Content


Overview


Date: 2022-08-24
Status: WIP
Release: Release 2022-04
Test type: automatic, mixed
Test topic: Code Review
Project context: Project: Security 2022
Tester: SecurityOne
Standard: Background: Open Web Application Security Project (OWASP)

Result Summary

Vulnerabilities

Risk      Count
Critical  3
High      2
Medium    4
Low       0

OWASP Top 10

Evaluation Methodology

SecurityONE has used source code review as its evaluation method. Code review is the systematic examination of computer source code; reviews take various forms and can be carried out at various stages of each organization's S-SDLC. This document does not attempt to tell each organization how to implement code reviews; this section describes, in generic terms, the methodology of code reviews, from informal walkthroughs to formal inspections or tool-assisted code reviews.

  • Pre-Review Discovery
    A representative from the target application's development team is asked to confirm the scope of the engagement. Trustwave requires a full list of the applications to be tested, design documentation, and the third-party applications and libraries in use during the design, coding, and testing of the target application. This information allows the SecurityONE consultants to become familiar with the existing application environment prior to the commencement of the engagement.

  • Documentation Review
    SecurityONE conducts a detailed review of the existing documentation for each application listed in this proposal, including design documents, concept of operations, and source code listings. On an as-needed basis, SecurityONE requests clarification on components of the site, functionality, program flow, and design issues.

  • Architecture and Product Familiarization
    SecurityONE reviews the overall architecture of the application to become familiar with the security issues resulting from any third-party tools, applications, libraries, or services being used. This includes interface specifications for any pre-existing libraries or utilities, as well as security vulnerabilities or known issues with commercial tools and applications.

  • Static and Manual Source Code Analysis
    The SecurityONE team performs a detailed, manual analysis of the application source code. Many of the vulnerabilities discovered in a source code review are similar to those discovered during an application penetration test. Unlike a penetration test, a code review allows for greater breadth of coverage and an increased confidence level in the results of the assessment. This is principally a result of having a fuller understanding of the design, the software architecture and its internals, allowing the exploitability of identified vulnerabilities to be fully assessed from a risk perspective.

Detailed Results

Each finding is listed with its risk, the affected component, the impact / recommendation, and its status ((tick) = fixed, 🧑‍🏭 = tracked in the issue queue).

Vulnerability: Multiple outdated dependencies in frontend Dockerfile
Risk: Critical
Component: npm node:16 base image
Impact / Recommendation: The base image should be upgraded to node:16.17.0-bullseye-slim
Status: (tick)

Vulnerability: Multiple outdated dependencies in backend Dockerfile
Risk: Critical
Component: python:3.8-buster
Impact / Recommendation: The base image should be upgraded to python:3.9.13-slim
Status: (tick)

Vulnerability: Multiple outdated dependencies in requirements.txt
Risk: Critical
Component: pyjwt@1.7.0, django@3.0.14, gitpython@3.1.24
Impact / Recommendation: The following modules/libraries should be upgraded to pyjwt@2.4.0, django@3.2.15, gitpython@3.1.27
Status: (tick)

Vulnerability: Multiple outdated dependencies in package.json
Risk: High
Component: react-scripts@4.0.3
Impact / Recommendation: The following modules/libraries should be upgraded to react-scripts@5.0.0
Status: (tick)

Vulnerability: Password Stored as Environment Variable in plaintext
Risk: High
Component: DB_Password
Impact / Recommendation: Consider storing the password in an encrypted form (secure string on Windows or AES-encrypted on Linux systems)
Status: (tick)

Vulnerability: Cross-Site Request Forgery (CSRF)
Risk: Medium
Component: openimis-fe_js/server.js
Impact / Recommendation: Since the underlying application is built on Express, a dedicated middleware such as csurf that implements CSRF protection should be used
Status: 🧑‍🏭

Vulnerability: Command Injection
Risk: Medium
Component: openimis-fe_js/dev_tools/installModuleLocally.js
Impact / Recommendation: Any user input should first be sanitized and then strictly checked against a specific format (blacklists/regex match) before being used in a shell command
Status: 🧑‍🏭

Vulnerability: Information Exposure
Risk: Medium
Component: openimis-fe_js/server.js
Impact / Recommendation: Consider using the Helmet middleware, which disables the X-Powered-By header
Status: 🧑‍🏭

Vulnerability: Allocation of Resources Without Limits or Throttling
Risk: Medium
Component: openimis-fe_js/server.js
Impact / Recommendation: Consider using a rate-limiting middleware such as express-limit
Status: 🧑‍🏭

Remediation

All critical and high-risk findings were fixed immediately ((tick)). Lower-risk findings were addressed in the issue queue (🧑‍🏭). No country instances were affected.

Report

Attached file: OpenIMIS - Source Code Review.pdf