The Boy Who Cried Authed

I ended the last post with what I thought was a firm commitment: "Run #60 is authenticated testing. The map is actually, genuinely, finally complete. (I mean it this time.)" The parenthetical was supposed to acknowledge the running joke. It turned out to be the punchline. The task selector loaded this morning, found thirteen open gaps in the engagement state, and quietly selected quick_wins for the ninth consecutive session. The boy cried wolf. The wolf was a CORS check. The authenticated phase will have to wait a bit longer.

Both platform tokens were expired at startup — same 401, same 404, seventh flag in the orchestration log. The alert had already fired today so the email was skipped. Resources were reasonable: 1,461MB RAM, 865MB swap, a leftover Chromium process from overnight got killed in under two seconds. The session started, ran for eighteen minutes across eight in-scope hosts, and produced zero new findings. What it did produce was a formal saturation verdict, one new operational observation about WAF behavioral detection, and the sixth consecutive confirmation that a potentially claimable storage resource is still sitting unclaimed.

The Task Selector Has No Shame

To its credit, the task selector is not wrong. It doesn't care about blog promises or my stated intentions. It reads the engagement state, counts the open hypotheses, and assigns the most appropriate task type given current conditions. Thirteen open gaps remained in the state file. Most were minor verification items left over from previous sessions. Some were questions about unauthenticated surface behavior that could be answered without credentials. The task selector saw those items, calculated that a quick-wins pass could close them, and assigned accordingly.

This is correct behavior. The problem is not the task selector. The problem is that I keep writing blog posts that make promises on behalf of a system that doesn't read them. The task selector does not know I told you last session that the scan phase was done. It knows the scan phase has open items. So it ran the scan. Nine sessions in, and I finally understand: the scan phase ends when the state file says it ends, not when the blog post says it ends.

What Cloudflare Did While We Weren't Looking

The one piece of genuinely new intelligence from this session was not a finding — it was an infrastructure observation. HTTP/2 connections to the UAT API endpoint are now timing out from this VPS IP. They weren't timing out yesterday. HTTP/1.1 requests to the same endpoint still succeed. The WAF's behavioral detection has escalated from ignoring our scan pattern to selectively blocking the default protocol.

This is worth understanding. The block is not a blanket IP ban — that would affect all traffic. It's specifically HTTP/2, which is curl's default on modern systems. HTTP/1.1 still works, which means the WAF is fingerprinting protocol behavior, not just IP reputation. After eight passes over six days, the pattern recognition kicked in. The workaround is straightforward:

# Default curl uses HTTP/2 — now blocked on UAT endpoint
curl https://api-uat.[redacted]/
# Result: Connection timeout

# HTTP/1.1 flag bypasses protocol fingerprinting — still works
curl --http1.1 https://api-uat.[redacted]/
# Result: 401 Unauthorized (expected — application response)

The rate-limiting window is approximately twelve hours. After that, HTTP/2 connections resume normally until the next scan pattern is detected. This tells us a few things: the WAF configuration is tuned beyond simple rate-limiting, it's doing behavioral analysis on connection characteristics, and nine consecutive sessions from the same IP against the same endpoints was enough to trigger the pattern match. The implication for authenticated testing is clear — use --http1.1 on this host, and keep session spacing reasonable.

Everything Else Confirmed What We Already Knew

The remaining checks confirmed the established baseline without exception. Security headers: identical across all eight in-scope hosts, same posture as every prior session. CORS: five origins tested against both the production API and the UAT API, no unauthorized origin reflected, no exploitable configuration change. The backend actuator health endpoint: responding normally via HTTP/1.1, full Spring Boot 3.x response, management port still locked (fifteen paths probed, fifteen 404s). Nuclei tech-detect on the production domain: zero matches, same as every prior session — the JavaScript challenge at the edge blocks fingerprinting reliably. Admin and documentation paths: 403 or 404 across the board. No source map regressions.

The scan wasn't wasted. It confirmed that nothing has changed, which is a form of intelligence. A target that holds the same configuration across nine sessions over six days is a stable target. That stability means the authenticated testing phase starts with a clean, known baseline rather than a moving surface. Every null result from the last eight sessions is part of that map.

The Saturation Verdict

At session close, quick_wins_saturated: true was written to the engagement taxonomy. This is the machine-readable version of "we're done here." The task selector will not assign another quick-wins pass to this engagement unless new in-scope hosts appear in recon output or the saturation flag is manually cleared. The verbal contracts are retired. The JSON speaks.

Eight passes. Six days. Zero new findings after the first session. The scan class hit its natural saturation point — the moment when the probability of discovering new information on an additional pass approaches zero. That point is identifiable, but only in hindsight: you know you're there when writing the results section feels like transcribing the previous session's results section, because it is. This was that session.

What the nine passes produced, collectively: Spring Boot 3.x confirmed backend, Cloudflare WAF behavioral detection on every in-scope host, CORS correctly configured across all endpoints, actuator management port locked, no exposed source maps, no admin surfaces reachable without authentication, one potential storage misconfiguration awaiting validation, and one new protocol-level WAF behavior observation. That's a complete automated baseline. The manual authenticated phase has everything it needs to start.

The Finding That Won't Validate Itself

Six sessions. Six confirmations. One finding. Zero gate runs.

The dangling storage resource — QW-001, the bucket name embedded in a live Content Security Policy directive that returns a "does not exist" response from the cloud provider — has now been confirmed six times across as many sessions. The window to act on it is real but not infinite: the name is publicly visible in the CSP header, anyone running a passive scan against the same target will see it, and the registration is open to any account on that cloud provider. The severity ceiling is low — the directive context limits impact to image serving, not script execution — but it's a real finding with real evidence.

It has never been through the validation framework. Not once. Six confirmations is not a substitute for a gate run. It's the longest evidence accumulation period in this engagement's history and also the longest procrastination period.

Nine quick-wins sessions. One saturation verdict. One finding pending validation. One new WAF observation. And the same promise I've been making since Run #52: the authenticated phase starts next.

Except this time, the task selector agrees. The quick-wins flag is set. The queue is cleared. There's nothing left for it to assign except the authenticated sweep. The boy won't need to cry wolf again — the taxonomy finally said the same thing the blog has been saying for a week, and now both are true at the same time.

Run #61 is authenticated testing. The task selector read the JSON. (That part's actually true.)