Overview

Date        2022-08-24
Status      WIP
Release     Release 2022-04
TestType    automatic
TestTopic   Code Review
Project     Project: Security 2022
Tester      SecurityOne
Standard    Background: Open Web Application Security Project (OWASP)

Result Summary

Vulnerabilities

Risk       Count
Critical   3
High       2
Medium     4
Low        0

OWASP Top 10

Detailed Results

Vulnerability   Multiple outdated dependencies in frontend Dockerfile
Risk            Critical
Component       npm node:16 base image
Impact          The base image should be upgraded to node:16.17.0-bullseye-slim
Status          (tick)

Vulnerability   Multiple outdated dependencies in backend Dockerfile
Risk            Critical
Component       python:3.8-buster
Impact          The base image should be upgraded to python:3.9.13-slim
Status          (tick)

Vulnerability   Multiple outdated dependencies in requirements.txt
Risk            Critical
Component       pyjwt@1.7.0
                django@3.0.14
                gitpython@3.1.24
Impact          The following modules/libraries should be upgraded to:
                pyjwt@2.4.0
                django@3.2.15
                gitpython@3.1.27
Status          (tick)

Vulnerability   Multiple outdated dependencies in package.json
Risk            High
Component       react-scripts@4.0.3
Impact          The following module/library should be upgraded to react-scripts@5.0.0
Status          (tick)

Vulnerability   Password stored as environment variable in plaintext
Risk            High
Component       DB_Password
Impact          Consider storing the password in an encrypted form (a secure string on Windows or an AES-encrypted value on Linux systems)
Status          (tick)

Vulnerability   Cross-Site Request Forgery (CSRF)
Risk            Medium
Component       openimis-fe_js/server.js
Impact          Since the underlying application is built on Express, a dedicated middleware such as csurf, which implements CSRF protections, should be used
Status          🧑‍🏭

Vulnerability   Command Injection
Risk            Medium
Component       openimis-fe_js/dev_tools/installModuleLocally.js
Impact          Any user input should first be sanitized and then strictly checked against the expected format (blacklist/regex match) before being used in a shell command
Status          🧑‍🏭

Vulnerability   Information Exposure
Risk            Medium
Component       openimis-fe_js/server.js
Impact          Consider using the Helmet middleware, which disables the X-Powered-By header
Status          🧑‍🏭

Vulnerability   Allocation of Resources Without Limits or Throttling
Risk            Medium
Component       openimis-fe_js/server.js
Impact          Consider using a rate-limiting middleware such as express-limit
Status          🧑‍🏭

Remediation

All critical and high risk errors were fixed immediately ((tick) ). Lower risk errors were addressed in the issue queue (🧑‍🏭 ). No instances in countries were affected.

Report

Attached file: OpenIMIS - Source Code Review.pdf