Pen Test 2022 Results
Issue | A05 Security Misconfiguration – ReadMe File May Identify Site Software |
Priority | Low |
EP Number | |
Resolution | We have raised a request with our hosting partner to remove access to, or delete, the readme file. |
Issue | A05 Security Misconfiguration – Missing Recommended Security Header |
Priority | Low |
EP Number | |
Resolution | Awaiting further clarification from Pen Testers. |
Issue | A05 Security Misconfiguration - Missing Subresource Integrity (SRI) for External Script |
Priority | Low |
EP Number | |
Resolution | We have updated our external front-end dependencies so that each script tag carries a generated integrity hash; this lets the browser verify that the fetched file matches the expected hash and refuse to execute it if it has been altered, whether in transit or on the third-party host. |
Issue | A05 Security Misconfiguration - Source Map Disclosure |
Priority | Low |
EP Number | |
Resolution | We have removed the .map files generated by our front-end build process. |
Issue | A05 Security Misconfiguration - Swagger API Structure Exposed |
Priority | Low |
EP Number | |
Resolution | Adjusted our api_docs endpoint so that it is only accessible when the application is running in test mode. |
Issue | Reopened - Using Components with Known Vulnerabilities - Out-of-Date Components Identified |
Priority | Medium |
EP Number | |
Resolution | On the previous pen test we had removed all use of jQuery 2.1.1 from the application; we have now also removed the jQuery 2.1.1 files themselves. |
Issue | Reopened - Security Misconfiguration – Potentially Dangerous File Type Upload Allowed. This issue has been partially resolved. The potentially harmful Python file extensions reported in this issue are no longer accepted by the uploader. However, other potentially dangerous file types such as PHP, EXE, and ZIP are still allowed. |
Priority | Medium |
EP Number | |
Resolution | Work is scheduled for next sprint. |