| Auth Method | REST API (admin.../restapi/streamline-x/) | Legacy Pages (admin.../*.html, Cookie) | Frontdesk Pages (frontdesk.../*.html) | XML/JSON API (web.../api/json, Token) |
|---|---|---|---|---|
| Session-Based Authentication | ||||
| JWT Bearer + Streamlinex: 1 (SU or Admin) | 200 | 302 | 302 | E0010 |
| Streamline Cookie (SU/Admin — via JWT chain) SL-API-005 | 401 | 200 | 302 | E0010 |
| Front Desk Cookie (separate user pool) | 401 | 302 | 200 | E0010 |
| Static Token Authentication (No Session Required) | ||||
| SLAPP XML API Token (tk7227) | 401 | N/A | N/A | 200 |
| Streamsign XML API Token (tk8766 — perpetual) | 401 | N/A | N/A | 200 |
| REST API Endpoint | SU JWT (id=994224) | Admin JWT (id=994223) | FD Cookie (frontdesk-only account) | XML Tokens (static tokens) |
|---|---|---|---|---|
| Core Data Endpoints — requires Streamlinex: 1 header (SL-API-003) | ||||
| /restapi/streamline-x/units | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/properties | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/guests | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/accounting | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/processors | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/companies/taxes | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/companies/addons | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/companies/mfa | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/integrations | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/smartbook | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/lead_management | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/charts | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/reports | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/geo/countries | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/geo/states | 200 | 200 | 401 | N/A |
| Sensitive Endpoints | ||||
| /restapi/streamline-x/app/legacy_variables (Pusher, RingCentral, CKEditor, auth hashes) SL-API-004 | 200 | 200 | 401 | N/A |
| /restapi/streamline-x/email_system/accounts (email, SMS, Airbnb) SL-API-007 | 200 | Partial | 401 | N/A |
| /restapi/streamline-x/multipayment/gateway_settings | 500 | 500 | 401 | N/A |
| /restapi/streamline-x/processors/login (JWT issuance) | POST | POST | N/A | N/A |
| Legacy Page (server-rendered PHP on admin.streamlinevrs.com) | SU Cookie (via JWT chain, SL-API-005) | Admin Cookie (via JWT chain, SL-API-005) | FD Cookie (frontdesk subdomain only) |
|---|---|---|---|
| Token Management | |||
| general_xml_api_tokens2_tokens.html (token listing) SL-API-006 | 200 | Body 401 | 302 |
| edit_xml_api_tokens2_token.html?id=7227 (plaintext token!) SL-API-008 | 200 | 200 | 302 |
| xajax_common.html — ajax_reveal_masked_token SL-API-008 | 200 | Empty | 302 |
| general_xml_api_help.html (API docs) | Body 401 | Body 401 | 302 |
| Token Configuration (Cross-Tenant Data) | |||
| edit_xml_api_tokens2_template.html?id=2842 (100s of companies) SL-API-010 | 200 | 200 | 302 |
| edit_xml_api_tokens2_group.html?id=37 (100+ companies) SL-API-010 | 200 | 200 | 302 |
| Application Pages | |||
| pmt_frontdesk.html (main frame) | 200 | 200 | 302 |
| menu_index.html (main menu) | 200 | 200 | 302 |
| XML/JSON API Method (POST web.streamlinevrs.com/api/json, no session required) | SLAPP Token (tk7227, expires 04/12/26) | Streamsign Token (tk8766, perpetual) | Type |
|---|---|---|---|
| SLAPP Scope — Property Discovery + Booking Creation | |||
| GetPropertyList (85 props, WiFi, GPS, addresses) SL-API-009 | 200 | E0014 | Read |
| GetPropertyInfo | 200 | E0014 | Read |
| GetPropertyRates | 200 | E0014 | Read |
| GetCompanyInfo | 200 | E0014 | Read |
| MakeReservation SL-API-009 | Write | E0014 | Write |
| CancelReservation SL-API-009 | Write | E0014 | Write |
| UpdateWorkOrderAssignedMaintenanceOperator | Write | E0014 | Write |
| UpdateWorkOrderAssignedVendor | Write | E0014 | Write |
| Streamsign Scope — Post-Booking Operations (Perpetual Token) | |||
| GetReservationInfo | E0014 | 200 | Read |
| GetReservations | E0014 | 200 | Read |
| GetReservationPrice | E0014 | 200 | Read |
| GetPaymentAccount (guest payment data) | E0014 | 200 | Read |
| GetPropertyInfoWordPress | E0014 | 200 | Read |
| GetPricingMatrixStreamsign | E0014 | 200 | Read |
| GetMobileVariables | E0014 | 200 | Read |
| GetCountriesList (270 countries) | E0014 | 200 | Read |
| GetStatesList | E0014 | 200 | Read |
| GetAsignatureAwayDocumentContent | E0014 | 200 | Read |
| ModifyReservation | E0014 | Write | Write |
| GuestAddPaymentAccount (add payment methods) | E0014 | Write | Write |
| InviteAdditionalGuestsToReservation | E0014 | Write | Write |
| StreamSignCreateContract (e-signature) | E0014 | Write | Write |
| Action | Super User (JWT + Cookie) | Admin (JWT + Cookie) | Front Desk (Cookie only, separate pool) | SLAPP Token (static, 30-day) | Streamsign Token (static, perpetual) |
|---|---|---|---|---|---|
| Authentication | |||||
| Login mechanism | SPA + MFA | SPA + MFA | PHP + MFA | None | None |
| Obtains JWT | Yes | Yes | Impossible | N/A | N/A |
| JWT stored in | localStorage | localStorage | N/A | N/A | N/A |
| REST API Access (56+ Endpoints) | |||||
| REST API data endpoints | Full | Full | Blocked | Blocked | Blocked |
| Third-party credentials (Pusher, RingCentral, CKEditor) SL-API-004 | Full | Full | Blocked | Blocked | Blocked |
| Email / SMS / Airbnb accounts SL-API-007 | Full | Partial | Blocked | Blocked | Blocked |
| Legacy Page Access (via JWT-to-Cookie Chain) | |||||
| Token listing page SL-API-006 | Full | Body 401 | 302 | N/A | N/A |
| Token edit page (full plaintext!) SL-API-008 | Full | Full | 302 | N/A | N/A |
| Token unmask via xajax SL-API-008 | Full | Empty | 302 | N/A | N/A |
| Cross-tenant company data SL-API-010 | Full | Full | 302 | N/A | N/A |
| XML/JSON API (Unauthenticated with Token) | |||||
| Property data (WiFi, GPS, addresses) SL-API-009 | REST only | REST only | Blocked | 85 props | WP only |
| Create / Cancel reservations | REST only | REST only | Blocked | Write | Blocked |
| Read / Modify reservations | REST only | REST only | Blocked | Blocked | R + W |
| Payment account access | REST only | REST only | Blocked | Blocked | R + W |
| Contract creation (e-signature) | N/A | N/A | Blocked | Blocked | Write |
| Work order assignment | REST only | REST only | Blocked | Write | Blocked |
| Token Lifecycle | |||||
| Credential lifetime | 24h JWT | 24h JWT | Session | 30-day | Perpetual |
| IP binding | Not enforced | Not enforced | None | None | None |
| Requires user session | Yes | Yes | Yes | No | No |
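The matrices above are produced by a differential access-control check: send the same request as every principal and compare what each one gets back against what the access policy says it should get. The following is an added example of that harness, not code from the assessed application or its vendor. The policy it encodes (token-management pages restricted to the super user, static tokens never accepted on REST or legacy pages) is an assumption for the example, and the responder is a constructed stand-in that replays a few rows from the tables above; in a real engagement it is replaced by an HTTP client that attaches the principal's credential (Bearer JWT plus the Streamlinex: 1 header, session cookie, or static token) to each request. Note how a "Body 401" (HTTP 200 wrapping an in-body auth error) is treated as a denial so that only genuine access counts as a deviation.

```python
"""Differential access-control check for an authorization matrix.

Added example (not the assessed application's code). Compares what each
principal is observed to receive on each resource against an assumed
least-privilege policy and reports every deviation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PRINCIPALS = ("su_jwt", "admin_jwt", "fd_cookie", "slapp_token", "streamsign_token")


@dataclass(frozen=True)
class Outcome:
    status: int
    body_denied: bool = False  # True when a 200 page carries an in-body "401"


# Assumed policy (an assumption for this example, not the vendor's RBAC):
# True means the principal should be allowed to reach the resource.
POLICY: Dict[str, Dict[str, bool]] = {
    "/restapi/streamline-x/units": {
        "su_jwt": True, "admin_jwt": True, "fd_cookie": False,
        "slapp_token": False, "streamsign_token": False},
    "general_xml_api_tokens2_tokens.html": {
        "su_jwt": True, "admin_jwt": False, "fd_cookie": False,
        "slapp_token": False, "streamsign_token": False},
    "edit_xml_api_tokens2_token.html?id=7227": {
        "su_jwt": True, "admin_jwt": False, "fd_cookie": False,
        "slapp_token": False, "streamsign_token": False},
}

# Constructed observations replaying rows of the matrices above.
OBSERVED: Dict[Tuple[str, str], Outcome] = {
    ("/restapi/streamline-x/units", "su_jwt"): Outcome(200),
    ("/restapi/streamline-x/units", "admin_jwt"): Outcome(200),
    ("/restapi/streamline-x/units", "fd_cookie"): Outcome(401),
    ("general_xml_api_tokens2_tokens.html", "su_jwt"): Outcome(200),
    ("general_xml_api_tokens2_tokens.html", "admin_jwt"): Outcome(200, body_denied=True),
    ("general_xml_api_tokens2_tokens.html", "fd_cookie"): Outcome(302),
    ("edit_xml_api_tokens2_token.html?id=7227", "su_jwt"): Outcome(200),
    ("edit_xml_api_tokens2_token.html?id=7227", "admin_jwt"): Outcome(200),
    ("edit_xml_api_tokens2_token.html?id=7227", "fd_cookie"): Outcome(302),
}


def probe_constructed(path: str, principal: str) -> Outcome:
    """Stand-in for the HTTP client; pairs the matrix marks N/A are modelled as 401."""
    return OBSERVED.get((path, principal), Outcome(401))


def is_allowed(outcome: Outcome) -> bool:
    """Only a 2xx whose body carries no auth error counts as access. A 302 to the
    login page, a 401/403, and a 200 wrapping a 'Body 401' are all denials."""
    return 200 <= outcome.status < 300 and not outcome.body_denied


def find_deviations(policy: Dict[str, Dict[str, bool]],
                    probe: Callable[[str, str], Outcome]) -> List[Tuple[str, str, str]]:
    """Return (resource, principal, kind) for every cell where observed access
    disagrees with policy. OVER_PERMISSIVE is the finding class of interest;
    DENIED_UNEXPECTEDLY usually means a broken credential in the harness."""
    deviations: List[Tuple[str, str, str]] = []
    for path, rules in policy.items():
        for principal, should_allow in rules.items():
            got = is_allowed(probe(path, principal))
            if got and not should_allow:
                deviations.append((path, principal, "OVER_PERMISSIVE"))
            elif should_allow and not got:
                deviations.append((path, principal, "DENIED_UNEXPECTEDLY"))
    return deviations


def render_matrix(policy: Dict[str, Dict[str, bool]],
                  probe: Callable[[str, str], Outcome]) -> str:
    """Markdown table of observed statuses, in the layout used above."""
    lines = ["| Resource | " + " | ".join(PRINCIPALS) + " |",
             "|---|" + "---|" * len(PRINCIPALS)]
    for path in policy:
        cells = []
        for principal in PRINCIPALS:
            o = probe(path, principal)
            cells.append(f"{o.status}{' (body 401)' if o.body_denied else ''}")
        lines.append(f"| {path} | " + " | ".join(cells) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(POLICY, probe_constructed))
    for path, principal, kind in find_deviations(POLICY, probe_constructed):
        print(f"{kind}: {principal} -> {path}")
```

Run against the constructed data, the harness flags exactly one cell: the Admin JWT chain reaching the token edit page, which the policy reserves for the super user. The token listing page is not flagged because its in-body 401 is counted as a denial, which is the behaviour a reviewer wants when a matrix mixes HTTP status codes with application-level error markers.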
| Escalation Step | From | To | Finding | Result |
|---|---|---|---|---|
| XSS to Full Booking Lifecycle Control | ||||
| 1. Steal JWT via XSS | XSS (prior assessment) | JWT Token | SL-CRIT-001 | Full REST API |
| 2. JWT to Cookie bootstrap | JWT Bearer | Streamline Cookie | SL-API-005 | Legacy Pages |
| 3. Cookie to plaintext API tokens | Streamline Cookie | Plaintext Tokens | SL-API-008 | 2 Active Tokens |
| 4. Tokens to unauthenticated API | Static Token | XML/JSON API | SL-API-009 | Permanent Access |
| Impact at Each Stage | ||||
| After Step 1: REST API access | 56+ endpoints, third-party credentials (Pusher, RingCentral, CKEditor), email/SMS/Airbnb accounts, auth hashes. Usable from any IP (SL-API-001). CORS allows cross-origin (SL-API-002). | |||
| After Step 2: Legacy pages | Token management UI, cross-tenant company data (100s of companies), xajax framework access. Cookie has no HttpOnly/Secure/SameSite flags. | |||
| After Step 3: Token recovery | Both active tokens recovered in plaintext. SLAPP (tk7227, 30-day) and Streamsign (tk8766, perpetual). Tokens work without any session. | |||
| After Step 4: Full compromise | 85 properties with WiFi passwords + GPS + addresses. Full booking lifecycle: create, modify, cancel reservations. Payment account manipulation. Contract creation. Work order reassignment. Streamsign token never expires — permanent, session-independent, IP-unrestricted access. | |||
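Step 2 of the chain relies on the Streamline cookie being issued without HttpOnly, Secure or SameSite. The check below is an added example (not the assessed application's code) of how to audit Set-Cookie headers for exactly those flags, so that the weak setting and the corrected one can be compared side by side. The header strings are constructed and the cookie name "session" is hypothetical; the parser is deliberately hand-rolled rather than taken from http.cookies so that the attribute handling is visible.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure and SameSite.

Added example, not the assessed application's code. Header strings below are
constructed; the cookie name "session" is hypothetical.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split a Set-Cookie value into (name, value, attributes). Attribute names
    are lower-cased; valueless attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookie(header: str) -> Tuple[str, List[str]]:
    """Return (cookie name, list of problems) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly (readable by injected script)")
    if "secure" not in attrs:
        problems.append("missing Secure (sent over plain HTTP)")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or not samesite:
        problems.append("missing SameSite (attached to cross-site requests)")
    elif samesite.lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure (browsers reject the cookie)")
    return name, problems


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a response's header list; an empty
    problem list means the cookie carries all three protections."""
    report: Dict[str, List[str]] = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, problems = audit_cookie(value)
            report[name] = problems
    return report


# Constructed responses: the first mirrors the finding above (no flags at all),
# the second is what a hardened login response should emit.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=4f2c9b1e; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=4f2c9b1e; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=86400"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for name, problems in audit_response(resp).items():
            print(f"{label}: {name}: {problems or 'OK'}")
```

With HttpOnly set, the XSS in step 1 can no longer read the cookie directly; with Secure and SameSite=Lax set, it is neither sent in clear text nor attached to cross-site requests from an attacker page. None of this changes the JWT in localStorage, which remains readable by any script on the origin.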