Learn by Directing AI
All materials

CLAUDE.md

Todorovi Wines Security Assessment

Client

Dimitar Todorov, Owner and Winemaker at Todorovi Wines. Family winery in the Thracian Valley, Bulgaria. 25 employees (15 seasonal during harvest). Two-year-old online platform with consumer ordering and a wholesale restaurant API.

What you are assessing

A security assessment of two attack surfaces:

  1. Consumer web platform -- online ordering for direct customers (Juice Shop instance)
  2. Restaurant API -- REST API used by 12 wholesale restaurant partners

The Sofia restaurant partner flagged "unusual activity" from the API. Dimitar needs to know if the platform is secure and what risks exist.

Tech stack

  • Juice Shop (port 3000) -- modern web application with API endpoints
  • DVWA (port 8080) -- web application at Medium/High difficulty
  • Grafana (port 3001) -- log viewing and dashboards
  • Loki -- log storage
  • Alloy -- log collection pipeline
  • ZAP -- vulnerability scanning
  • Nuclei -- template-based vulnerability scanning
  • ffuf -- content/directory discovery

Scope

  • In scope: Consumer web platform, restaurant API, monitoring stack, Docker infrastructure
  • Out of scope: Mobile app (Dimitar's nephew's app), Stripe payment processing, production systems, external DNS

Assessment phases

  1. Passive reconnaissance and target profiling
  2. STRIDE threat modelling and TTP selection
  3. Vulnerability scanning (ZAP, Nuclei, ffuf) on both surfaces
  4. Web exploitation (DVWA Medium/High, Juice Shop)
  5. API exploitation (BOLA, mass assignment, JWT)
  6. Detection rule writing (Sigma) for all exploitation patterns
  7. Cross-domain remediation with prevention-plus-detection pairing
  8. CIS Docker Benchmark and OWASP ASVS compliance assessment
  9. Final report (executive summary for Dimitar + technical section)

Verification targets

  • All exploit chains confirmed and documented with business impact
  • Detection rules fire on attack replay and do not fire on normal traffic
  • Each remediation fix verified by re-exploitation
  • Each fix paired with a detection rule (prevention + detection)
  • CIS and ASVS items filtered for relevance with N/A justifications
  • Report has dual audiences: business owner and technical maintainer
  • Findings ordered by CVSS/EPSS/environmental priority

Commit convention

Commit after each assessment phase. Use descriptive messages: "complete passive recon and target profile", "web exploitation findings with detection rules", etc.