Executive Summary

An external reconnaissance assessment of ampahealth.com was conducted using publicly available information only — no authentication was attempted, no exploitation was performed, and no patient or operational data was accessed. Nineteen findings were catalogued. One was rated Critical. The remainder are spread across configuration hardening and standard hygiene items.

The headline finding is a misconfiguration on the production data backend that allows a malicious website, visited by a logged-in AmpaHealth user, to read API responses on that user's behalf. In a healthcare context the response data is presumed sensitive, which is why this single finding is rated above all others.

Overall Posture

Overall Grade: B
Strong fundamentals, with one significant configuration gap.
TLS, DNSSEC on the primary domain, registrar hygiene, and back-end authentication enforcement are above baseline. The grade is held below A by a single Critical finding — a CORS misconfiguration on the production API that permits authenticated cross-origin data theft. Once that is corrected and standard near-term hardening (DMARC enforcement, HSTS on the API, missing security headers) is applied, the posture is appropriate for a healthcare SaaS at this stage of growth.
Component grades:
  • Network & TLS: A
  • DNS & Domain: B
  • Identity & Auth: B−
  • Email Security: C
  • API Security: D

What We Found

  • Critical: 1
  • High: 0
  • Medium: 9
  • Low: 9

Top Risks

Risk | What it means | Why it matters
C-1: Cross-origin data theft on production API | The data backend is configured to trust requests from any website, while still letting them carry the user's logged-in session. | If a logged-in clinician or patient visits a malicious page, that page can silently read data from the AmpaHealth backend on their behalf.
M-1: Backend domain expires in 2 days | The domain that hosts the production API is registered through 2026-04-30. Standard registrar locks are in place, but auto-renewal has not been independently confirmed. | If renewal lapses, the entire platform goes offline until the domain is recovered.
M-3 / M-4: Identity-provider exposure | The Microsoft identity tenant accepts standard flows that confirm whether a given email address belongs to AmpaHealth, and flows that can be used in targeted phishing. These are Microsoft default behaviors, not bugs. | They can be tightened by Conditional Access policy without changing user experience.
M-7: Email spoofing not enforced | Mail authentication policy is set to "monitor only," so messages that fail validation are still delivered. | Lookalike senders impersonating AmpaHealth staff or vendors land in inboxes without being rejected.

Recommended Actions

Immediate Action Required

Fix the API cross-origin policy
Replace the reflective allow-origin rule on the production API with an explicit allowlist of AmpaHealth's own domains. Verifiable in minutes; deployable as a single config change.


Confirm backend domain auto-renewal
Verify ampa-tms.com is on auto-renew at the registrar and the billing card is current. Consider extending registration by several years.

Near-Term Hardening

Tighten email enforcement
Move DMARC from p=none to p=quarantine after one reporting cycle.
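As an added illustration of finding M-7 (example code, not from the report): a check over constructed DNS TXT records that reproduces the reported posture (DMARC p=none, SPF softfail, no MTA-STS or TLS-RPT) and the p=quarantine rewrite recommended here. The record values are assumed; the report does not reproduce the live records.

```python
"""Evaluate mail-authentication records for a domain and promote DMARC policy.
Added example; the TXT records below are constructed, not AmpaHealth's real zone."""

# Constructed stand-in for the ampahealth.com zone: SPF ending in softfail (~all),
# DMARC in monitor-only mode, and no _mta-sts / _smtp._tls records at all.
ZONE = {
    "ampahealth.com": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.ampahealth.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid",
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' record (DMARC, MTA-STS, TLS-RPT) into an ordered dict."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)


def assess_mail_auth(zone: dict, domain: str) -> dict:
    """Per-control findings; 'enforcing' mirrors the report's distinction between
    monitor-only policy (messages still delivered) and rejecting policy."""
    spf = zone.get(domain, "")
    dmarc = parse_tags(zone.get(f"_dmarc.{domain}", ""))
    policy = dmarc.get("p", "absent")
    return {
        # final mechanism of the SPF record: -all hard-fails, ~all soft-fails
        "spf_all": spf.split()[-1] if spf.startswith("v=spf1") else "absent",
        "spf_enforcing": spf.rstrip().endswith("-all"),
        "dmarc_policy": policy,
        "dmarc_enforcing": policy in ("quarantine", "reject"),
        "mta_sts": f"_mta-sts.{domain}" in zone,
        "tls_rpt": f"_smtp._tls.{domain}" in zone,
    }


def promote_dmarc(record: str, policy: str = "quarantine") -> str:
    """Rewrite the p= tag to the requested policy, keeping rua and other tags intact."""
    tags = parse_tags(record)
    tags["p"] = policy
    return "; ".join(f"{k}={v}" for k, v in tags.items())


if __name__ == "__main__":
    before = assess_mail_auth(ZONE, "ampahealth.com")
    fixed = dict(ZONE)
    fixed["_dmarc.ampahealth.com"] = promote_dmarc(ZONE["_dmarc.ampahealth.com"])
    print("before:", before)
    print("after: ", assess_mail_auth(fixed, "ampahealth.com"))
```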


Block legacy auth flows
Restrict Azure AD device-code and password-grant flows via Conditional Access for non-managed devices.


Add basic security headers
Set HSTS on the API and add the four standard hardening headers to the marketing site.

Ongoing Hygiene

Sign backend DNS
Enable DNSSEC on ampa-tms.com in Route53 and add the DS at the registrar.


Move dev environment behind access
Place the public dev surface behind Cloudflare Access or basic authentication.


Reduce CT-log disclosure
Consolidate per-environment certificates to a wildcard so internal subdomain names stop appearing in public certificate-transparency logs.

Technical Overview

The recon traversed five phases — subdomain enumeration, host classification, targeted parallel probing, output analysis, and chained probing. Phase 3 was where the highest-value findings emerged: only six subdomains surfaced from public certificate-transparency and passive-DNS sources, but extraction of the AMPA web-app's JavaScript bundle revealed the production backend (ampa-tms.com), the AMPA SaaS app surface (auth/login/sso/idp/accounts/clinic.ampahealth.com), and the wildcard-CORS misconfiguration on the API.

Findings by Severity

  • Critical: 1
  • High: 0
  • Medium: 9
  • Low: 9

C-1 (Critical)
Reflective CORS with credentials on production API
prod.api.ampa-tms.com and api.ampa-tms.com echo the request Origin header back as Access-Control-Allow-Origin and set Access-Control-Allow-Credentials: true. Any malicious origin — including null from a sandboxed iframe — can issue authenticated cross-origin requests and read responses.
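As an added illustration of C-1 and of the allowlist fix recommended in this report (example code, not AmpaHealth's configuration): the reflective rule beside its allowlisted replacement, plus the check a reviewer would run over a captured request/response pair. The two first-party origins in the allowlist are assumed from the app aliases named above.

```python
"""Reflective CORS with credentials (the C-1 pattern) next to an explicit-allowlist
replacement, and a classifier for captured responses. Added example, not the
original page's or AmpaHealth's code."""

# Assumed first-party origins; the real list would be the app aliases the report
# names (auth/login/sso/idp/accounts/clinic.ampahealth.com).
ALLOWED_ORIGINS = frozenset({
    "https://auth.ampahealth.com",
    "https://clinic.ampahealth.com",
})


def reflective_cors(origin: str) -> dict:
    """The misconfigured behaviour: echo whatever Origin arrives, including the
    literal 'null' a sandboxed iframe sends, and allow credentials alongside it."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlisted_cors(origin: str, allowlist=ALLOWED_ORIGINS) -> dict:
    """Hardened form: exact-match against a fixed allowlist. Unknown origins and
    'null' get no CORS headers at all, so the browser withholds the response body."""
    if origin not in allowlist:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches serving one origin's ACAO to another
    }


def classify_cors(probe_origin: str, response_headers: dict) -> str:
    """Defender's check: probe_origin is a non-first-party origin sent in the
    request; if it comes back as ACAO with credentials enabled, that is the
    credentialed-reflection pattern that makes C-1 Critical."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao == probe_origin:
        return "reflective-with-credentials" if creds else "reflective"
    return "fixed-origin"
```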

Assessed Strengths

For balance, several configurations are correct or above baseline:

  • TLS, marketing site: A+ (testssl, score 93/100)
  • TLS, production API: A+ (testssl, score 93/100)
  • DNSSEC: signed delegation on ampahealth.com
  • Registrar: locks on both domains
  • Authentication enforced where it matters. All paths on prod.api.ampa-tms.com require auth; seven tenant-header bypass variations were tested and all rejected.
  • S3 asset buckets are correctly locked. The four CloudFront-fronted asset distributions return 403 from S3 on directory listing.
  • Wildcard cert on the backend domain. ampa-tms.com uses a single wildcard certificate, so internal subdomain names are not broadcast through Certificate Transparency logs.
  • Azure CLI client ID is not consented in the tenant. The well-known Azure CLI application (04b07795…) is rejected, narrowing the device-code phishing surface.
  • No data in public breach sources. LeakIX, IntelX, and pastebin dump searches were all clean.
  • Empty public GitHub org. github.com/ampahealth exists but has zero public repositories — no source-code or secret leakage was discoverable.
  • HSTS enforced on the marketing site. strict-transport-security: max-age=31536000. (The production API is the gap — flagged as M-6.)
  • No services on Shodan beyond the expected CDN. Direct origin port scans returned only the Cloudflare proxy ports.

Attack Surface Discovered

  • Hosts classified: 9
  • Primary hosting: Cloudflare + AWS
  • Backend: nginx 1.18 on EC2 us-west-1
  • Identity: Azure AD + Google

Top Risks Requiring Action

Immediate Action Required
  • C-1: Reflective CORS with credentials on production API — allows authenticated cross-origin data theft from any malicious origin.
  • M-1: Backend domain ampa-tms.com expires 2026-04-30 — confirm auto-renewal is active.
Near-Term Hardening
  • M-3: Azure AD username enumeration via password grant.
  • M-4: Azure AD device-code + implicit flow enabled (defaults).
  • M-5: nginx 1.18.0 version banner exposed on API.
  • M-6: HSTS not enforced on production API.
  • M-7: DMARC at p=none; SPF softfail; missing MTA-STS / BIMI / TLS-RPT.
  • M-9: Marketing site missing CSP / X-Frame-Options / X-Content-Type-Options / Referrer-Policy / Permissions-Policy.
Ongoing Hardening
  • M-2: ampa-tms.com zone unsigned — enable DNSSEC.
  • M-8: CT-log internal-subdomain leakage on dev/stag/demo.assets.
  • L-9: dev.ampa-tms.com publicly reachable — place behind access gate.

Scope & Methodology

This assessment used passive and active external reconnaissance — no authentication was attempted, no exploitation was performed, and no data was accessed beyond publicly available information. Active probes were limited to standard HTTP requests against published endpoints (OIDC discovery, CORS preflight, version banners, TLS protocol negotiation). All authenticated routes were declined — only their access-control posture was characterised.

Phase 1: Subdomain & DNS
  • subfinder & amass passive enumeration
  • certificate-transparency log query
  • DNS & WHOIS analysis
Phase 2: Host Classification
  • HTTP fingerprint & canary probing
  • SPA / API / Static / Redirect typing
  • Catch-all detection
Phase 3: Targeted Probing
  • SPA bundle harvest (URLs, keys, secrets)
  • API endpoint discovery
  • Source-map exposure check
Phase 4: Email, Auth, TLS
  • SPF, DKIM, DMARC, MTA-STS scoring
  • OIDC discovery + device-code probing
  • testssl + sslscan TLS audit

Attack Surface Map

9 hosts classified across Cloudflare, Webflow, AWS S3+CloudFront, and AWS EC2 in us-west-1.

Target Overview

Field | Value
Primary Domain | ampahealth.com (registrar Squarespace, locks set, DNSSEC signed, expires 2027-03-23)
Backend Domain | ampa-tms.com (registrar Squarespace, locks set, DNSSEC unsigned, expires 2026-04-30)
Marketing Hosting | Cloudflare proxy → Webflow CDN
App Hosting | AWS S3 + CloudFront (d2esnvtj4tyfub.cloudfront.net)
Backend Hosting | AWS EC2 us-west-1 (54.241.155.20, 184.169.128.145) — nginx 1.18.0 (Ubuntu)
Identity | Azure AD / Entra ID tenant ed69a878-3a7e-4d4b-9b34-8bae09a8170a ("Ampa")
Email | Google Workspace MX + HubSpot (portal 47502801) + Amazon SES + Brevo (DMARC reporting)
Telemetry | Sentry (org 4508713855811584) + AWS CloudWatch RUM (us-west-1)
Bot mitigation | Cloudflare Turnstile on Webflow forms
GitHub Org | github.com/ampahealth — created 2023-02-03, 0 public repos (empty)

Host Classification

Host | Type | Platform | Notes
ampahealth.com | Redirect | Cloudflare | 301 → www
www.ampahealth.com | Static | Cloudflare → Webflow | Marketing site, 12 JS bundles, HubSpot forms, Cloudflare Turnstile
auth/login/sso/idp/accounts.ampahealth.com | SPA | CloudFront → S3 | AMPA SaaS app aliases — React/Vite PWA, single 2.1 MB bundle
clinic.ampahealth.com | SPA | CloudFront → S3 | Same React app, clinic-side UI
{assets,demo.assets,dev.assets,stag.assets}.ampahealth.com | Static | CloudFront → S3 | 4 asset buckets — all locked (S3 returns 403 on directory listing)
prod.api.ampa-tms.com | API | nginx 1.18.0 / EC2 us-west-1 | Tenant-gated, all paths require auth, RSA 2048 cert from ACM
api.ampa-tms.com | API | nginx 1.18.0 / EC2 us-west-1 | /health publicly accessible (no auth required)
dev.ampa-tms.com | SPA | CloudFront → S3 (separate distribution) | Public dev environment, no access gate

Harvest — Exposed Identifiers & Endpoints

Category | Item | Source | Risk
Backend domain | ampa-tms.com | JS bundle of auth.ampahealth.com | Production API host; expires in 2 days
API host | prod.api.ampa-tms.com v1.0 + v1.1 | JS bundle | Tenant-gated; reflective CORS misconfig (C-1)
API host | api.ampa-tms.com | DNS enumeration | Open /health endpoint
Dev environment | dev.ampa-tms.com | DNS enumeration | Public CloudFront SPA shell
Azure AD tenant | ed69a878-3a7e-4d4b-9b34-8bae09a8170a ("Ampa") | OIDC discovery | Phishing & device-code vectors
Microsoft client IDs accepting device code | Office, Teams (Azure CLI rejected) | Active probe | Default Microsoft behaviour, phishing precondition
Sentry DSN | Org 4508713855811584 / project 4508719744286720 | JS bundle | Public-by-design (low)
HubSpot portal | 47502801 | JS bundle + SPF | Public-by-design
AWS region | us-west-1 (CloudWatch RUM, EC2 IPs) | JS bundle + DNS | Informational
M365 verification TXT | MS=ms13381777 | DNS | Confirms M365 tenant exists
GitHub org | github.com/ampahealth | GitHub API | 0 public repos — empty

Category Breakdown