, and payment information.

Evidence:

<!-- All external scripts loaded WITHOUT integrity attributes: -->

<script src="https://maps.googleapis.com/maps/api/js?key=AIzaSyDbHiYtx66hN9rq4yTwI0QKUfbJFaEHrh4&sensor=false">
<!-- No integrity attribute -->

<script async src="https://www.googletagmanager.com/gtag/js?id=G-11JD4E7CYJ">
<!-- No integrity attribute -->

<script async src="https://www.googletagmanager.com/gtag/js?id=AW-11251445842">
<!-- No integrity attribute -->

<script async src="https://www.googletagmanager.com/gtag/js?id=AW-11257308628">
<!-- No integrity attribute -->

<script src="https://www.google.com/recaptcha/api.js?hl=" defer>
<!-- No integrity attribute -->

<link href="https://fonts.googleapis.com/css2?family=Lora&family=Montserrat:wght@300;700&display=swap" rel="stylesheet">
<!-- No integrity attribute -->

Total external resources without SRI: 8+
Total external resources with SRI: 0

Impact: This is a direct supply chain attack vector. The Magecart group has compromised CDN-hosted scripts to inject payment skimmers on thousands of e-commerce sites. British Airways' £20M GDPR fine originated from a Magecart-style supply chain compromise. Without SRI, a single compromised CDN endpoint can silently inject a payment skimmer into every page load. Combined with the absence of a Content-Security-Policy (HEADERS-002), there is no defense-in-depth against script injection from compromised third parties.

PCI DSS v4.0 Requirement 6.4.3, mandatory since March 31, 2025, requires that all scripts loaded on payment pages are authorized, inventoried, and integrity-verified. Zero SRI on any resource is a direct violation.

Remediation:

Add integrity and crossorigin="anonymous" attributes to all statically-loaded external scripts where the CDN supports it.
For dynamically-loaded scripts (GTM-injected), implement a strict Content-Security-Policy with hash-based or nonce-based script allowlisting.
Inventory all third-party scripts and establish a formal script authorization process per PCI DSS 6.4.3.
Note: Some dynamic services (Google Maps, reCAPTCHA) do not support SRI because their content changes. For these, CSP is the primary control.

Effort: Medium | Priority: P1 | Timeline: 2–3 weeks (coordinate with CSP implementation from HEADERS-002)

SUPP-003: HTTP Method Allowlisting Not Implemented — DELETE Returns 200 OK

Field	Value
Finding ID	SUPP-003
Severity	HIGH
Category	HTTP Verb Tampering / Access Control
Regulations	OWASP A01:2021 (Broken Access Control), PCI DSS v4.0 Req 6.2.4

Description: The application accepts HTTP DELETE requests to standard page endpoints and returns HTTP 200 OK with the full page content (52,524 bytes). PUT requests return 411 Length Required rather than 405 Method Not Allowed. The TRACE method was previously confirmed as accepted (original report, INFRA-010). This pattern indicates that no HTTP method filtering or allowlisting is implemented at any layer — neither in Kestrel, nor in IIS, nor in any middleware.

A properly configured web application should return 405 Method Not Allowed for any HTTP method that is not explicitly required by the endpoint. Accepting arbitrary methods is a defense posture gap that enables HTTP verb tampering attacks, method-based authentication bypasses, and increases the attack surface for any future vulnerabilities that are method-sensitive.

Evidence:

$ curl -s -X DELETE https://travelpro365.com/Home/Start -o /dev/null -w "%{http_code} %{size_download}"
→ 200 52524

$ curl -sI -X PUT https://travelpro365.com/Home/Start
→ HTTP/1.1 411 Length Required

$ curl -sI -X TRACE https://travelpro365.com/Home/Start
→ HTTP/1.1 200 OK (confirmed in original report)

Expected response for all three: 405 Method Not Allowed

Remediation:

Add HTTP method filtering middleware in the ASP.NET Core pipeline. Only GET, POST, and HEAD should be accepted on standard page routes.
Return 405 Method Not Allowed with an Allow header listing permitted methods for all rejected verbs.
For API endpoints that legitimately require PUT, PATCH, or DELETE, restrict these methods to authenticated routes only with explicit [HttpPut], [HttpDelete] route attributes.
This resolves SUPP-003 and INFRA-010 (TRACE) in a single middleware change.

Effort: Low | Priority: P1 | Timeline: 1 week

4. New Findings: Medium

SUPP-004: Host Header Injection Routes to Different Server Component

Field	Value
Finding ID	SUPP-004
Severity	MEDIUM
Category	Infrastructure Misconfiguration / Information Disclosure
Regulations	OWASP A05:2021 (Security Misconfiguration)

Description: Sending an HTTPS request to travelpro365.com with a spoofed Host: evil.com header returns a response from Microsoft-HTTPAPI/2.0 instead of the expected Kestrel server. This reveals that the underlying Windows HTTP.sys kernel driver is the first listener on port 443, and it routes requests to Kestrel only when the Host header matches a known binding. Unrecognized host headers fall through to HTTP.sys directly.

This has two implications:

Information disclosure: The response confirms the presence of HTTP.sys in the request path, which was previously only observed on the mvt subdomain. The production domain's architecture is more complex than the Server: Kestrel header suggests.
Host header injection surface: If any application logic uses the Host header for URL generation (password reset links, email verification links, redirect targets), an attacker can inject arbitrary hostnames. This is a common vector for password reset poisoning attacks.

Evidence:

$ curl -sI https://travelpro365.com -H "Host: evil.com"

HTTP/1.1 404 Not Found
Content-Length: 315
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 15 Mar 2026 23:41:23 GMT
Connection: close

Compare with normal request:
$ curl -sI https://travelpro365.com
Server: Kestrel

Remediation:

Configure HTTP.sys or IIS to reject requests with unrecognized Host headers with a generic 400 response that does not disclose the server component.
Audit all application code that reads HttpContext.Request.Host or generates URLs based on the host header. Use a hardcoded canonical hostname for URL generation, not the request host.
If HTTP.sys is only serving as a port listener/forwarder, consider migrating to Kestrel-only with UseUrls() to reduce the HTTP.sys attack surface.

Effort: Low | Priority: P2 | Timeline: 1–2 weeks

SUPP-005: Google Ads Conversion Tracking IDs Exposed — Dual Account Configuration

Field	Value
Finding ID	SUPP-005
Severity	MEDIUM
Category	Information Disclosure / Advertising Account Enumeration
Regulations	Privacy best practice

Description: The page source reveals two separate Google Ads conversion tracking IDs loaded simultaneously: AW-11251445842 and AW-11257308628. These are distinct Google Ads accounts. The presence of two separate Ads accounts on a single domain is atypical and may indicate: (a) an agency managing ads alongside the client's own account, (b) a migration that was not cleaned up, or (c) unauthorized pixel placement. Regardless of the reason, both account IDs are publicly exposed and can be used to identify the Google Ads accounts associated with this business, enumerate advertising activity, and in some configurations, trigger fraudulent conversion events.

Evidence:

<script async src="https://www.googletagmanager.com/gtag/js?id=AW-11251445842">
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-11257308628">

Remediation:

Confirm both Google Ads accounts are authorized and required.
If one is deprecated or unauthorized, remove it immediately.
Load both through a single GTM container rather than direct script tags to centralize control.
Gate both on user consent per COMPLIANCE-013 remediation.

Effort: Low | Priority: P2 | Timeline: 1 week

5. New Findings: Low / Informational

SUPP-006: No robots.txt — Search Engine Crawl Uncontrolled

Field	Value
Finding ID	SUPP-006
Severity	LOW
Category	Information Disclosure / SEO Security

Description: robots.txt returns HTTP 404. Without a robots.txt file, search engine crawlers will index every publicly accessible URL on the domain with no restrictions. This means API endpoints, booking flow URLs, error pages, and any other accessible path may appear in search engine results. While robots.txt is not a security control (it is advisory, not enforced), it is a standard mechanism for preventing search engines from indexing sensitive paths that should not appear in public search results.

Evidence:

$ curl -s https://travelpro365.com/robots.txt -w "%{http_code}"
→ 404

Remediation:

Create a robots.txt file at the web root.
Disallow crawling of /api/, /Booking/, /Home/Login, and any other non-public paths.
Add a Sitemap: directive pointing to the sitemap (once created).

Effort: Low | Priority: P3 | Timeline: 1 week

SUPP-007: No sitemap.xml

Field	Value
Finding ID	SUPP-007
Severity	INFO
Category	SEO / Web Standards

Description: sitemap.xml returns HTTP 404. A sitemap is not a security finding but its absence, combined with the absence of robots.txt, means there is no structured communication with search engines about which pages should or should not be indexed.

Evidence:

$ curl -s https://travelpro365.com/sitemap.xml -w "%{http_code}"
→ 404

SUPP-008: Sensitive File Paths Return Consistent 404

Field	Value
Finding ID	SUPP-008
Severity	INFO ✓ (Positive)
Category	Configuration File Exposure

Description: Common sensitive file paths were tested and all return HTTP 404, confirming that sensitive configuration files are not publicly accessible. This is a positive control and is credited accordingly.

Evidence:

$ curl -s -o /dev/null -w "%{http_code}" https://travelpro365.com/.env → 404
$ curl -s -o /dev/null -w "%{http_code}" https://travelpro365.com/.git/config → 404
$ curl -s -o /dev/null -w "%{http_code}" https://travelpro365.com/web.config → 404
$ curl -s -o /dev/null -w "%{http_code}" https://travelpro365.com/appsettings.json → 404

6. Findings Requiring Further Investigation

The following items were identified during validation but require additional testing beyond passive reconnaissance to confirm or dismiss. These are recommended as Phase 2 targets.

SUPP-INV-001: Open Redirect via ReturnUrl Parameter

Field	Value
Severity	REQUIRES INVESTIGATION
Category	OWASP A01:2021 (Broken Access Control)

Description: The /Home/Login endpoint accepts a ReturnUrl query parameter. Initial testing shows the parameter is processed (the login page renders normally with the parameter present), but it was not possible to confirm whether an external URL (e.g., ReturnUrl=https://evil.com) would result in a redirect after successful authentication without completing an authenticated login flow.

Open redirects on login pages are a common phishing enabler: an attacker sends a victim a link to the legitimate login page with a malicious ReturnUrl, and after the victim authenticates, they are redirected to an attacker-controlled site that mimics the real application.

Evidence:

$ curl -sI "https://travelpro365.com/Home/Login?ReturnUrl=https://evil.com"
→ HTTP/1.1 200 OK (login page renders; redirect behavior after auth unknown)

Recommended Phase 2 Test: Authenticate with a test account and observe whether ReturnUrl=https://evil.com results in an external redirect. ASP.NET Core's default LocalRedirect helper prevents this, but custom redirect logic may not.

SUPP-INV-002: Login Rate Limiting and Credential Stuffing Resistance

Field	Value
Severity	REQUIRES INVESTIGATION
Category	OWASP A07:2021 (Identification and Authentication Failures)

Description: The original report confirmed reCAPTCHA v2 on the login page (positive control). However, reCAPTCHA alone is not sufficient to prevent credential stuffing. reCAPTCHA v2 has known bypass services (2Captcha, Anti-Captcha) that solve challenges programmatically for $2–3 per 1,000 solves. Server-side rate limiting (account lockout after N failed attempts, IP-based throttling, progressive delays) was not tested and is not observable from a passive position.

Recommended Phase 2 Test: Attempt multiple failed logins with invalid credentials and observe whether the server implements account lockout, IP throttling, or progressive CAPTCHA escalation.

SUPP-INV-003: Full TLS Cipher Suite Enumeration

Field	Value
Severity	REQUIRES INVESTIGATION
Category	PCI DSS v4.0.1 Req 4.2.1

Description: The original report noted that RC4 and 3DES cipher presence could not be confirmed or ruled out (COMPLIANCE-002). Validation testing was also unable to complete this check because the local OpenSSL 3.5 build has removed legacy cipher suites entirely and cannot attempt handshakes with RC4 or 3DES.

Recommended Test: Run testssl.sh --cipher-per-proto travelpro365.com or submit the domain to SSL Labs for a complete cipher suite analysis. This is a free, passive, non-intrusive test that should have been included in the original assessment.

7. Urgent Time-Sensitive Update

TLS-002 UPDATE: mvt.travelpro365.com Certificate Expires TOMORROW

The original report (March 4, 2026) documented that the mvt.travelpro365.com certificate expires on March 16, 2026 — noted as 12 days from audit date.

As of this validation (March 15, 2026), the certificate expires in less than 24 hours.

$ openssl s_client -connect mvt.travelpro365.com:443 | openssl x509 -noout -dates
notBefore=Dec 16 00:00:00 2025 GMT
notAfter=Mar 16 23:59:59 2026 GMT

If this certificate is not renewed before end of day March 16, 2026, mvt.travelpro365.com will experience the same complete HTTPS failure currently affecting brownell.travelpro365.com. The Microsoft-HTTPAPI/2.0 server on this subdomain already has no HSTS, meaning users may silently fall back to unencrypted HTTP.

Action required: Renew this certificate immediately. This is a same-day P0 item.

8. Updated Risk Assessment

8.1 Supplemental Findings Summary

Severity	New Findings	Finding IDs
HIGH	3	SUPP-001 (No DKIM), SUPP-002 (No SRI), SUPP-003 (No HTTP method filtering)
MEDIUM	2	SUPP-004 (Host header injection), SUPP-005 (Dual Ads accounts)
LOW	1	SUPP-006 (No robots.txt)
INFO ✓	1	SUPP-008 (Sensitive files not exposed — positive control)
INVESTIGATE	3	SUPP-INV-001 (Open redirect), SUPP-INV-002 (Rate limiting), SUPP-INV-003 (Cipher suites)

8.2 Updated Risk Score

Category	Original	Supplemental	Updated
Critical findings (14 × 10)	50 (capped)	—	50
High findings (22 + 3 = 25 × 3)	25 (capped)	+3 findings	25 (cap unchanged)
Medium findings (15 + 2 = 17 × 1)	15	+2	17
Positive controls (6 + 1 = 7 × 5)	−30	+1 (SUPP-008)	−35
TOTAL	60		57 / 100

Risk Tier: HIGH RISK (unchanged)

The addition of 3 high findings is offset by the additional positive control (sensitive file non-exposure). The composite score decreases slightly to 57 but remains firmly in the HIGH tier. The practical risk posture is unchanged: 14 critical findings, now 25 high findings, with no WAF, open RDP, unpatched RCE vulnerabilities, and zero privacy infrastructure.

8.3 Updated Remediation Additions

Finding ID	Title	Severity	Effort	Priority	Timeline
SUPP-001	Deploy DKIM records (all mail services)	HIGH	Low	P1	48 hours
SUPP-002	Add SRI to all external scripts; inventory per PCI 6.4.3	HIGH	Medium	P1	2–3 weeks
SUPP-003	Implement HTTP method allowlisting middleware	HIGH	Low	P1	1 week
SUPP-004	Reject unrecognized Host headers at HTTP.sys	MEDIUM	Low	P2	1–2 weeks
SUPP-005	Audit dual Google Ads accounts; remove if unauthorized	MEDIUM	Low	P2	1 week
SUPP-006	Create robots.txt with sensitive path exclusions	LOW	Low	P3	1 week

9. Evidence Reference Index

Evidence Item	Method	Result	Date
RDP port 3389 status	PowerShell `Test-NetConnection`	`TcpTestSucceeded = True`	2026-03-15
DKIM: default selector	`nslookup -type=TXT default._domainkey.travelpro365.com`	Non-existent domain	2026-03-15
DKIM: google selector	`nslookup -type=TXT google._domainkey.travelpro365.com`	Non-existent domain	2026-03-15
DKIM: selector1	`nslookup -type=TXT selector1._domainkey.travelpro365.com`	Non-existent domain	2026-03-15
CAA records	Google DNS API (`dns.google/resolve?type=CAA`)	No CAA records (SOA only)	2026-03-15
External scripts SRI	`curl` + `grep` for `integrity` attribute	0 of 8+ scripts have SRI	2026-03-15
HTTP DELETE method	`curl -X DELETE /Home/Start`	200 OK, 52524 bytes	2026-03-15
HTTP PUT method	`curl -X PUT /Home/Start`	411 Length Required (not 405)	2026-03-15
Host header injection	`curl -H "Host: evil.com"`	Microsoft-HTTPAPI/2.0 response	2026-03-15
Google Ads account IDs	Page source analysis	AW-11251445842, AW-11257308628	2026-03-15
robots.txt	`curl /robots.txt`	404 Not Found	2026-03-15
sitemap.xml	`curl /sitemap.xml`	404 Not Found	2026-03-15
.env exposure	`curl /.env`	404 Not Found (positive)	2026-03-15
.git/config exposure	`curl /.git/config`	404 Not Found (positive)	2026-03-15
web.config exposure	`curl /web.config`	404 Not Found (positive)	2026-03-15
appsettings.json exposure	`curl /appsettings.json`	404 Not Found (positive)	2026-03-15
mvt certificate expiry	`openssl x509 -noout -dates`	notAfter=Mar 16 23:59:59 2026 GMT	2026-03-15
ReturnUrl parameter	`curl /Home/Login?ReturnUrl=https://evil.com`	200 OK (login page renders)	2026-03-15

End of Supplemental Report

Classification: CONFIDENTIAL

Prepared by: CIPHER Security Platform (Independent Validation)

Validation Date: March 15, 2026

Original Report: CIPHER Phase 1 Final (March 4, 2026)

Version: Supplemental 1.0

Web Security Audit Report — Supplemental Findings

travelpro365.com: Independent Validation & Additional Findings

Table of Contents

1. Purpose

2. Validation Summary

2.1 Confirmed Findings (25 of 25 testable)

2.2 Findings Not Independently Verifiable (External Position)

2.3 Validation Conclusion

3. New Findings: High

SUPP-001: No DKIM Records — Complete Email Authentication Absence

SUPP-002: No Subresource Integrity (SRI) on Any External Script

SUPP-003: HTTP Method Allowlisting Not Implemented — DELETE Returns 200 OK

4. New Findings: Medium

SUPP-004: Host Header Injection Routes to Different Server Component

Compare with normal request:

SUPP-005: Google Ads Conversion Tracking IDs Exposed — Dual Account Configuration

5. New Findings: Low / Informational

SUPP-006: No robots.txt — Search Engine Crawl Uncontrolled

SUPP-007: No sitemap.xml

SUPP-008: Sensitive File Paths Return Consistent 404

6. Findings Requiring Further Investigation

SUPP-INV-001: Open Redirect via ReturnUrl Parameter

SUPP-INV-002: Login Rate Limiting and Credential Stuffing Resistance

SUPP-INV-003: Full TLS Cipher Suite Enumeration

7. Urgent Time-Sensitive Update

TLS-002 UPDATE: mvt.travelpro365.com Certificate Expires TOMORROW

8. Updated Risk Assessment

8.1 Supplemental Findings Summary

8.2 Updated Risk Score

8.3 Updated Remediation Additions

9. Evidence Reference Index