Pen Test 2021
Issue | Broken Access Control – Employers & Provider Role Type Users can grant Sub Users with Admin Privileges
Priority | Minimum
EP Number |
Resolution | We have identified and resolved a bug where users were able to bypass the reporting permissions and access a report they wouldn't normally be able to. Additional checks have now been added and they will be denied access.
Issue | Cross Site Scripting (XSS) – Stored XSS Vulnerability Found
Priority | High
EP Number |
Resolution | We have added code to remove references to malicious scripts from any HTML content generated within EPA Pro by the HTML editor on the following screens:
· Assessment Centre
· Email Manager
· Gateway Specification
· Pages
· News
Issue | Using Components with Known Vulnerabilities – Out of date components identified
Priority | Medium
EP Number | EP-2573 (https://covalenttech.atlassian.net/browse/EP-2573), EP-2582 (https://covalenttech.atlassian.net/browse/EP-2582)
Resolution | This issue will be fixed by the jQuery and Bootstrap upgrades.
Issue | Sensitive Data Exposure – Internal Directory & Version Disclosed in Stack Trace
Priority | N/A
EP Number | N/A
Resolution | This issue arises on the development sites, where these are enabled for testing purposes. None of them are enabled on the Production sites.
Issue | Broken Access Control – Apprentice User can access Template Certificate
Priority | Low
EP Number |
Resolution | We have identified and resolved a bug where a user would be able to access a file for an area of the system they do not have permission to read; they will now be denied access. All uploaded files have a randomly generated hash as the filename, so the name of the file would have needed to be guessed successfully.
Issue | Security Misconfiguration – web.config File is Publicly Accessible
Priority | Low
EP Number |
Resolution | The publicly visible web.config file has been removed, as it is not used in configuration.
Issue | Security Misconfiguration – Potentially Dangerous File Type Upload Allowed
Priority | Medium
EP Number |
Resolution | New validation has been added to reject file uploads based on file extension. This additional layer of validation has been introduced to catch the specific circumstances where the existing file checks were unable to distinguish between different plain-text formats.
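The layering described in this resolution, as an added example in Python that is not EPA Pro's own code: a content sniffer can confirm that an upload is plain text but cannot tell .txt from .html, so an extension allow-list is applied first and decides those cases. The allow-list and the magic-number table are assumed values for illustration.

```python
import os

# Constructed allow-list of upload extensions (assumed, not EPA Pro's real list).
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".docx", ".txt", ".csv"}

# Leading bytes ("magic numbers") of the binary formats in the allow-list.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
}


def _extension(filename):
    # Judge by the final extension of the bare filename, so "notes.txt.html"
    # is treated as .html and a path prefix cannot change the result.
    return os.path.splitext(os.path.basename(filename))[1].lower()


def _is_plain_text(content):
    # A content sniffer can only confirm "this is text", not which text format:
    # .txt, .csv, .html and .svg all pass this same test.
    if b"\x00" in content:
        return False
    try:
        content.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def validate_upload(filename, content):
    """Return (accepted, reason) for an upload, applying the extension
    allow-list before any content-based check."""
    ext = _extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %s is not allowed" % (ext or "(none)")
    if ext in MAGIC:
        # Binary format: the content must carry the signature the extension claims.
        if not content.startswith(MAGIC[ext]):
            return False, "content does not match the %s signature" % ext
        return True, "ok"
    # Plain-text format: the sniffer cannot distinguish .txt from .html, so the
    # extension allow-list above is the check that keeps active content out.
    if not _is_plain_text(content):
        return False, "binary content in a plain-text upload"
    return True, "ok"
```

The validated file should still be stored under a server-generated name and served with a fixed Content-Type, as the certificate finding above describes for uploaded files.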
Issue | Security Misconfiguration – XSRF Cookie without HTTPOnly Flag set
Priority | Low
SD Number | N/A
Resolution | This is by design: the cookie does not have the HTTPOnly flag set because it is a particular case. Setting HTTPOnly on this cookie would make it useless, and although the browser sends the cookie along with every request, it is not read or used by any of the backend application code.
Issue | Broken Access Control – Front End Validation/Restrictions Can be Bypassed
Priority | Medium
EP Number |
Resolution | A user other than an Awarding Organisation user was able to change the role if they knew how to modify the underlying request data. This is no longer possible; the modified value is ignored.
Issue | Broken Access Control – Employer User can run reports not available through front end using URL enumeration
Priority | Medium
EP Number |
Resolution | Users were able to bypass their reporting permissions and access a report they wouldn't normally be able to. Additional checks have now been added and they will be denied access.
Issue | Broken Authentication – Lack of Cache Control
Priority | Low
EP Number |
Resolution | Fixed a bug where a user would be able to access pages cached by the browser even when they weren't logged in.