2021-12 Penetration Test
- Uwe Wahser
Content
Overview
Date | 2021-12-06 |
|---|---|
Status | FIXED |
Release | |
TestType | automatic |
TestTopic | Penetration Test |
Context | |
Tester | |
Standard |
Result Summary
Vulnerabilities
Risk | Count |
|---|---|
Critical | 2 |
High | 2 |
Medium | 3 |
Low | 1 |
OWASP Top 10
A01 | YES | |
|---|---|---|
A02 | NO | |
A03 | YES | |
A04 | YES | |
A05 | YES | |
A06 | NO | |
A07 | NO | |
A08 | NO | |
A09 | NO | |
A10 | YES |
Methodology
SecurityONE based the findings and recommendations presented in this report on manual and automatic web application vulnerability scanning and penetration testing against the web application.
Automatic web application scanning:
SecurityONE has used several commercial tools to analyze the target environment and identify potential vulnerabilities. Automatic scanning software identifies application-level vulnerabilities.Web application manual testing:
Using the information generated by the automated testing software, SecurityONE also used manual testing techniques to identify and try to exploit additional vulnerabilities in the targeted application and to eliminate false positives caused by the automated scanning process. The assessment was conducted in accordance with best practices in the industry, defined by such methodologies as ISECOM's Open-Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP).
Detailed Results
Vulnerability | Risk | Impact | Status |
|---|---|---|---|
Blind SQL injection (SQLi) | Critical | This vulnerability not only allows an attacker to retrieve all of the data from the database, but for issuing commands to the database to interact with remote attacker-controlled systems. |
|
GraphQL Broken Authorization | Critical | This allows a low privileged attacker to perform any action an admin is allowed to, by crafting requests, easily enumerable and identifiable due to Introspection being enabled, including changing any user’s passwords, escalating privileges to an admin, etc. |
|
Blind XML external entity injection (XXE) | High | External entities can reference files on the parser’s filesystem; exploiting this feature may allow retrieval of arbitrary files, or denial of service by causing the server to read from a file. |
|
Local file inclusion (LFI) | High | This vulnerability can lead to information disclosure of files stored in Web Server, passwords/database access, log files and complete system compromise. |
|
Referrer dependent pages enabled | Medium | This can allow attackers to bypass the GraphQL API along with any security restrictions implemented for the API. |
|
Default Passwords Hardcoded | Medium | In the openIMIS environment, an attacker with access with these passwords can access confidential information. |
|
GraphQL API, Introspection Enabled, Exposed GraphQL Development Console | Medium | An attacker can map out the API’s schema and gather information related to its configuration. This could lead to further attacks and potential loss of sensitive information. |
|
Cookie Without SECURE flag | Low | To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure. |
|
Remediation
Most issues affected the legacy part of openIMIS. All errors were fixed ( ) or rejected as not applicable ( ). All instances in countries which were affected were followed up until the security patches were applied or the system was migrated to a recent version of openIMIS.
Report
Did you encounter a problem or do you have a suggestion?
Please contact our Service Desk
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/