Pentester: xzens
Target Domains: checkproof.com, admin.checkproof.com, api.checkproof.com, app.checkproof.com
Date: 25 February 2026 to 7 March 2026
This report documents a vulnerability assessment conducted on the digital infrastructure of CheckProof, an industrial asset management platform. The investigation included metadata analysis, server stability testing, and third-party library auditing.
Several critical vulnerabilities were identified which, when chained together, could lead to sensitive data exposure and administrative account takeover.
The first phase involved passive reconnaissance techniques against the source code of the administrative application's front-end.
The application uses the Ember.js framework, which by default stores configuration inside <meta> tags. It was found that the developers had included sensitive credentials in this public configuration.
https://admin.checkproof.com/dashboard, requested via Burp Suite
2Y4FjXzWh************************7XL (CRITICAL)
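A build-time check for the finding above, added here as an example and not taken from the report or from CheckProof's code: it decodes the Ember config/environment <meta> tag in a built index.html and lists every secret-like key that would ship to browsers. The key-name patterns, the function names and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example: audit an Ember build's index.html for secret-like config keys.
// The key-name patterns below are an assumption; extend them for your own naming.
const SECRET_KEY = /(secret|token|passw(or)?d|api[_-]?key|private|credential)/i;

// Ember CLI serialises config/environment.js into
// <meta name="<app>/config/environment" content="<URL-encoded JSON>">.
function extractEmberConfigs(html) {
  const configs = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const name = /\bname="([^"]*)"/i.exec(tag);
    const content = /\bcontent="([^"]*)"/i.exec(tag);
    if (!name || !content || !name[1].endsWith('/config/environment')) continue;
    try {
      configs.push({ name: name[1], config: JSON.parse(decodeURIComponent(content[1])) });
    } catch (err) {
      configs.push({ name: name[1], config: null, error: err.message });
    }
  }
  return configs;
}

// Return the dotted path of every non-empty string stored under a secret-like key.
function findSecretPaths(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (typeof child === 'string' && child !== '' && SECRET_KEY.test(key)) hits.push(here);
    hits.push(...findSecretPaths(child, here));
  }
  return hits;
}

// One finding line per exposed key; an undecodable tag is reported, not skipped.
function auditHtml(html) {
  return extractEmberConfigs(html).flatMap(({ name, config, error }) =>
    error ? [`${name}: unparseable (${error})`]
          : findSecretPaths(config).map((p) => `${name}: ${p}`));
}

// Constructed sample input (not taken from the tested application).
const sampleConfig = {
  modulePrefix: 'demo-admin', rootURL: '/',
  APP: { name: 'demo-admin', version: '1.0.0' },
  thirdParty: { apiKey: 'EXAMPLE-PLACEHOLDER-VALUE', publicHost: 'https://example.invalid' },
};
const sampleHtml = `<meta name="demo-admin/config/environment" content="${encodeURIComponent(JSON.stringify(sampleConfig))}">`;
console.log(auditHtml(sampleHtml));
```

Run against the build output in CI, any reported path is a value that should be moved to the server side and rotated if it was already published.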