July 13, 2026
Uncovering the Unseen: Breaking WAF and Auditing Undocumented Backend Logic in a HealthTech…
Auditing hidden endpoints and bypassing WAF parameters in a HealthTech infrastructure using only a smartphone.

By black Angel
4 min read
Uncovering the Unseen: Breaking WAF and Auditing Undocumented Backend Logic in a HealthTech Platform (From a Smartphone) Executive Summary (TL;DR) This case study documents a full-lifecycle security audit of a prominent European HealthTech provider, Nexuzhealth. Working exclusively from a mobile device (smartphone), I managed to discover the platform's origin server IP hidden behind CloudFront, bypass its Web Application Firewall (WAF), and identify an undocumented backend parameter (postQuery) vulnerable to server-side logic injection. Despite encountering premature rejection from the bug bounty platform and later having the platform's Chief Information Security Officer (CISO) dismiss the verified 16.5-second injection delays as a "coincidence," the company silently patched the parameter immediately after receiving the direct report. Initially triaged and closed on Intigriti, the issue was later addressed via a silent patch after direct CVD follow-up with the organization. This write-up is published following the responsible disclosure industry standard of over 90 days. Phase 1: Reconnaissance & WAF Bypass from a Mobile Environment Conducting heavy reconnaissance on a smartphone presents significant infrastructure restrictions. Relying on customized mobile environments (including Termux, Kali NetHunter, and Firefox Nightly with specialized interception proxies), the first hurdle was overcoming CloudFront's perimeter defense. By utilizing advanced internet-wide scanning filters and cross-referencing SSL certificate hashes, I successfully enumerated the underlying architecture and exposed the platform's direct backend infrastructure: Target Domain: media.nexuzhealth.be Exposed Server Infrastructure: [ORIGIN_IP] By modifying host headers directly from my mobile interception proxy, I completely bypassed the CloudFront WAF rules, allowing direct, unfiltered communication with the internal application infrastructure. Phase 2: Discovery of the Undocumented postQuery Parameter During a manual code and parameter pollution audit of the /patient/xero/wado/ endpoints, I identified an input field that was completely omitted from public API documentation: postQuery. Initial fuzzing of this parameter yielded normal response times. However, introducing specific structural logical syntax triggered heavy back-end resource utilization. By injecting structured comparative syntax combined with time-delay calls, the application's response times spiked dramatically. Evidence of Time-Delay Exploitation: Below is the request captured directly on my mobile environment. The query injected into the undocumented postQuery parameter forced the underlying system into a prolonged processing state, resulting in an exact 16.5-second response latency.
Figure 1: Intercepted mobile payload targeting the hidden parameter, inducing a critical 16.5-second processing delay. Phase 3: Breaking the Backend Logic & Error Analysis To confirm that this latency wasn't a transient network anomaly, I performed iterative structural injections. Modifying the constraints forced the application to drop the connection entirely, throwing an internal server error (500 Internal Server Error). The raw stack trace returned by the backend exposed deep environmental details:
java.lang.IllegalArgumentException: Illegal constraint: NumberOfStudyRelatedInstances...
This error confirms that the injected string directly influenced the backend logic parser. The parameter was taking the input, evaluating it un-sanitized against an internal data structure, and forcing execution chains that delayed or crashed the thread.
Figure 2: Server response showing an explicit internal backend exception directly influenced by the injected logic constraints. Phase 4: The Platform Hurdle – Fighting Through a Flawed Triage The vulnerability was initially triaged and closed on Intigriti as out-of-scope/unreproducible. However, after direct CVD follow-up with Nexuzhealth's internal security team, the issue was validated and later addressed via a silent patch in production. Unfortunately, like many independent researchers face, the report encountered a massive wall of misunderstanding during the initial triage phase. The platform's reviewers closed the ticket prematurely, dismissing the 16.5-second logic delays as "temporary environment noise" or network hiccups, completely overlooking the underlying manual WAF bypass and the existence of the hidden parameter. Refusing to let a verified infrastructure flaw go unpatched, I had to spend extra weeks meticulously gathering raw backend exception logs and mapping the strict correlation between the injected constraints and server processing times. It was only after bypassing the platform's gatekeepers and engineering a direct line of communication to Nexuzhealth's internal security team that the technical reality of the finding was finally looked at. Phase 5: The Silent Patch & The CISO's Paradox Following ethical guidelines, a comprehensive report detailing the WAF bypass, the hidden parameter, and the behavior was submitted directly to Nexuzhealth's security team. The response from the company's Chief Information Security Officer (CISO), Mark Vanautgaerden, presented a striking contradiction. In an official communication, the CISO claimed that their engineering team could not reproduce the issue and concluded that the severe time delays were merely an "accidental coincidence" due to an in-memory evaluation filter. Its mitigation, however, tells a different story. In the very next sentence, the CISO admitted the critical nature of the finding by thanking me for bringing the undocumented parameter to their attention and explicitly stating that they would be permanently blocking it in production.
Figure 3: Official response from the CISO dismissing the flaw as a "coincidence" while simultaneously confirming a permanent silent patch for the undocumented parameter. This creates a clear security paradox: a company does not completely block a core parameter across production environments because of a "coincidence." The mitigation itself confirms that the parameter posed an unquantified risk to their backend systems. Phase 6: Conclusion & Timeline This case study demonstrates that critical, structural vulnerabilities can be thoroughly mapped, tested, and verified using nothing more than a standard smartphone, provided the researcher possesses deep technical patience. It also highlights an ongoing issue in the corporate world: dismissing a researcher's findings to avoid acknowledgment while quietly implementing their exact remediation recommendations. This disclosure strictly follows the industry-standard 90-day window for Coordinated Vulnerability Disclosure (CVD). The initial report was submitted in January 2026, and after more than five months of silence and a complete infrastructure patch, this information is released to educate the wider InfoSec community on the importance of auditing undocumented legacy parameters. January 20, 2026: Initial discovery and verification of WAF bypass and logic injection. January 23, 2026: Further behavior verification and error log documentation. February 14, 2026: Official response from CISO claiming "coincidence" but confirming a production block. July 2026: Public disclosure after 90+ days of silence and successful patching.
Written by: black_angel24 Independent Cybersecurity
Researcher