# SCAN Briefing: humand-web — 2026-02-13

## Target Profile
- **Repo**: https://github.com/HumandDev/humand-web (private)
- **Clone**: ~/Code/humand/humand-web
- **Platform**: internal review (not bug bounty)
- **Stack**: React 18 + TypeScript + Vite + MUI + Axios + Socket.IO
- **Auth**: JWT (access + refresh tokens), SSO (Azure AD, Okta, Google), OTP, SAML/IDP
- **Files**: 2,564 .ts/.tsx source files
- **Features**: Feed, chat, groups, forms, documents, SCORM courses, marketplace, performance reviews, time tracking, video calls, employee lifecycle, service management
- **Mobile bridge**: React Native WebView via postMessage + URL token passing

## Scan Method
Manual code review focused on: auth flows, token handling, HTML rendering, secrets, access control, third-party integrations.

---

## Findings Summary

| # | ID | Severity | Confidence | Title | Status |
|---|-----|----------|------------|-------|--------|
| 1 | 20 | **HIGH** | high | Hardcoded SCORM Cloud API credentials | triaged |
| 2 | 21 | **HIGH** | high | Refresh tokens in URL path params | triaged |
| 3 | 22 | MEDIUM | high | Access tokens in URL path params | triaged |
| 4 | 23 | MEDIUM | high | postMessage handler—no origin check | triaged |
| 5 | 24 | **HIGH** | medium | Stored XSS via dangerouslySetInnerHTML (8 sinks) | triaged |
| 6 | 25 | MEDIUM | high | EncryptStorage key in bundle | triaged |
| 7 | 26 | MEDIUM | medium | document.domain relaxation | triaged |

---

## Finding Details

### F1 — Hardcoded SCORM Cloud API Credentials (ID 20)
**Severity**: HIGH | **Confidence**: HIGH | **CWE-798**

**Location**: `src/config/api.ts:98-104`

```typescript
export const scormApi = axios.create({
  baseURL: 'https://cloud.scorm.com/api/v2',
  headers: {
    Authorization:
      'Basic NjU3TjRJUllDVDpnVmFSWTJEUExDZ215SUIzeVA2a2tDUmpZcjE4aFJzOUVxMkx2cVdS',
  },
});
```

Decoded: `657N4IRYCT:gVaRY2DPLCgmyIB3yP6kkCRjYr18hRs9Eq2LvqWR`

**Impact**: Anyone who inspects the frontend bundle can extract these credentials and call the SCORM Cloud API v2 directly — reading courses, registrations, learner data; potentially modifying training content.

**Fix**: Move to backend. Frontend should call your own API which proxies to SCORM Cloud with server-side credentials.

---

### F2 — Refresh Tokens Exposed in URL Path (ID 21)
**Severity**: HIGH | **Confidence**: HIGH | **CWE-598**

**Locations**:
- `src/routes.tsx:2505` — `/documents-lacomer-mobile/:refreshToken`
- `src/routes.tsx:2514` — `/requests-banbajio-mobile/:refreshToken`

**Impact**: Refresh tokens are long-lived. They leak via:
- Browser history
- Referer headers to third-party resources
- Server/proxy access logs
- Analytics (Amplitude, Sentry, Clarity are all configured)
- Shoulder surfing

A leaked refresh token = full account takeover until revoked.

**Fix**: Use postMessage or a short-lived one-time code exchanged for tokens via a backend endpoint. Never pass tokens in URLs.

---

### F3 — Access Tokens Exposed in URL Path (ID 22)
**Severity**: MEDIUM | **Confidence**: HIGH | **CWE-598**

**Locations**:
- `src/routes.tsx:1298` — `/events-nemak-mobile/:accessToken`
- `src/routes.tsx:2476` — `/org-chart-mobile/:accessToken/:id`
- `src/routes.tsx:2485` — `/scorm-courses-mobile/:accessToken`
- `src/routes.tsx:2494` — `/recognitions-nemak-mobile/:accessToken`

Additionally, `src/pages/dashboard/scorm/Folders.tsx:64-65` stores the URL token directly to encryptStorage as the active session:
```typescript
if (accessToken && isMobile) {
  encryptStorage.setItem('accessToken', accessToken);
}
```

Same leak vectors as F2 but with shorter-lived tokens.

---

### F4 — postMessage Handler Without Origin Validation (ID 23)
**Severity**: MEDIUM | **Confidence**: HIGH | **CWE-346**

**Location**: `src/hooks/useMobileToken.ts:6-12`

```typescript
const handleMessage = event => {
  if (event.data.type === 'humand') {
    encryptStorage.setItem('accessToken', event.data.token);
  }
};
window.addEventListener('message', handleMessage);
```

No `event.origin` check. Any page that can get a reference to this window (iframe, window.open) can inject/overwrite the stored access token.

**Impact**: Session fixation. Attacker sends `{type: "humand", token: "attacker-jwt"}` → victim's session is hijacked.

**Fix**: Add strict origin validation: `if (event.origin !== expectedOrigin) return;`

---

### F5 — Stored XSS via dangerouslySetInnerHTML (ID 24)
**Severity**: HIGH | **Confidence**: MEDIUM | **CWE-79**

8 components render HTML from server/user data via `dangerouslySetInnerHTML` with **no sanitization** (no DOMPurify, no sanitize-html):

| File | Line | Source of HTML |
|------|------|----------------|
| `src/components/HTMLBody.tsx` | 67 | `body` prop (posts, news articles) |
| `src/pages/dashboard/tickets/components/FAQDialog.tsx` | 58 | `body` prop (FAQ content) |
| `src/components/text/ShowMoreText.tsx` | 93 | `text` prop when `isHtmlText=true` |
| `src/pages/dashboard/performance/components/RichText.tsx` | 38-39 | `text` prop (performance review text) |
| `src/pages/dashboard/libraries/components/LibrarySearchItem.tsx` | 78-80, 122-125 | `library.highlights.title`, `library.highlights.textContent` |
| `src/pages/dashboard/banBajio/useLibraryInfoDrawer.tsx` | 22 | `library.body` |
| `src/pages/dashboard/banBajio/LibraryFullScreen.tsx` | 41 | `library.body` |
| `src/components/Highlighter.tsx` | 83-84 | `transformTagInStrongElement(body, taggedUsers)` |

The DOMParser usage in HTMLBody.tsx and FAQDialog.tsx is **not sanitization** — it only modifies anchor attributes but passes through `<script>`, `<img onerror=...>`, `<svg onload=...>`, etc.

**Confidence is MEDIUM** because exploitability depends on whether the backend sanitizes HTML before storage. If backend stores raw HTML → this is critical. If backend strips dangerous tags → these sinks are safe. The frontend provides **zero defense in depth**.

**Impact if exploitable**: Session hijacking (extract JWT from encryptStorage using the known encryption key from F6), account takeover, data exfiltration, org-wide worm.

**Fix**: Add DOMPurify.sanitize() before every `dangerouslySetInnerHTML` call. Defense in depth — never trust backend sanitization alone.

---

### F6 — EncryptStorage Key Exposed (ID 25)
**Severity**: MEDIUM | **Confidence**: HIGH | **CWE-321**

**Locations**:
- `.env:27` — `VITE_ENCRYPT_STORAGE=HUMAND_DEV__Zrhcx23593uw3cF3soPMAIzaSyBBwSakYwg2ZgayLj8jQMTcCr`
- `.env.production:27` — `VITE_ENCRYPT_STORAGE=HUMAND_PRD__Zrhcx23593uw3cF3soPMAIzaSyBBwSakYwg2ZgayLj8jQMTcCr`

Since all `VITE_` prefixed variables are embedded in the compiled JS bundle, the encryption key is public. Any XSS or extension can use it to decrypt localStorage entries (accessToken, refreshToken, sessionId).

**Impact**: Renders the encrypt-storage wrapper useless. Combined with F5, XSS can trivially extract plaintext tokens.

**Fix**: Accept that client-side "encryption" of localStorage provides no real security against XSS. Focus on preventing XSS (F5) and use HttpOnly cookies for tokens where possible.

---

### F7 — document.domain Relaxation (ID 26)
**Severity**: MEDIUM | **Confidence**: MEDIUM | **CWE-284**

**Location**: `src/pages/dashboard/documents/LaComerDocuments.tsx:72-73`

```typescript
script.innerHTML =
  'try {document.domain = "lacomer.com.mx"; document = "lacomer.com.mx"} catch (ex) {}';
```

Sets `document.domain` to a parent domain, relaxing Same-Origin Policy so any `*.lacomer.com.mx` subdomain can access the Humand app's DOM.

**Impact**: Any XSS on any lacomer.com.mx subdomain could pivot to access Humand tokens and user data.

**Fix**: Remove document.domain usage. Use postMessage for cross-origin communication with the LaComer iframe instead.

---

## Additional Observations (Low/Info)

1. **Production secrets in committed .env files**: Firebase keys, Sentry DSN, Amplitude API key, Clarity ID, GetStream key, Giphy key, Okta/Azure AD client IDs all committed. While most frontend API keys are designed to be public, the SCORM credentials (F1) are not.

2. **No Content-Security-Policy visible in frontend config**: No CSP meta tag or headers configured in index.html or vite config. A strict CSP would mitigate XSS findings significantly.

3. **Performance review external route uses GuestGuard**: `performance/:id/external` allows unauthenticated access. If IDs are sequential/guessable, this could be an IDOR concern (needs backend investigation).

---

## Decision Matrix Application

| Finding | Confidence | Severity | Action |
|---------|-----------|----------|--------|
| F1 (SCORM creds) | high | high | → **fix immediately** |
| F2 (refresh in URL) | high | high | → **fix immediately** |
| F3 (access in URL) | high | medium | → **fix** |
| F4 (postMessage) | high | medium | → **fix** |
| F5 (XSS sinks) | medium | high | → **investigate backend** then fix |
| F6 (encrypt key) | high | medium | → **accept risk or redesign** |
| F7 (document.domain) | medium | medium | → log, fix when touching that code |