Pen Test 2021

Issue

Broken Access Control – Employers & Provider Role Type Users can grant Sub Users with Admin Privileges

Priority

Minimum

EP Number

EP-2532: https://covalenttech.atlassian.net/browse/EP-2532

Resolution

We have identified and resolved a bug where users were able to bypass the reporting permissions and access a report they would not normally be able to.

Additional checks have now been added and they will be denied access.

Issue

Cross Site Scripting (XSS) – Stored XSS Vulnerability Found

Priority

High

EP Number

EP-2351: https://covalenttech.atlassian.net/browse/EP-2351

Resolution

We have added code to remove references to malicious scripts within any HTML content generated within EPA Pro by use of the HTML editor on the following screens:

· Assessment Centre

· Email Manager

· Gateway Specification

· Pages

· News
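The approach described for editor-generated HTML, as an added example that is not EPA Pro's code: an allow-list sanitiser built on Python's standard html.parser that drops script and style elements, event-handler attributes and javascript: links from stored rich text before it is saved or rendered. The tag and attribute allow-lists, and the sample input, are assumptions chosen for illustration.

```python
"""Allow-list HTML sanitiser for stored rich-text content.

Added example (not EPA Pro's code). Everything not explicitly allowed is
dropped: unknown tags are removed (their text is kept), <script>/<style>
are removed together with their content, unknown attributes are removed,
and href values must use a known-safe scheme. The allow-lists below are
assumptions for illustration.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br",
                "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class _Sanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        clean = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onerror, style, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript:, data:, vbscript: links
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> becomes <br>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Text is re-escaped so that decoded entities cannot form markup.
            self.out.append(escape(data, quote=False))


def sanitise_html(html: str) -> str:
    """Return a copy of `html` containing only allow-listed markup."""
    parser = _Sanitiser()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of the kind of content a stored-XSS test submits.
    sample = ('<p onclick="alert(1)">Hello <b>world</b>'
              '<script>alert(1)</script>'
              '<a href="javascript:alert(1)">x</a>'
              '<a href="https://example.com">ok</a></p>')
    print(sanitise_html(sample))
```

Run the sanitiser at save time as well as at render time: stored content that was written before the fix is otherwise still served unchanged.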

Issue

Using Components with Known Vulnerabilities – Out of date components identified

Priority

Medium

EP Number

EP-2573: https://covalenttech.atlassian.net/browse/EP-2573

EP-2582: https://covalenttech.atlassian.net/browse/EP-2582

Resolution

This issue will be fixed by the jQuery and Bootstrap upgrades.

Issue

Sensitive Data Exposure – Internal Directory & Version Disclosed in Stack Trace

Priority

N/A

EP Number

N/A

Resolution

This issue arises on the development sites, where detailed error pages and stack traces are enabled for testing purposes. None of these are enabled on the Production sites.

Issue

Broken Access Control – Apprentice User can access Template Certificate

Priority

Low

EP Number

EP-2533: https://covalenttech.atlassian.net/browse/EP-2533

Resolution

We have identified and resolved a bug where a user was able to access a file belonging to an area of the system they do not have permission to read. They will now be denied access.

All uploaded files are stored under a randomly generated hash as the filename, meaning the name of the file would have needed to be guessed successfully.

Issue

Security Misconfiguration – Web.config File is Publicly Accessible

Priority

Low

EP Number

EP-2534: https://covalenttech.atlassian.net/browse/EP-2534

Resolution

The publicly visible web.config file has been removed as this is not used in configuration.

Issue

Security Misconfiguration – Potentially Dangerous File Type Upload Allowed

Priority

Medium

EP Number

EP-2544: https://covalenttech.atlassian.net/browse/EP-2544

Resolution

New validation has been added to block file uploads based on file extension.

This additional layer of validation catches the specific cases where the existing content checks could not distinguish between different plain-text formats.
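The layered check described above, as an added example that is not EPA Pro's code: an extension allow-list is applied first, binary formats are then matched against their leading bytes, and plain-text formats (which have no signature, so content inspection alone cannot tell a .csv from an .html file) are additionally checked for embedded markup. The allow-list, signatures and sample inputs are assumptions for illustration.

```python
"""Upload validation: extension allow-list plus content checks.

Added example, not EPA Pro's code. The allow-list, the magic-number table
and the plain-text markup check are assumptions chosen for illustration.
"""
import os

ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".csv", ".txt"}

# Leading bytes ("magic numbers") of the binary formats we accept.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Markup that would make a browser treat a "text" file as a document.
TEXT_MARKUP_MARKERS = (b"<script", b"<html", b"<svg", b"<?xml", b"<%")


def validate_upload(filename: str, head: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). `head` is the first few hundred bytes of the file."""
    # Look only at the final path component; the client supplies the name.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"

    # Reject double extensions such as report.aspx.txt: a misconfigured
    # handler may serve the file according to the inner extension.
    inner = os.path.splitext(stem)[1].lower()
    if inner and inner not in ALLOWED_EXTENSIONS:
        return False, f"inner extension {inner} not allowed"

    if ext in MAGIC:
        # Binary formats: the content must carry the format's signature.
        if not head.startswith(MAGIC[ext]):
            return False, f"content does not match {ext} signature"
        return True, "ok"

    # Plain-text formats: no signature exists, so this is the case the
    # extension check exists for. Still reject binary bytes and markup.
    if b"\x00" in head:
        return False, "binary content in a text upload"
    lowered = head.lower()
    for marker in TEXT_MARKUP_MARKERS:
        if marker in lowered:
            return False, "markup found in text upload"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: name and first bytes only.
    for name, head in [
        ("notes.txt", b"just some text"),
        ("upload.aspx", b"<%@ Page %>"),
        ("logo.png", b"GIF89a"),
        ("page.txt", b"<html><script>alert(1)</script>"),
        ("report.aspx.txt", b"hello"),
    ]:
        print(name, validate_upload(name, head))
```

The double-extension rule is deliberately strict (it also rejects names like my.report.csv); loosening it to a deny-list of server-side extensions is a reasonable alternative where that strictness is a problem for users.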

Issue

Security Misconfiguration – XSRF Cookie without HTTPOnly Flag set

Priority

Low

SD Number

N/A

Resolution

This is by design: the cookie does not have the HTTPOnly flag set because of its particular use. Setting this cookie to HTTPOnly would make it useless. Although the browser sends the cookie along with every request, it is not read or used by any of the backend application code.

Issue

Broken Access Control – Front End Validation/Restrictions Can be Bypassed

Priority

Medium

EP Number

EP-2548: https://covalenttech.atlassian.net/browse/EP-2548

Resolution

A user other than an Awarding Organisation user was able to change the role if they knew how to modify the underlying request data. This is no longer possible: the modified value is ignored.

Issue

Broken Access Control – Employer User can run reports not available through front end using URL enumeration

Priority

Medium

EP Number

EP-2545: https://covalenttech.atlassian.net/browse/EP-2545

Resolution

Users were able to bypass their reporting permissions and access a report they would not normally be able to.

Additional checks have now been added and they will be denied access.
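The server-side checks behind the two Broken Access Control resolutions above (the ignored role field in modified request data, and the report permission check that no longer relies on what the front end shows), as an added example that is not EPA Pro's code. Role names, report identifiers and the permission table are assumptions; the page does not describe EPA Pro's real data model.

```python
"""Server-side authorisation for profile edits and report access.

Added example, not EPA Pro's code. It demonstrates two rules:
  1. A "role" or "is_admin" field arriving in request data is honoured
     only when the caller is an Awarding Organisation user; for everyone
     else it is silently dropped, so front-end restrictions cannot be
     bypassed by editing the request.
  2. Report access is decided by report id against a server-side
     permission table, not by which links the front end rendered.
Role names, report ids and the table are assumptions for illustration.
"""
from dataclasses import dataclass

AWARDING_ORG = "awarding_organisation"

# Constructed sample table: which roles may run which reports.
REPORT_PERMISSIONS = {
    "apprentice-progress": {"employer", "provider", AWARDING_ORG},
    "provider-financials": {"provider", AWARDING_ORG},
    "ao-audit": {AWARDING_ORG},
}

# Fields any user may edit on an account, and the extra ones only an
# Awarding Organisation user may set.
BASE_EDITABLE_FIELDS = {"display_name", "email"}
PRIVILEGED_FIELDS = {"role", "is_admin"}


@dataclass
class User:
    user_id: int
    role: str
    display_name: str = ""
    email: str = ""
    is_admin: bool = False


class Forbidden(Exception):
    pass


def apply_profile_update(actor: User, target: User, payload: dict) -> User:
    """Apply `payload` to `target`, ignoring fields `actor` may not set.

    Unauthorised fields are dropped rather than rejected, matching the
    behaviour the resolution describes ("the modified value is ignored").
    """
    allowed = set(BASE_EDITABLE_FIELDS)
    if actor.role == AWARDING_ORG:
        allowed |= PRIVILEGED_FIELDS
    for name, value in payload.items():
        if name in allowed:
            setattr(target, name, value)
    return target


def can_run_report(actor: User, report_id: str) -> bool:
    """Authorise by report id on the server; unknown ids are denied."""
    allowed_roles = REPORT_PERMISSIONS.get(report_id, set())
    return actor.role in allowed_roles


def run_report(actor: User, report_id: str) -> str:
    """Entry point a report URL would hit; enumerated URLs are checked too."""
    if not can_run_report(actor, report_id):
        raise Forbidden(f"{actor.role} may not run {report_id}")
    return f"report {report_id} for user {actor.user_id}"


if __name__ == "__main__":
    employer = User(1, "employer")
    sub_user = User(2, "employer")
    # Constructed request data with smuggled privilege fields.
    apply_profile_update(employer, sub_user,
                         {"display_name": "Bob", "role": AWARDING_ORG, "is_admin": True})
    print(sub_user)  # role and is_admin unchanged
    print(can_run_report(employer, "ao-audit"))  # False
```

Keeping the permission table on the server and keying it by report id is what closes the URL-enumeration route: a hidden menu item is not an access control, only the check at the handler is.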

Issue

Broken Authentication – Lack of Cache Control

Priority

Low

EP Number

EP-2457: https://covalenttech.atlassian.net/browse/EP-2457

Resolution

Fixed a bug where a user was able to access pages cached by the browser even when they were not logged in.