# BCEAO (www.bceao.int) -- Intelligence Report
**Date:** 2026-03-04
**Target:** Banque Centrale des Etats de l'Afrique de l'Ouest (Central Bank of West African States)
**URL:** https://www.bceao.int
**Coverage:** All 8 WAEMU/UEMOA member states (Benin, Burkina Faso, Cote d'Ivoire, Guinea-Bissau, Mali, Niger, Senegal, Togo)

---

## Infrastructure Fingerprint

| Component | Value |
|-----------|-------|
| CMS | Drupal 8 |
| Web Server | nginx/1.20.1 |
| PHP | Not exposed in headers (good) |
| Theme | Custom "medianet" |
| Caching | Drupal internal cache, 6-hour max-age |
| HTTPS | Yes, valid certificate |
| X-Frame-Options | SAMEORIGIN |
| CORS | No Access-Control-* headers observed |
| JSON API module | DISABLED (all /jsonapi/* return 404) |
| REST API | PARTIALLY ENABLED |

## Key Findings

### 1. REST Session Token Exposed (MEDIUM)
- **Endpoint:** `/rest/session/token`
- **Response:** `vcDLByr8Af5o1C0L8iC-gydAfQ-XocTUKUx30qS27D8`
- **Impact:** The endpoint hands an anonymous client a CSRF token for its own session. This is default Drupal 8 behaviour whenever the REST module is enabled; the token is bound to the requesting session and cannot be replayed against another user's session, so on its own it does not enable CSRF. Its value here is confirmation that the REST services module is active (which is what makes the node serialization endpoints below reachable) and that a client can obtain the X-CSRF-Token value that cookie-authenticated write methods (POST/PATCH/DELETE) on a REST resource would require, if any such methods were enabled; none were confirmed here.

### 2. Drupal Node JSON Serialization Enabled (HIGH VALUE)
- **Endpoint pattern:** `/node/N?_format=json`
- **Accessible nodes:** 48 out of 100 tested returned full JSON content
- **Blocked nodes:** Nodes 1-6, 26-30 return 401 (Unauthorized) -- likely unpublished or access-restricted content. Note that Drupal normally answers an anonymous access denial with 403; a 401 means the REST resource issued an HTTP authentication challenge, which indicates a challenge-capable authentication provider (typically basic_auth) is configured for the resource alongside cookie authentication
- **Content types exposed:**
  - `institutions` (nodes 7, 8, 9) -- UMOA subsidiary organizations
  - `page` (nodes 48, 52, 53, 54, 67) -- Institutional pages with full HTML body content
  - `page_documents` (node 31) -- Document listing pages
  - `documents` (nodes 33-39) -- Banking Commission circulars
  - `reunion` (nodes 49, 50, 51) -- Monetary Policy Committee meeting records
  - `page_reglementation` (nodes 56-61) -- Regulatory framework pages
  - `reglementation` (nodes 62-100+) -- Individual regulatory texts (instructions, decisions, directives)
- **Data leaked per node:** nid, uuid, vid, langcode, type, revision_timestamp, revision_uid (user entity reference: target ID, target UUID and relative profile path), title, body (full HTML), status, created/changed timestamps, field_date, field_fichier (file entity references with file IDs and paths), field_description

### 3. User Account Enumeration
- **`/user/1?_format=json`** returns `{"message":"The 'access user profiles' permission is required and the user must be active."}` -- an access-denied reason rather than a 404, which confirms user 1 exists; the profile fields themselves are gated by the 'access user profiles' permission
- **`/user/login`** -- Login form accessible (100KB, full Drupal 8 login form)
- **`/user/register`** -- Returns 403 (registration disabled, correct)

### 4. Revision UID Leakage
- Multiple nodes expose `revision_uid` pointing to user ID 1 with UUID `9d1f6176-fe5a-42a5-bd95-45bdd7fb0c90` and relative path `/en/user/1`. Another user observed: ID 120 (username "diogoul" visible in RSS feed).
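The following is an added example, not code from the report or anything belonging to the target: a small offline extractor for the Drupal 8 `?_format=json` node shape described in findings 2 to 4, plus a classifier for what a probe's status code means (findings 2 and 3). The node document, IDs, UUIDs and paths are constructed placeholders, not a capture from the site; field and item names follow Drupal 8's serializer (every field is a list of item dicts, entity references carry `target_id`/`target_type`/`target_uuid`/`url`).

```python
import json

# Constructed sample of one node as Drupal 8 serialises it for ?_format=json.
# NOT a capture from the target: IDs, UUIDs, title and paths are placeholders.
SAMPLE_NODE_JSON = json.dumps({
    "nid": [{"value": 48}],
    "uuid": [{"value": "11111111-2222-4333-8444-555555555555"}],
    "vid": [{"value": 130}],
    "langcode": [{"value": "fr"}],
    "type": [{"target_id": "page", "target_type": "node_type",
              "target_uuid": "22222222-2222-4222-8222-222222222222"}],
    "revision_timestamp": [{"value": "2019-05-02T10:11:12+00:00", "format": "Y-m-d\\TH:i:sP"}],
    "revision_uid": [{"target_id": 1, "target_type": "user",
                      "target_uuid": "00000000-0000-4000-8000-000000000001", "url": "/en/user/1"}],
    "status": [{"value": True}],
    "title": [{"value": "Sample institutional page"}],
    "uid": [{"target_id": 120, "target_type": "user",
             "target_uuid": "00000000-0000-4000-8000-000000000120", "url": "/en/user/120"}],
    "created": [{"value": "2019-05-02T10:00:00+00:00", "format": "Y-m-d\\TH:i:sP"}],
    "changed": [{"value": "2019-05-02T10:11:12+00:00", "format": "Y-m-d\\TH:i:sP"}],
    "body": [{"value": "<p>Institutional text.</p>", "format": "full_html", "summary": ""}],
    "field_fichier": [{"target_id": 144208, "target_type": "file",
                       "target_uuid": "33333333-3333-4333-8333-333333333333",
                       "url": "/sites/default/files/doc.pdf", "display": True, "description": ""}],
})


def first(doc, field, key="value"):
    """First item's `key` for a Drupal field list, or None if the field is absent or empty."""
    items = doc.get(field) or []
    return items[0].get(key) if items else None


def entity_references(doc, target_types=("user", "file")):
    """Every entity-reference item of the wanted target types, tagged with the field it came from."""
    refs = []
    for field, items in doc.items():
        if not isinstance(items, list):
            continue
        for item in items:
            if isinstance(item, dict) and item.get("target_type") in target_types:
                refs.append({"field": field, "target_type": item["target_type"],
                             "target_id": item.get("target_id"),
                             "target_uuid": item.get("target_uuid"), "url": item.get("url")})
    return refs


def extract_node_metadata(raw_json):
    """Reduce one node JSON document to the identifiers and references a recon note records."""
    doc = json.loads(raw_json)
    refs = entity_references(doc)
    return {
        "nid": first(doc, "nid"),
        "uuid": first(doc, "uuid"),
        "type": first(doc, "type", "target_id"),
        "langcode": first(doc, "langcode"),
        "published": first(doc, "status"),
        "title": first(doc, "title"),
        "body_chars": len(first(doc, "body") or ""),
        # Users named as author / revision author: ID, UUID and relative profile path all leak.
        "users": sorted({(r["target_id"], r["target_uuid"], r["url"])
                         for r in refs if r["target_type"] == "user"}),
        "files": sorted({(r["target_id"], r["url"]) for r in refs if r["target_type"] == "file"}),
    }


# What the status code of an anonymous probe of /node/N?_format=json or /user/N?_format=json means.
# 401 instead of Drupal's usual 403 means a challenge-capable auth provider (typically basic_auth)
# is configured on the REST resource; 404 vs 401/403 is the existence oracle.
PROBE_MEANING = {
    200: "entity exists and is readable anonymously",
    401: "entity exists, access denied, HTTP auth challenge issued (basic_auth-style provider enabled)",
    403: "entity exists, access denied, no challenge",
    404: "no entity with that ID",
}


def classify_probe(status_code):
    """Map a probe's HTTP status to what it tells you; anything else is reported verbatim."""
    return PROBE_MEANING.get(status_code, "unexpected status %d" % status_code)
```

Run `extract_node_metadata` over each saved `node-N.json` to build the user and file inventories directly from the dumps, and feed `classify_probe` the status of each probed ID so that 404 gaps (no entity) are separated from 401/403 gaps (entity exists, content withheld).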

### 5. Massive Sitemap (3,408 URLs)
- Full sitemap.xml contains 3,408 URLs covering:
  - Institutional pages, regulatory texts, press releases
  - Treasury bond auction notices (appels d'offres)
  - Member state pages, publications, events
  - Governor's speeches and interventions
- Provides complete content inventory for deeper enumeration
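Added example (not code from the report, and the sitemap below is a constructed sample on a placeholder host, not the target's 824KB file): a sitemap.xml inventory that counts URLs per top-level path section, splits them by the `/fr/` and `/en/` language prefix, records the lastmod range, and lists French paths that have no English counterpart, which is the check behind looking for `/en/` variants. It uses only the standard library and the sitemaps.org 0.9 namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"
LANG_PREFIXES = ("fr", "en")  # assumed language path prefixes of a bilingual Drupal site

# Constructed sample sitemap; host and paths are placeholders, not the target's URLs.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.test/fr/reglementation/instruction-001</loc><lastmod>2025-09-10</lastmod></url>
  <url><loc>https://www.example.test/fr/reglementation/decision-002</loc><lastmod>2025-09-12</lastmod></url>
  <url><loc>https://www.example.test/en/reglementation/instruction-001</loc><lastmod>2025-09-10</lastmod></url>
  <url><loc>https://www.example.test/fr/appels-offres/bons-du-tresor-2025-10</loc><lastmod>2025-10-01</lastmod></url>
  <url><loc>https://www.example.test/fr/publications/rapport-annuel-2024</loc><lastmod>2025-06-30</lastmod></url>
  <url><loc>https://www.example.test/</loc><lastmod>2025-10-02</lastmod></url>
</urlset>
"""


def inventory_sitemap(xml_text):
    """Summarise a sitemap: totals per section and language, lastmod span, untranslated paths."""
    root = ET.fromstring(xml_text)
    locs, lastmods = [], []
    for url in root.iter(SITEMAP_NS + "url"):
        loc = url.findtext(SITEMAP_NS + "loc")
        if loc:
            locs.append(loc.strip())
        lastmod = url.findtext(SITEMAP_NS + "lastmod")
        if lastmod:
            lastmods.append(lastmod.strip())

    by_section, by_lang = Counter(), Counter()
    paths_per_lang = {}  # language prefix -> set of paths with the prefix stripped
    for loc in locs:
        parts = [p for p in urlparse(loc).path.split("/") if p]
        lang = parts.pop(0) if parts and parts[0] in LANG_PREFIXES else None
        by_lang[lang or "none"] += 1
        by_section[parts[0] if parts else "/"] += 1
        paths_per_lang.setdefault(lang, set()).add("/".join(parts))

    fr_only = paths_per_lang.get("fr", set()) - paths_per_lang.get("en", set())
    return {
        "total": len(locs),
        "by_section": dict(by_section),
        "by_lang": dict(by_lang),
        "lastmod_range": (min(lastmods), max(lastmods)) if lastmods else None,
        "fr_without_en": sorted(fr_only),
    }
```

On the real file, `by_section` gives the per-content-type counts that the bullets above describe qualitatively, and `fr_without_en` is the list to probe for unlisted `/en/` variants.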

### 6. RSS Feed (10 items)
- Active RSS feed with recent content (Sept-Oct 2025 items)
- Reveals internal usernames in dc:creator tags (e.g., "diogoul")
- Contains full HTML body content of articles

### 7. CHANGELOG.txt Accessible but Sanitized
- `/core/CHANGELOG.txt` returns 399 bytes -- generic Drupal release cycle info only, no specific version number
- This means the exact Drupal 8.x.x version is not immediately determinable from this file

### 8. Exposed Internal Architecture
- **X-Drupal-Cache-Tags header** leaks internal configuration detail. Drupal emits this header (together with X-Drupal-Cache-Contexts) only when `http.response.debug_cacheability_headers` is set to true in `services.yml`; that is a development setting, so its presence in production is itself a misconfiguration:
  - 200+ block configurations (block names reveal full site architecture)
  - Content types: institutions, page, page_documents, documents, reunion, reglementation, etc.
  - Views: appels_offres, banner_index, bceao_news, communique_presse, etats_membres, institutions, interventions_du_gouverneur, publications, reglementations, reunions, tabs_home
  - Webforms: contactez_nous, newsletter
  - File IDs: Multiple file references (up to file:144208+)
  - Node IDs visible in cache tags (highest observed: 8761)
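Added example, not the report's or the target's code: a parser for an `X-Drupal-Cache-Tags` value that separates entity tags (`node:48`, `file:144208`, `user:1`), config-entity tags (`config:views.view.NAME`, `config:block.block.NAME`, `config:node.type.NAME`, `config:webform.webform.NAME`) and bare list/view tags, then summarises them the way this finding does. The header value below is a constructed sample in Drupal's format, not the live header; the tag shapes follow Drupal 8 conventions (entity tags are `<entity_type>:<id>`, config entities are `config:<config_prefix>.<name>`).

```python
import re
from collections import defaultdict

# Constructed sample in X-Drupal-Cache-Tags format (space-separated tags); NOT the target's header.
SAMPLE_HEADER = (
    "block_view config:block.block.medianet_branding config:block.block.medianet_main_menu "
    "config:block_list config:node.type.page config:node.type.reglementation "
    "config:views.view.bceao_news config:views.view.appels_offres config:views.view.reunions "
    "config:webform.webform.contactez_nous config:webform.webform.newsletter "
    "file:144208 file:144210 node:8761 node:48 node:52 node_list node_view rendered http_response "
    "user:1 user:120 taxonomy_term:14"
)

ENTITY_TAG = re.compile(r"^([a-z_]+):(\d+)$")              # node:48, file:144208, user:1
CONFIG_TAG = re.compile(r"^config:([a-z_]+\.[a-z_]+)\.(.+)$")  # config:views.view.bceao_news


def cacheability_debug_enabled(headers):
    """True if the response carries Drupal's debug cacheability headers (a dev-only setting)."""
    names = {k.lower() for k in headers}
    return "x-drupal-cache-tags" in names or "x-drupal-cache-contexts" in names


def parse_cache_tags(header_value):
    """Bucket tags into entities (type -> ids), config entities (prefix -> names) and bare tags."""
    entities = defaultdict(set)
    config = defaultdict(set)
    other = set()
    for tag in header_value.split():
        m = ENTITY_TAG.match(tag)
        if m:
            entities[m.group(1)].add(int(m.group(2)))
            continue
        m = CONFIG_TAG.match(tag)
        if m:
            config[m.group(1)].add(m.group(2))
            continue
        other.add(tag)  # list tags (node_list, config:block_list), *_view, rendered, http_response
    return {"entities": dict(entities), "config": dict(config), "other": other}


def summarize(parsed):
    """The recon view of a parsed header: content types, views, blocks, webforms, highest IDs."""
    cfg, ents = parsed["config"], parsed["entities"]
    return {
        "content_types": sorted(cfg.get("node.type", ())),
        "views": sorted(cfg.get("views.view", ())),
        "blocks": sorted(cfg.get("block.block", ())),
        "webforms": sorted(cfg.get("webform.webform", ())),
        "max_nid": max(ents.get("node", {0})),
        "max_fid": max(ents.get("file", {0})),
        "user_ids": sorted(ents.get("user", ())),
    }
```

Because the header is per-response, run `parse_cache_tags` over every fetched page and merge the buckets; the highest `node:` and `file:` IDs across all responses bound the enumeration ranges, and the `config:views.view.*` names are the candidates for REST export displays.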

## Content Summary (Dumped Nodes)

| Content Type | Count | Description |
|-------------|-------|-------------|
| institutions | 3 | UMOA-Titres, CONOBAFI, FGD-UMOA |
| page | 5 | UMOA presentation, BCEAO presentation, UMOA Agency, CONOBAFI, BCEAO Missions |
| page_documents | 1 | Circulars listing |
| documents | 7 | Banking Commission circulars (2011) |
| reunion | 3 | Monetary Policy Committee meetings (2016) |
| page_reglementation | 6 | Regulatory framework categories |
| reglementation | 23+ | Individual regulations, instructions, directives |

## Files Saved

- `node-7.json` through `node-100.json` (48 valid JSON files)
- `rest-session-token.txt` -- CSRF token
- `user-1.json` -- User enumeration response
- `robots.txt` -- Standard Drupal 8 robots
- `rss.xml` -- 73KB RSS feed
- `sitemap.xml` -- 824KB, 3,408 URLs
- `CHANGELOG.txt` -- Generic Drupal info
- `user-login.html` -- Login form (100KB)

## Attack Surface Assessment

| Vector | Risk Level | Notes |
|--------|-----------|-------|
| Node JSON serialization | HIGH | 48+ nodes accessible, full content + metadata |
| REST session tokens | MEDIUM | Session-bound anonymous token; mainly confirms the REST module is active |
| User enumeration | LOW | User 1 confirmed, requires auth for profiles |
| Username leakage | LOW | "diogoul" exposed via RSS dc:creator |
| Cache tag info disclosure | MEDIUM | Full site architecture exposed in headers (debug cacheability headers left on) |
| Sitemap enumeration | LOW | 3,408 URLs for content discovery |
| JSON API | MITIGATED | Module disabled or not installed |
| Registration | MITIGATED | Disabled (403) |

## Recommendations for Further Recon
1. Enumerate nodes beyond 100 (cache tags show nodes up to 8761)
2. Check whether any view named in the cache tags has a REST export display
3. Check `/en/` prefix variants for English language content
4. Test taxonomy term endpoints (`/taxonomy/term/N?_format=json`)
5. Probe file entity endpoints (`/file/N` or `/sites/default/files/`)
