DEV Community

0trust0day

Resillion — when those who preach cybersecurity forget to practice it

How those who proclaim themselves the foremost guardians and gurus of cybersecurity consistently fail to uphold even the most basic principles of information security. They neglect routine system updates, ignore fundamental hygiene, and seem unaware of elementary technical concepts like CSRF protection. Enter the latest in the long line of self-declared cybersecurity experts: Resillion.

Resillion — vulnerabilities
Why This Matters
In an era where cyberattacks, data leaks, and privacy violations are a near-daily occurrence, organizations offering cybersecurity services are expected to operate under the strictest discipline. They are not merely vendors; they are entrusted with safeguarding data, processes, and compliance across entire industries. Therefore, it is not only ironic but deeply concerning when a company like Resillion, branding itself as a cybersecurity powerhouse, fails to apply the most basic protective measures to its own infrastructure.

A passive and active vulnerability scan conducted on https://www.resillion.com/ reveals an array of issues — many of which would be unacceptable for any commercial site, let alone one purporting to lead the industry in digital assurance, red-teaming, and secure infrastructure. Below is a detailed breakdown of technical issues discovered, accompanied by a legal analysis through the lens of GDPR and the NIS Directive (as amended by NIS2), as well as potential financial and reputational liabilities.

  1. Absence of CSRF Protection (ZAP Alert 10202)
Technical Summary: The site contains multiple HTML forms (wpcf7-f252-o1, wpcf7-f391-o2) with no anti-CSRF tokens or mechanisms present. No sign of standard field names such as csrf_token, __RequestVerificationToken, or OWASP_CSRFTOKEN was detected.

Why This Is Dangerous:
CSRF (Cross-Site Request Forgery) allows attackers to trick users into unknowingly submitting requests on their behalf. For instance, changing contact preferences, submitting sensitive queries, or activating subscription forms — all without user awareness. If combined with other session-related vulnerabilities, it could lead to identity takeover or unauthorized access.

NIS Directive Violation:
Article 14 of NIS2 mandates appropriate technical and organizational measures to manage security risks. Leaving critical forms unprotected is a textbook example of what the Directive seeks to avoid: exposure through elementary negligence.

GDPR Violation:
CSRF attacks can result in unauthorized processing of personal data — violating Article 5(1)(a) (lawfulness, fairness) and Article 32 (security of processing). If malicious submissions are possible (e.g. forged opt-ins or service abuse), Articles 33 and 34 (breach notification) may also be triggered.

Potential Fine:
Up to €10 million or 2% of global annual revenue, depending on severity and intent.

  2. Missing Content Security Policy (CSP) (ZAP Alert 10038)
Technical Summary: None of the HTTP responses from Resillion’s site include a Content-Security-Policy header, which is critical for modern XSS protection.

Why This Is Dangerous:
CSP allows domain owners to restrict which scripts, styles, or other resources the user’s browser may load and execute. Without it, nothing in the browser limits what an injected script can do — especially problematic in WordPress environments, where vulnerable plugins or themes are a common entry point for the injection itself.

NIS Directive Violation:
Again, this falls under Article 14, with special emphasis on “preventing and minimizing the impact of incidents.” CSP is no longer optional — it is a baseline defense.

GDPR Violation:
Malicious scripts injected via XSS can scrape user input, extract cookies, hijack sessions, or exfiltrate personal data. These outcomes directly violate Articles 25 (Data protection by design) and 32 (Integrity and confidentiality).

Potential Fine:
GDPR Article 83(4) and (5) — fines up to €10–20 million depending on user data volume and breach context.

  3. No Subresource Integrity (SRI) (ZAP Alert 90003)
Technical Summary: Over 40 linked resources (scripts, stylesheets) from domains like Google Fonts, CDNJS, Cloudflare, and wpmucdn are embedded without an integrity attribute.

Why This Is Dangerous:
Without SRI, there is no guarantee that the third-party file being loaded is untampered. If a CDN is compromised, malicious code can silently execute in users’ browsers — fully trusted by the application.

NIS Directive Violation:
This constitutes a failure in supply chain risk management, something NIS2 explicitly addresses. A service provider should audit and safeguard third-party inclusions.

GDPR Violation:
If a compromised library includes malicious tracking, keylogging, or browser fingerprinting, the resulting data flow is unauthorized and outside of the informed consent scope — a violation of Articles 6, 7, 13, and 32.

Potential Fine:
Worst-case scenario: mass client-side data compromise — up to €20 million or 4% of revenue.

  4. Unsafe Cross-Domain Script Inclusion (ZAP Alert 10017)
Technical Summary: External scripts from jsdelivr.net, cdnjs.cloudflare.com, and cookieyes.com are included without sandboxing, SRI, or isolation.

Why This Is Dangerous:
Third-party JavaScript has near-total access to the DOM. If any of these domains are hijacked or poisoned through cache poisoning or CDN compromise, malicious payloads could affect every visitor.

NIS Directive Violation:
Violation of supply chain security provisions, especially regarding shared platforms or cloud services.

GDPR Violation:
Third-party JS can load tracking pixels, collect user input, or inject behavior-modifying code — triggering violations of Articles 5(1)(b) (purpose limitation), 13 (transparency), and 25 (privacy by design).

Potential Fine:
€10–15 million range, depending on whether DPIA was conducted or third-party consent is properly managed.

  5. Missing Strict-Transport-Security (HSTS) Header (ZAP Alert 10035)
Technical Summary: The server does not send the Strict-Transport-Security header, leaving room for downgrade attacks.

Why This Is Dangerous:
Without HSTS, the browser has no instruction to insist on HTTPS, so a user who types the address or follows a plain-HTTP link can be kept on HTTP by a man-in-the-middle on that first request, giving the attacker visibility into session cookies and transmitted data.

NIS Directive Violation:
Non-enforcement of secure protocols undermines availability and confidentiality, both NIS2 cornerstones.

GDPR Violation:
If an attacker exploits this to capture personally identifiable information (PII), that qualifies as a reportable breach under Articles 32–34.

Potential Fine:
Up to €10 million or 2% of turnover, depending on exploitability and user harm.
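All five findings above are conditions that can be read off a single captured response: two missing headers, cross-origin resources without an integrity attribute, and POST forms without a token field. The following Python audit is an added example (not code from the post, from ZAP, or from Resillion) that reports exactly those conditions over a constructed sample response. The sample headers and HTML, and the addition of WordPress’s _wpnonce to the field-name list, are assumptions of this example.

```python
"""Static audit of one captured HTTP response for the five conditions
discussed above: missing CSP / HSTS headers, cross-origin scripts and
stylesheets without Subresource Integrity, cross-domain script inclusion,
and POST forms without an anti-CSRF field. Added example, not ZAP code."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Field names named in the post, plus WordPress's own nonce field (assumed).
CSRF_FIELD_NAMES = {"csrf_token", "__RequestVerificationToken",
                    "OWASP_CSRFTOKEN", "_wpnonce"}


class _Collector(HTMLParser):
    """Collects forms (with their input names) and linked resources."""

    def __init__(self):
        super().__init__()
        self.forms = []       # dicts: {"id", "method", "inputs"}
        self.resources = []   # tuples: (kind, url, has_integrity)
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs}   # attribute value is None when absent
        if tag == "form":
            self._form = {"id": a.get("id") or "<no id>",
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a.get("name") or "")
        elif tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], "integrity" in a))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.resources.append(("stylesheet", a["href"], "integrity" in a))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(headers, html, page_url):
    """Return a list of (finding, detail) tuples for one response."""
    findings = []
    present = {k.lower() for k in headers}
    if "content-security-policy" not in present:
        findings.append(("missing-csp", "no Content-Security-Policy header"))
    if "strict-transport-security" not in present:
        findings.append(("missing-hsts", "no Strict-Transport-Security header"))

    parser = _Collector()
    parser.feed(html)
    site_host = urlsplit(page_url).hostname
    for kind, url, has_sri in parser.resources:
        host = urlsplit(url).hostname          # None for relative URLs
        cross_origin = host is not None and host != site_host
        if cross_origin and not has_sri:
            findings.append(("missing-sri", f"{kind} {url} has no integrity attribute"))
        if cross_origin and kind == "script":
            findings.append(("cross-domain-script", url))
    for form in parser.forms:
        # Only state-changing (POST) forms need a token; a GET search box does not.
        if form["method"] == "post" and not set(form["inputs"]) & CSRF_FIELD_NAMES:
            findings.append(("missing-csrf", f"form {form['id']} has no anti-CSRF field"))
    return findings


# Constructed sample response modelled on the post's findings (not a real capture).
SAMPLE_HEADERS = {"Server": "nginx", "Content-Type": "text/html; charset=UTF-8"}
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/example/dist/example.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/wp-includes/js/site.js"></script>
</head><body>
<form id="wpcf7-f252-o1" method="post" action="/contact/">
  <input type="text" name="your-name"><input type="email" name="your-email">
</form>
<form id="search" method="get" action="/"><input name="s"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_HEADERS, SAMPLE_HTML, "https://www.resillion.com/"):
        print(f"[{finding}] {detail}")
```

Run against a saved response body and its headers, the script prints one line per condition; a cross-origin script carrying an integrity attribute is still reported as cross-domain, because SRI pins the file but does not isolate it from the DOM, which is the distinction the post draws between findings 3 and 4.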

Summary: Legal Risk Table
| Vulnerability | NIS2 Breach | GDPR Breach | Fine Estimate |
|---|---|---|---|
| No CSRF Protection | Art. 14 — missing safeguards for state changes | Art. 25, 32 — unlawful data manipulation | €10M / 2% turnover |
| Missing CSP | Art. 14 — exposure to browser-level threats | Art. 32 — script injection leading to unauthorized processing | €10M / 2% turnover |
| No Subresource Integrity | Art. 14 — supply chain neglect | Art. 25, 32 — indirect data breach risk via third-party code | €20M / 4% turnover |
| Unsafe External Scripts | Art. 14 — attack surface expansion | Art. 6, 13, 25 — consent and profiling issues | €10–15M range |
| No HSTS | Art. 14 — protocol downgrade risk | Art. 32, 34 — exposure of personal data in transit | €10M / 2% turnover |

And finally, it took me just 10 minutes of my morning to uncover all of this.
And to the company’s leadership — if you genuinely want real cybersecurity professionals rather than bureaucrats stamping “approved” on checklists, then you’d better find €200,000–300,000 per year to hire them. Because with what you’re currently offering, you’ll attract all kinds of people — except those who actually understand the industry.

Resillion’s public messaging paints it as an elite digital security firm. Yet this brief analysis — performed with free, open-source tools like WPScan and ZAP — reveals fundamental oversights that no seasoned security team should miss.

Their public-facing website is demonstrably unprotected against common and well-documented attack vectors: CSRF, XSS, supply chain JS injection, and protocol downgrade. Critical headers are missing. External resources are loaded without integrity checks. Even form-level protections — often configured by default — are absent.
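The three gaps that paragraph names each have a small, well-understood fix. The block below is an added example, not Resillion’s, WordPress’s, or Contact Form 7’s code: framework-agnostic Python functions that issue and verify an HMAC-bound anti-CSRF token, compute the integrity attribute for a third-party file, and build the CSP and HSTS headers a hardened deployment would send. SECRET_KEY, the session ids, the nonce length, and the allow-listed CDN hosts in the policy are assumptions of the example.

```python
"""Server-side fixes for the three gaps named above (added example):
 - anti-CSRF token bound to the session and signed with HMAC-SHA256
 - Subresource Integrity attribute for a third-party script or stylesheet
 - CSP (with a per-response script nonce) and HSTS response headers
Plain functions so they can sit behind any web framework."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse-0123456789"
_MAC_LEN = 32          # SHA-256 digest size
_EXP_LEN = 8           # expiry stored as a big-endian 64-bit integer


def issue_csrf_token(session_id, now=None, ttl=3600):
    """Synchronizer-style token: base64url(expiry || HMAC(session_id:expiry)).
    Binding to the session id means a token stolen from another session is
    useless; the expiry bounds how long a leaked token stays valid."""
    exp = int(now if now is not None else time.time()) + ttl
    mac = hmac.new(SECRET_KEY, f"{session_id}:{exp}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(exp.to_bytes(_EXP_LEN, "big") + mac).decode()


def verify_csrf_token(token, session_id, now=None):
    """True only for an unexpired token issued for this session id.
    Comparison is constant-time so the MAC cannot be guessed byte by byte."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:                      # malformed base64 or padding
        return False
    if len(raw) != _EXP_LEN + _MAC_LEN:
        return False
    exp = int.from_bytes(raw[:_EXP_LEN], "big")
    if exp < int(now if now is not None else time.time()):
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{exp}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(raw[_EXP_LEN:], expected)


def sri_attribute(resource_bytes, algo="sha384"):
    """Value for integrity="...": <algo>-<base64 of the digest of the exact bytes served>."""
    digest = hashlib.new(algo, resource_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src, resource_bytes, nonce):
    """Cross-origin script pinned with SRI and allowed by the CSP nonce."""
    return (f'<script src="{src}" integrity="{sri_attribute(resource_bytes)}" '
            f'crossorigin="anonymous" nonce="{nonce}"></script>')


def new_nonce():
    """Fresh per-response nonce for the CSP script-src directive."""
    return secrets.token_urlsafe(16)


def hardened_headers(script_nonce):
    """Headers the post found missing. The CDN hosts in the policy are the ones the
    post lists (cdnjs, Google Fonts); the font file host is assumed."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; "
            f"script-src 'self' 'nonce-{script_nonce}' https://cdnjs.cloudflare.com; "
            "style-src 'self' https://fonts.googleapis.com; "
            "font-src 'self' https://fonts.gstatic.com; "   # assumed host for font files
            "object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
        ),
        # One year, all subdomains, eligible for the browser preload list.
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    token = issue_csrf_token("session-abc")
    print("token valid for its session:", verify_csrf_token(token, "session-abc"))
    print("token valid for another session:", verify_csrf_token(token, "session-xyz"))
    print(script_tag("https://cdnjs.cloudflare.com/example.js", b"console.log('hi')", new_nonce()))
    for name, value in hardened_headers(new_nonce()).items():
        print(f"{name}: {value}")
```

The token is emitted as a hidden field in every POST form and checked before the handler runs; the SRI value must be recomputed whenever the pinned file changes, which is exactly the supply-chain control the post says is absent.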

So the question writes itself: how can a company like Resillion credibly offer cybersecurity services to clients, if it cannot even perform a basic fast check or monitoring of its own infrastructure?

(And yes, this question is rhetorical.)
