🔒 Security Audit Report: realwave.com
Date: February 7, 2026
Auditor: Clawdbot Pentest Subagent
Target: https://www.realwave.com/
Authorization: Fully authorized by site owner (Jake Shore)
Scope: Full external pentest — reconnaissance, HTTP headers, CORS, SSL/TLS, auth, API discovery, client-side, information disclosure, third-party risk, infrastructure
1. Executive Summary
RealWave AI (www.realwave.com) is an Angular-based SPA running on Microsoft IIS 10.0 with an ASP.NET backend, using Firebase for authentication and SignalR for real-time communication. The site uses Go High Level (GHL) as a CRM/marketing platform and integrates with Closebot AI agents.
Critical Findings Overview
| Severity | Count | Summary |
|---|---|---|
| CRITICAL | 0 | — |
| HIGH | 3 | Missing security headers (CSP, HSTS, X-Frame-Options), server/tech fingerprinting, exposed sensitive identifiers |
| MEDIUM | 5 | Wildcard CORS on link subdomain, missing SRI on external scripts, Firebase config in client JS, verbose console logging, exposed webhook URL |
| LOW | 4 | X-Powered-By header exposed, no sitemap.xml, IIS default error pages, no security.txt |
| INFO | 4 | Tech stack details, subdomain mapping, DNS records, SPA catch-all behavior |
Overall Risk Rating: MEDIUM-HIGH — The site lacks critical security headers, exposes server technology details, and has exploitable CORS configurations on subdomains. No data breaches or critical auth bypasses were found, but the attack surface is larger than necessary.
2. Tech Stack Identification
| Component | Technology | Evidence |
|---|---|---|
| Web Server | Microsoft IIS 10.0 | Server: Microsoft-IIS/10.0 header |
| Backend | ASP.NET (C#) | X-Powered-By: ASP.NET header, SignalR hubs |
| Frontend | Angular (v17+) | data-critters-container, app-root component, Angular module patterns in JS |
| Auth | Firebase Auth | Firebase config in main.js, Google sign-in |
| Real-time | SignalR | /chatHub and /uiHub endpoints |
| CRM/Marketing | Go High Level (GHL) | link.realwave.com → GHL, location ID 8jJylXIxcMrt2E2RW0hW |
| AI Platform | Closebot | Agent library, persona system referenced |
| CDN | None (direct IP) | IP 162.43.207.214 directly exposed |
| SSL | Let's Encrypt (R13) | Wildcard cert *.realwave.com, expires April 21, 2026 |
| DNS | GoDaddy (ns55/ns56.domaincontrol.com) | NS records |
| Email | Microsoft 365 | MX → realwave-com.mail.protection.outlook.com |
| Analytics | Google Analytics 4 | Tag: G-70DG95YYYQ |
| Hosting | Custom/VPS | IP 162.43.207.214, no CDN, Windows Server |
Subdomains Discovered
| Subdomain | Points To | Service |
|---|---|---|
| www.realwave.com | 162.43.207.214 | Main site (IIS) |
| realwave.com | 162.43.207.214 | Same (no non-www→www redirect on HTTPS) |
| blog.realwave.com | 162.43.207.214 | Static blog (IIS) |
| api.realwave.com | 162.43.207.214 (via CNAME) | Same as www (SPA catch-all) |
| link.realwave.com | GHL/LeadConnector | Go High Level CRM |
| lc.realwave.com | Cloudflare-protected | GHL (Cloudflare challenge) |
| app.realwave.com | app.msgsndr.com → 35.202.49.152 | GHL white-label app |
DNS TXT Records of Interest
- firebase=gpteam-37d0c — Firebase project identifier
- openai-domain-verification=dv-hIUwmeo0pVXRaekLaIHCjL4u — OpenAI domain verification
- Dual SPF records (potential conflict): one for Outlook, one for Firebase
3. HTTP Security Headers Analysis
Headers Present on www.realwave.com
| Header | Value | Status |
|---|---|---|
| Server | Microsoft-IIS/10.0 | ⚠️ Exposed |
| X-Powered-By | ASP.NET | ⚠️ Exposed |
| Content-Type | text/html | ✅ Present |
| ETag | Present | ✅ |
MISSING Security Headers
| Header | Status | Impact |
|---|---|---|
| Content-Security-Policy | ❌ MISSING | HIGH — No protection against XSS, script injection, data exfiltration |
| Strict-Transport-Security | ❌ MISSING | HIGH — No HSTS enforcement; vulnerable to SSL stripping (MITM) |
| X-Frame-Options | ❌ MISSING | HIGH — Vulnerable to clickjacking attacks |
| X-Content-Type-Options | ❌ MISSING | MEDIUM — Browser may MIME-sniff responses |
| X-XSS-Protection | ❌ MISSING | LOW — Legacy header, but still useful for older browsers |
| Referrer-Policy | ❌ MISSING | MEDIUM — May leak referrer data to third parties |
| Permissions-Policy | ❌ MISSING | MEDIUM — Browser features (camera, mic, etc.) not restricted |
| Cross-Origin-Opener-Policy | ❌ MISSING | LOW |
| Cross-Origin-Resource-Policy | ❌ MISSING | LOW |
Comparison: lc.realwave.com (Cloudflare) has excellent headers:
- ✅ x-content-type-options: nosniff
- ✅ referrer-policy: same-origin
- ✅ permissions-policy (comprehensive)
- ✅ cross-origin-embedder-policy: require-corp
- ✅ cross-origin-opener-policy: same-origin
- ✅ cross-origin-resource-policy: same-origin
- ✅ origin-agent-cluster: ?1
This proves that proper headers are achievable — the main site simply hasn't been configured.
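As an added example (not part of this audit and not the site's own code), the following Python check applies the "MISSING Security Headers" table above to any response-header mapping, flags the fingerprinting headers, and, when a Content-Security-Policy is present, reports the 'unsafe-inline' and 'unsafe-eval' allowances that the web.config recommended in section 13 still carries in script-src. The header values are constructed from what the report lists; the ETag value is a placeholder.

```python
import re
from typing import Dict, List

# Headers the report treats as required on the main site (section 3).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
# Headers that fingerprint the stack and should not be sent at all.
FINGERPRINT_HEADERS = ("server", "x-powered-by")

# Constructed from the "Headers Present" table: what www.realwave.com sent.
WWW_HEADERS = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "Content-Type": "text/html",
    "ETag": '"constructed-etag"',
}

# Constructed from the web.config recommended in section 13 (the CSP is
# shortened to the script-src part that the check cares about).
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' https://www.googletagmanager.com 'unsafe-inline' 'unsafe-eval'; "
        "style-src 'self' 'unsafe-inline'"
    ),
}


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response; an empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing {name}")
    for name in FINGERPRINT_HEADERS:
        if name in h:
            findings.append(f"fingerprint {name}: {h[name]}")
    # HSTS only helps if max-age is long enough (one year is the preload minimum).
    hsts = h.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not match or int(match.group(1)) < 31536000):
        findings.append("weak hsts: max-age below one year")
    csp = h.get("content-security-policy")
    if csp:
        directives = parse_csp(csp)
        script_src = directives.get("script-src", directives.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script_src:
                findings.append(f"weak csp: {weak} in script-src")
        # Clickjacking needs either frame-ancestors or X-Frame-Options.
        if "frame-ancestors" not in directives and "x-frame-options" not in h:
            findings.append("missing frame-ancestors and x-frame-options")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("www", WWW_HEADERS), ("recommended", RECOMMENDED_HEADERS)):
        print(label, audit_headers(hdrs) or ["clean"])
```

Running it against the current www headers yields eight findings (six missing headers, two fingerprints); against the recommended configuration it yields only the two script-src allowances, which is the caveat to keep in mind: the recommended CSP closes the missing-header finding but does not yet stop inline script injection.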
4. CORS Analysis
www.realwave.com — Selective Origin Reflection with Credentials
| Test Origin | Access-Control-Allow-Origin | Allow-Credentials |
|---|---|---|
| https://evil.com | ❌ Not reflected | — |
| https://realwave.com | ✅ Reflected | true |
| https://blog.realwave.com | ✅ Reflected | true |
| https://evil.realwave.com | ❌ Not reflected | — |
| https://realwave.com.evil.com | ❌ Not reflected | — |
| https://link.realwave.com | ❌ Not reflected | — |
| null | ❌ Not reflected | — |
Assessment: The main site's CORS policy is reasonably configured — it only reflects known subdomains and doesn't reflect arbitrary origins. However, Access-Control-Allow-Credentials: true with reflected origins means any compromised subdomain can make authenticated cross-origin requests.
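The behaviour in the table is what an exact-match origin allow-list produces. As an added example (not the site's code, whose server-side list is not visible from outside), the following Python shows that pattern next to the substring test it replaces, using the same test origins as the table; the allow-list contents are constructed from the origins the report saw reflected.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list: the origins the report saw reflected with credentials.
ALLOWED_ORIGINS = frozenset({
    "https://www.realwave.com",
    "https://realwave.com",
    "https://blog.realwave.com",
})


def cors_response_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Return CORS headers for a credentialed request, or {} to refuse it.

    Only an exact, normalised match against ALLOWED_ORIGINS passes; "null",
    absent origins, non-HTTPS schemes and anything carrying a path, query or
    fragment are refused.
    """
    if not request_origin or request_origin == "null":
        return {}
    parts = urlsplit(request_origin)
    if parts.scheme.lower() != "https" or parts.path or parts.query or parts.fragment:
        return {}
    normalised = f"https://{parts.netloc.lower()}"
    if normalised not in ALLOWED_ORIGINS:
        return {}
    return {
        # Echo the exact matched origin; "*" is not permitted with credentials.
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        # Keep shared caches from serving one origin's answer to another.
        "Vary": "Origin",
    }


def substring_check(request_origin: Optional[str]) -> bool:
    """The pattern to avoid: a substring test also accepts hosts the owner does not control."""
    return "realwave.com" in (request_origin or "")


if __name__ == "__main__":
    for origin in ("https://realwave.com", "https://evil.realwave.com",
                   "https://realwave.com.evil.com", "null"):
        print(origin, cors_response_headers(origin), substring_check(origin))
```

Because every listed origin is echoed with Allow-Credentials: true, the list should hold only the origins that genuinely need authenticated cross-origin calls; if blog.realwave.com never calls the API with credentials, dropping it from the list is the cheapest way to shrink the exposure the assessment above describes.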
⚠️ link.realwave.com — WILDCARD CORS WITH FULL ACCESS
| Header | Value |
|---|---|
| Access-Control-Allow-Origin | * (wildcard) |
| Access-Control-Allow-Methods | GET,HEAD,PUT,PATCH,POST,DELETE |
| Access-Control-Allow-Headers | Content-Type,Authorization |
Risk: This is a Go High Level platform limitation, not your server config. The wildcard CORS allows ANY website to make API requests to link.realwave.com. Since Authorization is in allowed headers, if tokens are ever passed via this subdomain, they could be stolen. Since this is GHL's infrastructure, you can't directly fix it, but be aware.
GHL Webhook — Wildcard CORS
https://services.leadconnectorhq.com/hooks/... also has Access-Control-Allow-Origin: *. This is GHL's choice.
5. Cookie/Session Analysis
| Finding | Detail |
|---|---|
| Session Mechanism | Firebase Auth (client-side tokens) + SignalR session tokens |
| Cookies Set | ❌ No cookies observed on initial page load |
| Token Storage | Tokens stored in browser (likely localStorage/sessionStorage via Firebase SDK) |
| SignalR Auth | Token-based via query parameter and headers |
Note: The Angular app uses Firebase for authentication. No traditional session cookies were observed — auth state is managed entirely client-side via Firebase SDK and passed to the ASP.NET backend via Bearer tokens. This is a modern approach but requires strict CSP to prevent token theft via XSS.
6. API/Endpoint Discovery
Backend API Endpoints (discovered from main.js)
All live API endpoints require authentication (return 401 without a token); paths marked "SPA catch-all" are handled by Angular routing rather than the backend:
| Endpoint | Auth Required | Notes |
|---|---|---|
| /api/Academy/AgentLibrary | ✅ 401 | Agent library management |
| /api/Academy/Lessons | ✅ 401 | Lesson management |
| /api/Academy/Personas | ✅ 401 | AI persona management |
| /api/Academy/Snapshots | ✅ 401 | Snapshot management |
| /api/Academy/Workflows | ✅ 401 | Workflow management |
| /api/admin/conversations | ✅ 401 | Admin conversations |
| /api/admin/locations | SPA catch-all | Angular handles route |
| /api/admin/notifications | ✅ 401 | Admin notifications |
| /api/audit-agent/projects | ✅ 401 | Audit agent projects |
| /api/audit-analytics | ✅ 401 | Analytics |
| /api/avatars/list | ✅ 401 | Avatar listing |
| /api/CloseBot | SPA catch-all | Angular handles route |
| /api/kb/projects | SPA catch-all | Knowledge base |
| /api/marketing/media-library | ✅ 401 | Media library |
| /api/marketing/projects | ✅ 401 | Marketing projects |
| /api/Notification | ✅ 401 | Notifications |
| /api/subscriptions/customers | ✅ 401 | Customer data |
| /api/subscriptions/products | ✅ 401 | Product data |
| /api/UserContent | SPA catch-all | User content |
SignalR Hubs
| Hub | Path | Auth |
|---|---|---|
| ChatHub | /chatHub/negotiate?uid={id}&negotiateVersion=1 | ✅ 401 |
| UIHub | /uiHub/negotiate?uid={id}&negotiateVersion=1 | ✅ 401 |
Positive: All API endpoints properly return 401 without authentication. No unauthenticated data leaks.
SPA Catch-All Behavior
The Angular SPA's URL rewriting causes ALL paths to return 200 with the index.html content (63,342 bytes). This means:
- /.git/HEAD → 200 (but returns SPA HTML, not git data)
- /admin → 200 (but returns SPA HTML)
- /server-status → 200 (but returns SPA HTML)
This is NOT an actual exposure — it's just the IIS URL rewrite rule serving the Angular app for all routes.
7. Client-Side Analysis
Firebase Configuration Exposed in main.js
apiKey: "AIzaSyBdlwRi-iJImV0sdCE8gGxBpym4slvEgv8"
projectId: "gpteam-37d0c"
storageBucket: "gpteam-37d0c.appspot.com"
messagingSenderId: "625845939976"
appId: "1:625845939976:web:4ac6a8e7a5208fe1f786bd"
Risk Level: MEDIUM — Firebase API keys are designed to be public (client-side), but this information combined with the project ID could allow:
- Enumeration of Firebase Auth users (if sign-up is open)
- Abuse of Firebase services if Firestore/Storage security rules are misconfigured
- Cost amplification attacks if rate limiting is not configured
Recommendation: Ensure Firebase Security Rules are locked down, API key restrictions are set in Google Cloud Console (HTTP referrer restrictions), and Firebase App Check is enabled.
GHL Location ID Exposed
The Go High Level location ID 8jJylXIxcMrt2E2RW0hW appears in:
- Form widget URLs
- Webhook URLs
- JavaScript bundle
- API request patterns
This ID combined with the exposed webhook URL could allow:
- Spam submissions to the webhook
- Enumeration of GHL features
Webhook URL Exposed
https://services.leadconnectorhq.com/hooks/8jJylXIxcMrt2E2RW0hW/webhook-trigger/TojDcSAx1jRu84taBZ9s
This webhook is publicly accessible and responds to requests (returns error for invalid payloads). An attacker could:
- Send crafted payloads to trigger workflows
- Potentially spam the CRM with fake data
Console Logging in Production
The Angular app outputs verbose debug logging to the browser console:
[SignalRService] ctor: initializing connections with uid=-1 placeholders
[SignalRService] Starting ChatHub to https://www.realwave.com/chatHub?uid=-1
[SignalRService] ⚠️ NO SESSION TOKEN FOUND!
Getting page title for route: /
This reveals:
- Internal service architecture (SignalR hub names and URLs)
- Authentication flow details
- User ID patterns (numeric, starting from -1 for unauthenticated)
Third-Party Script URLs in Bundle
The JS bundle contains references to numerous external services:
- app.closebot.com — Closebot AI
- app.gohighlevel.com — GHL platform
- calendly.com/realwave — Scheduling
- calendly.com/ofer-9ckg/consulting-meeting-clone — Personal Calendly link
- try.gamma.app/realwave — Gamma presentations
- img.youtube.com — YouTube embeds
- Various API documentation URLs
8. Input Validation Results
Form Discovery
- Login form (Firebase-based): /login
- Sign-up form: /sign-up
- GHL embedded forms via link.realwave.com/widget/form/
- Contact/lead capture forms embedded from GHL
Testing Limitations: Since authentication is Firebase-based (client-side SDK), traditional SQL injection is not applicable to the auth flow. The GHL forms are hosted on GHL infrastructure, outside the direct scope.
The Angular app uses client-side routing with no server-side rendering for public pages, limiting traditional injection vectors on the main domain.
9. Information Disclosure Findings
| Finding | Severity | Detail |
|---|---|---|
| Server: Microsoft-IIS/10.0 | MEDIUM | Reveals exact web server version |
| X-Powered-By: ASP.NET | LOW | Confirms backend technology |
| IIS default 404 error page | LOW | /web.config returns IIS-branded 404 instead of custom error |
| Console debug logging | MEDIUM | Reveals SignalR architecture, auth flow, user ID scheme |
| Firebase project details | MEDIUM | Full Firebase config in client JS |
| GHL Location ID | MEDIUM | 8jJylXIxcMrt2E2RW0hW exposed in multiple places |
| Webhook URL | MEDIUM | Publicly callable GHL webhook |
| Calendly personal link | LOW | Personal booking link exposed in JS |
| OpenAI domain verification | INFO | DNS TXT record confirms OpenAI API usage |
| Source maps | ✅ Not exposed | .js.map files return 404 |
| .git directory | ✅ Not exposed | Returns SPA catch-all HTML |
| .env file | ✅ Not exposed | Returns 404 |
10. Third-Party Risk Assessment
External Scripts Loaded
| Script | SRI? | Risk |
|---|---|---|
| googletagmanager.com/gtag/js?id=G-70DG95YYYQ | ❌ No | MEDIUM — Google Analytics, no integrity check |
| code.jquery.com/jquery-3.7.1.min.js | ✅ Yes | Low — SRI hash verified |
| cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js | ✅ Yes | Low — SRI hash verified |
| cdnjs.cloudflare.com/ajax/libs/bootstrap-markdown/2.10.0/js/bootstrap-markdown.min.js | ❌ No | MEDIUM — No integrity verification |
| link.realwave.com/js/form_embed.js | ❌ No | Low — First-party (GHL) |
| cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css | ❌ No | MEDIUM — No integrity verification |
| cdnjs.cloudflare.com/ajax/libs/bootstrap-markdown/2.10.0/css/bootstrap-markdown.min.css | ❌ No | LOW — CSS, lower risk |
| fonts.googleapis.com | N/A | Low — Font loading |
| fonts.gstatic.com | N/A | Low — Font files |
5 out of 7 external scripts/stylesheets lack SRI (Subresource Integrity). If any CDN is compromised, malicious code could be injected into the site.
Monaco Editor
The site loads Monaco Editor assets from a local path (assets/monaco-editor/min/vs/...), which is good — self-hosted rather than CDN-loaded.
11. SSL/TLS Analysis
| Check | Result |
|---|---|
| Protocol | TLS 1.3 ✅ |
| Cipher | AEAD-CHACHA20-POLY1305-SHA256 ✅ |
| Certificate | Let's Encrypt R13 ✅ |
| Wildcard | *.realwave.com + realwave.com ✅ |
| Validity | Jan 21 – Apr 21, 2026 ✅ |
| HTTP → HTTPS | 302 redirect ✅ |
| HSTS | ❌ Not set |
| HSTS Preload | ❌ Not on preload list |
| Mixed Content | Not observed ✅ |
Non-www HTTPS Issue
https://realwave.com serves the site directly without redirecting to https://www.realwave.com. This means:
- Two separate origins can serve the same content
- Cookie scope issues if cookies are ever set
- SEO duplicate content issues
12. Severity-Rated Findings Table
| # | Finding | Severity | Category | CVSS-like |
|---|---|---|---|---|
| 1 | No Content-Security-Policy header | 🔴 HIGH | Headers | 7.1 |
| 2 | No Strict-Transport-Security (HSTS) | 🔴 HIGH | Headers/SSL | 7.0 |
| 3 | No X-Frame-Options / frame-ancestors CSP | 🔴 HIGH | Headers | 6.5 |
| 4 | Wildcard CORS on link.realwave.com | 🟡 MEDIUM | CORS | 5.8 |
| 5 | Missing SRI on 5 external scripts/styles | 🟡 MEDIUM | Third-Party | 5.5 |
| 6 | Firebase config exposed in client JS | 🟡 MEDIUM | Info Disclosure | 5.0 |
| 7 | Verbose console debug logging in production | 🟡 MEDIUM | Info Disclosure | 4.5 |
| 8 | GHL webhook URL publicly exposed | 🟡 MEDIUM | Info Disclosure | 4.5 |
| 9 | Server header reveals IIS 10.0 | 🟢 LOW | Headers | 3.5 |
| 10 | X-Powered-By: ASP.NET exposed | 🟢 LOW | Headers | 3.0 |
| 11 | No X-Content-Type-Options header | 🟢 LOW | Headers | 3.0 |
| 12 | No Referrer-Policy header | 🟢 LOW | Headers | 3.0 |
| 13 | No Permissions-Policy header | 🟢 LOW | Headers | 2.5 |
| 14 | IIS default error pages (info leak) | 🟢 LOW | Info Disclosure | 2.0 |
| 15 | No security.txt | 🟢 LOW | Best Practice | 1.0 |
| 16 | No sitemap.xml | ℹ️ INFO | SEO | 0.5 |
| 17 | Dual SPF records (potential conflict) | ℹ️ INFO | DNS | 1.0 |
| 18 | Non-www HTTPS doesn't redirect to www | ℹ️ INFO | Config | 1.0 |
| 19 | GHL location ID exposed | ℹ️ INFO | Info Disclosure | 1.0 |
13. Recommendations (Priority Order)
🔴 HIGH PRIORITY — Implement Immediately
1. Add Security Headers (IIS web.config)
Add these headers to your IIS configuration:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- Remove backend identification -->
      <remove name="X-Powered-By" />
      <remove name="Server" />
      <!-- Security headers -->
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
      <add name="X-Frame-Options" value="DENY" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
      <add name="Permissions-Policy" value="camera=(), microphone=(), geolocation=(), payment=()" />
      <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' https://www.googletagmanager.com https://code.jquery.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://link.realwave.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com 'unsafe-inline'; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data: https: blob:; connect-src 'self' wss: https:; frame-src https://link.realwave.com https://www.google.com/recaptcha/ https://www.youtube.com;" />
    </customHeaders>
  </httpProtocol>
  <!-- Remove the IIS Server header; removeServerHeader is what actually strips it (available since IIS 10.0) -->
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>
2. Enable HSTS and Submit to Preload List
After adding the HSTS header, submit to https://hstspreload.org/ for inclusion in browser preload lists.
3. Configure X-Frame-Options
Set to DENY (if site never needs framing) or SAMEORIGIN (if needed for internal iframes).
🟡 MEDIUM PRIORITY — Address Soon
4. Add SRI to All External Scripts
<!-- Add integrity attributes to all CDN scripts -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-markdown/2.10.0/js/bootstrap-markdown.min.js"
integrity="sha384-..." crossorigin="anonymous"></script>
Generate SRI hashes using: https://www.srihash.org/
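The integrity value can also be produced offline from the exact bytes the CDN serves. The following Python is an added example (not part of the report or the site's code) that both computes the sha384 token and scans an HTML page for cross-origin scripts and stylesheets lacking an integrity attribute; the sample page is constructed from the seven resources listed in section 10, with placeholder hashes on the two that already carry SRI.

```python
import base64
import hashlib
import re
from typing import Iterable, List


def sri_integrity(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token ('sha384-<base64 digest>') for exactly the bytes given.

    Hash the file as the CDN serves it; any change to those bytes (including a
    version bump) invalidates the token and the browser refuses to load it.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


_TAG = re.compile(r"<(script|link)\b[^>]*>", re.IGNORECASE)
_ATTR = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')


def resources_without_sri(html: str, own_hosts: Iterable[str]) -> List[str]:
    """List URLs of cross-origin scripts and stylesheets that carry no integrity attribute."""
    own = {h.lower() for h in own_hosts}
    missing: List[str] = []
    for match in _TAG.finditer(html):
        tag = match.group(1).lower()
        attrs = {k.lower(): v for k, v in _ATTR.findall(match.group(0))}
        if tag == "link" and attrs.get("rel", "").lower() != "stylesheet":
            continue  # preconnect/icon links load nothing executable
        url = attrs.get("src" if tag == "script" else "href", "")
        if not url.lower().startswith("https://"):
            continue  # relative, same-origin paths need no SRI
        host = url.split("/")[2].lower()
        if host in own:
            continue
        if "integrity" not in attrs:
            missing.append(url)
    return missing


# Constructed page fragment mirroring the external resources in section 10;
# the two integrity values are placeholders, not the real hashes.
SAMPLE_HTML = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-70DG95YYYQ"></script>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-markdown/2.10.0/js/bootstrap-markdown.min.js"></script>
<script src="https://link.realwave.com/js/form_embed.js"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-markdown/2.10.0/css/bootstrap-markdown.min.css">
<script src="/main.js"></script>
"""

if __name__ == "__main__":
    print(sri_integrity(b"/* fetched CDN file bytes go here */"))
    for url in resources_without_sri(SAMPLE_HTML, {"www.realwave.com"}):
        print("no SRI:", url)
```

On the constructed sample the scan reports the same five resources the report counts. Note that a form-embed script that GHL updates in place cannot be pinned this way without breaking when it changes; that is why the report rates it Low rather than asking for a hash.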
5. Remove Console Debug Logging in Production
Strip or conditionally disable all console.log, console.error debug messages in the production Angular build. Use Angular's environment.production flag:
if (!environment.production) {
console.log('[SignalRService] ...');
}
6. Secure Firebase Configuration
- Enable Firebase App Check
- Restrict the API key in Google Cloud Console (HTTP referrer restrictions to realwave.com and subdomains only)
- Audit Firestore security rules
- Audit Firebase Storage security rules
7. Protect GHL Webhook
- Add authentication/secret validation to the webhook endpoint
- Or implement rate limiting on the GHL webhook
- Consider using a proxy that validates requests before forwarding to GHL
🟢 LOW PRIORITY — Best Practices
8. Remove Server Fingerprinting
Configure IIS to suppress the Server header or return a generic value.
9. Custom Error Pages
Replace default IIS 404/500 error pages with custom branded pages that don't reveal server technology.
10. Add security.txt
Create /.well-known/security.txt with contact information for security researchers.
11. Fix Non-www HTTPS Redirect
Configure https://realwave.com to 301 redirect to https://www.realwave.com for consistency.
12. Resolve Dual SPF Records
Having two SPF records (one for Outlook, one for Firebase) can cause email deliverability issues. Merge them into one:
"v=spf1 include:spf.protection.outlook.com include:_spf.firebasemail.com -all"
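As an added example (not from the report), the following Python detects the dual-record condition from a zone's TXT values and builds the single merged record shown above, keeping the strictest "all" qualifier and checking the RFC 7208 limit of ten DNS-lookup terms. The TXT record set is constructed from the two senders the report names; the OpenAI verification value is a placeholder.

```python
from typing import List, Optional

# Strictest-to-loosest ranking for the final "all" mechanism.
_ALL_RANK = {"-all": 0, "~all": 1, "?all": 2, "+all": 3, "all": 3}
# Mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT record set modelled on section 2: two SPF records plus the
# unrelated verification records that share the zone apex.
TXT_RECORDS = [
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=spf1 include:_spf.firebasemail.com ~all",
    "firebase=gpteam-37d0c",
    "openai-domain-verification=dv-PLACEHOLDER",
]


def spf_records(txt_records: List[str]) -> List[str]:
    """Return the TXT values that start an SPF policy; more than one is invalid per RFC 7208."""
    return [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]


def _costs_lookup(term: str) -> bool:
    base = term.lstrip("+-~?").lower()
    name = base.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
    return name in _LOOKUP_NAMES


def lookup_count(record: str) -> int:
    """Count the DNS-lookup terms in one SPF record (only direct terms, not nested includes)."""
    return sum(_costs_lookup(t) for t in record.split()[1:])


def merge_spf(txt_records: List[str]) -> str:
    """Combine every SPF record into one, preserving order and the strictest 'all'."""
    records = spf_records(txt_records)
    if not records:
        raise ValueError("no SPF record present")
    mechanisms: List[str] = []
    final: Optional[str] = None
    for rec in records:
        for term in rec.split()[1:]:
            low = term.lower()
            if low in _ALL_RANK:
                if final is None or _ALL_RANK[low] < _ALL_RANK[final]:
                    final = low
                continue
            if term not in mechanisms:  # drop duplicates across records
                mechanisms.append(term)
    merged = " ".join(["v=spf1", *mechanisms, final or "-all"])
    if lookup_count(merged) > 10:
        raise ValueError("merged record exceeds the 10 DNS-lookup limit")
    return merged


if __name__ == "__main__":
    print(len(spf_records(TXT_RECORDS)), "SPF records found")
    print(merge_spf(TXT_RECORDS))
```

The merged output matches the record recommended above. Only the direct lookup terms are counted here; the includes themselves pull in further lookups, so the real total must be confirmed by resolving them before publishing.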
13. Add sitemap.xml
Create and submit a sitemap.xml for proper search engine indexing.
14. Positive Security Findings ✅
| Finding | Detail |
|---|---|
| ✅ All API endpoints require authentication | 401 returned without token |
| ✅ SignalR hubs require authentication | 401 for unauthenticated negotiate |
| ✅ TLS 1.3 with strong cipher | Modern, secure encryption |
| ✅ HTTP → HTTPS redirect | 302 redirect in place |
| ✅ Source maps not exposed | .js.map returns 404 |
| ✅ No .git/.env exposure | SPA catch-all, not real data |
| ✅ jQuery and Bootstrap have SRI | Integrity verified |
| ✅ Main domain CORS is reasonable | Only reflects known subdomains |
| ✅ No directory listing | IIS properly configured |
| ✅ Let's Encrypt auto-renewal | Certificate management automated |
| ✅ Firebase Auth (client-side) | Modern, secure auth approach |
| ✅ No SQL injection vectors on main domain | SPA architecture + Firebase auth |
| ✅ reCAPTCHA integration | Bot protection available |
15. Infrastructure Notes
- IP Address: 162.43.207.214 — Directly exposed (no CDN/WAF)
- Recommendation: Consider placing behind Cloudflare or similar CDN/WAF for:
  - DDoS protection
  - Bot mitigation
  - Automatic security headers
  - Origin IP hiding
  - Edge caching
The lc.realwave.com subdomain already uses Cloudflare and has excellent security headers — extending this to the main domain would be a significant improvement.
Report generated: February 7, 2026 at 00:05 EST
All findings are based on external (black-box) testing without authentication.