https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging&viewMode=story
Security Assessment Summary
Overall Assessment
No exploitable vulnerabilities detected
Executive Summary
We conducted a blackbox assessment of the Storybook preview endpoint (iframe.html) and related static assets on p2p.positive-intentions.com. Attempts to trigger XSS via key query parameters (globals, id, viewMode, and an unknown parameter) did not reflect or execute injected payloads. We reviewed security headers and CSP; while CSP contains permissive directives ('unsafe-inline', 'unsafe-eval', localhost allowances, broad external origins), we did not identify a practical exploit in the tested paths. Some HTML responses advertise CORS ACAO: *; without credentials and given public content, this is not directly exploitable but should be tightened. Storybook index.json is publicly available and exposes internal file paths—a common trade-off for public component catalogs but worth acknowledging.
Recommendations:
- Remove 'unsafe-inline' and 'unsafe-eval' from CSP for any production-facing deployments; prefer nonces/hashes and avoid eval.
- Restrict script-src/connect-src to only the origins required in production; consider removing localhost and GitHub Pages allowances in the production build.
- Remove ACAO:* from HTML responses unless there’s a concrete cross-origin use-case; serve with origin-specific ACAO or omit for static HTML.
- If sensitive stories or internal details should not be public, gate Storybook or redact componentPath info via build configuration.
- Continue to enforce HSTS, nosniff, and strict referrer-policy as currently configured.
At this time, no practically exploitable vulnerabilities were identified with the tested endpoints and parameters.
Detailed Findings (5)
1. Cross-Site Scripting (XSS) via query parameters
Analysis
We attempted reflected/stored XSS through Storybook query parameters commonly parsed by iframe.html (globals, id, viewMode) and an unknown parameter. Each payload was URL-encoded and fetched directly. We then searched the returned HTML for our injected markers and event-handler attributes. No reflections or script-execution markers were present in the responses, indicating that these parameters are either properly encoded or not reflected at all.
Evidence (HTTP fetches performed):
- GET https://p2p.positive-intentions.com/iframe.html?globals=%3Cimg%20src%3Dx%20onerror%3Dalert(42)%3E&id=demo-p2p-messaging--p-2-p-messaging&viewMode=story
- GET https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging%3Csvg%20onload%3Dalert(43)%3E&viewMode=story
- GET https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging&viewMode=%3Cimg%20src%3Da%20onerror%3Dalert(44)%3E
- GET https://p2p.positive-intentions.com/iframe.html?badparam=%3Cscript%3Ealert(45)%3C/script%3E
Searching the responses for the injected markers returned no matches.
Vulnerable Code
N/A
Conclusion
No vulnerability: XSS via query parameters not observed
2. CSP configuration (inline/eval allowances, broad connect/script sources)
Analysis
The Content-Security-Policy sent by the server includes allowances that weaken XSS protection, typical for Storybook but risky for production: script-src includes 'unsafe-inline' and 'unsafe-eval'; script-src and connect-src allow http://localhost:8081, http://localhost:8083, https://localhost:8081 and https://localhost:8083, as well as external origins including positive-intentions.github.io and multiple telemetry/video endpoints. While not an exploitable issue by itself, these settings increase the blast radius if an XSS or dependency compromise occurs.
Evidence (response header excerpt): content-security-policy: default-src 'self'; ... script-src 'self' http://localhost:8081 http://localhost:8083 https://localhost:8081 https://localhost:8083 https://*.positive-intentions.com https://positive-intentions.github.io/ blob: https://*.clerk.dev https://related-bat-31.clerk.accounts.dev 'unsafe-inline' 'unsafe-eval'; ... connect-src 'self' blob: http://localhost:8081 http://localhost:8083 ... wss://0.peerjs.com ... https://positive-intentions.metered.live;
Vulnerable Code
N/A
Conclusion
No immediate vulnerability; CSP is permissive (hardening recommended)
3. CORS on HTML assets
Analysis
Some HTML responses (e.g., index.html) include Access-Control-Allow-Origin: * and Access-Control-Expose-Headers: *. While no Access-Control-Allow-Credentials header is present and the assets appear to be public, ACAO: * on HTML is generally unnecessary and allows cross-origin sites to programmatically fetch and read these pages. This is not directly exploitable without sensitive content or credentials, but should be hardened where feasible.
Evidence (response headers on some requests): access-control-allow-origin: * access-control-expose-headers: *
Vulnerable Code
N/A
Conclusion
No immediate vulnerability; permissive CORS on HTML (hardening recommended)
4. Information exposure via Storybook index.json
Analysis
Storybook’s index.json is publicly accessible and lists story import paths and component source paths (e.g., ./src/core/PeerProvider.tsx). This is common for public Storybooks, but it reveals the internal file structure, which can assist attackers during reconnaissance.
Evidence: GET https://p2p.positive-intentions.com/index.json returned entries with importPath and componentPath (e.g., ./src/stories/P2PMessaging.stories.js, ./src/core/PeerProvider.tsx).
Vulnerable Code
N/A
Conclusion
No vulnerability: minor information disclosure typical of public Storybook
5. Security headers and transport
Analysis
Positive security posture observed: Strict-Transport-Security (max-age=31536000; includeSubDomains), X-Content-Type-Options: nosniff, and Referrer-Policy: strict-origin-when-cross-origin. A CSP is present (though permissive for scripts/styles, as noted above). Together these reduce exposure to protocol downgrade, MIME-sniffing, and referrer-leakage attacks.
Vulnerable Code
N/A
Conclusion
No vulnerability: good baseline headers in place