Pen Test 2023 Results
- Lisa Clancy
Whilst more were logged during the test, these were directly related to the test being performed on our development site. We have excluded these from this listing: -
Security Misconfiguration – Stack Trace Observed - We can confirm that stack traces are disabled on all live/production environments. This is purely present as it is our dev environment.
Security Misconfiguration - Laravel Debugging Enabled -this is purely related to the fact that it is a development environment and is already disabled on the Production environment.
Security Misconfiguration - Stack Trace Available to Anonymous Users - To confirm this is only enabled on the development environment and is disabled on our production environments
Issue | A04:2021 – Insecure Design - Delete EPA/EPA Manager Request Susceptible to CSRF |
Priority | Low |
EP Number | |
Resolution | We have updated the EPA/EPAM user listing screens to use the new condensed menu that is being rolled out across epaPRO. |
Issue | A06:2021 Vulnerable and Outdated Components |
Priority | Low |
EP Number | |
Resolution | Latest version of PHP was updated within the usual release cycle to the latest version, this was already scheduled to take place after the test was carried out. |
Issue | A07:2021 – Identification and Authentication Failures - Account Enumeration Possible Via Login Page |
Priority | Low |
EP Number | |
Resolution: | The test noted that there was a difference in styling on the error messages (bold vs. normal text). These instances now return the same, consistently styled error message to the user. |
Issue | Security Misconfiguration - Missing Sub resource Integrity For External Scripts |
Priority | Raised For Reference only |
EP Number | N/A |
Resolution: | Declined - we cannot add an SRI check here to validate the content, as Google necessitate implicit trust of their content. |
Issue | A02 - Cryptographic Failures – Weak Ciphers Within TLSv1.2 Supported |
Priority | Low |
EP Number | |
Resolution: | TBC |