Pen Test 2024 Results
We are independently penetration tested annually. Testing is performed against our internal development site, which ensures that no real live data is affected.
Issue Summary
The table below summarises the web application findings by OWASP Top 10 category; each issue's priority (severity) and resolution follow it.
OWASP Top 10 Issue Category Summary
Category | Total |
---|---|
A1: Broken Access Control | 1 |
A2: Cryptographic Failures | 1 |
A3: Injection | 0 |
A4: Insecure Design | 2 |
A5: Security Misconfiguration | 0 |
A6: Vulnerable and Outdated Components | 1 |
A7: Identification and Authentication Failures | 0 |
A8: Software and Data Integrity Failures | 0 |
A9: Security Logging and Monitoring Failures | 0 |
A10: Server-Side Request Forgery | 0 |
Issue | A01: Broken Access Control – Support Material Links Enumerable & Accessible by All Authenticated User Types |
---|---|
Priority | Low |
EP Number | |
Resolution | Once this is released, access control around support material file uploads and contracts will be tightened. Links to support material uploads will re-check the support material configuration to ensure the user has access before returning the file for download. Contract terms file downloads will be checked in the same way before the file is returned. |
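The resolution above describes re-checking entitlement on every download rather than trusting that a link reached the user legitimately. The following is an added Laravel example, not epaPRO's code, of that pattern: a route-level `auth` middleware only proves the caller is logged in, so the controller asks a policy whether this user may see this record before any file bytes are returned. The model, column and disk names (`SupportMaterial`, `path`, `original_name`, `allowed_user_types`, `user_type`, the `private` disk) are assumptions.

```php
<?php
// Added example, not epaPRO's code: an authenticated download route that
// re-checks the caller's entitlement per record before returning the file.
// Model, column and disk names are hypothetical.

namespace App\Http\Controllers;

use App\Models\SupportMaterial;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Storage;

class SupportMaterialController extends Controller
{
    // BEFORE (the pattern behind the finding): the route sits behind the `auth`
    // middleware only, so any logged-in user who changes the id in the link
    // receives the file. Authentication is not object-level access control.
    public function downloadInsecure(int $id)
    {
        $material = SupportMaterial::findOrFail($id);

        return Storage::disk('private')->download($material->path, $material->original_name);
    }

    // AFTER: the policy decides for this user and this record before any bytes
    // are read. Gate::authorize() throws an AuthorizationException (HTTP 403)
    // when the policy returns false. Route model binding already gives a 404
    // for an unknown id. The stored path comes from the record, never from the
    // request, so the caller cannot steer it elsewhere on disk.
    public function download(Request $request, SupportMaterial $material)
    {
        Gate::authorize('view', $material);

        return Storage::disk('private')->download($material->path, $material->original_name);
    }
}

// Laravel auto-discovers App\Policies\SupportMaterialPolicy for App\Models\SupportMaterial.
namespace App\Policies;

use App\Models\SupportMaterial;
use App\Models\User;

class SupportMaterialPolicy
{
    public function view(User $user, SupportMaterial $material): bool
    {
        // Hypothetical entitlement rule: the material's configuration lists the
        // user types permitted to download it. Because this runs on every
        // request, a link copied earlier stops working as soon as the
        // configuration changes; there is no cached "already allowed" state.
        $allowed = $material->allowed_user_types ?? [];

        return in_array($user->user_type, $allowed, true);
    }
}

// routes/web.php (assumed):
// Route::middleware('auth')
//     ->get('/support-material/{material}', [App\Http\Controllers\SupportMaterialController::class, 'download']);
```

The same shape applies to the contract terms downloads mentioned in the resolution: bind the contract, authorize against a `ContractPolicy`, then stream. Whether a refused request returns 403 or 404 is a product choice; the control that matters is that the decision is made per record, per request, server-side.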
Issue | A04: Insecure Design – Any User Can Disable Other Users' MFA |
---|---|
Priority | High |
EP Number | |
Resolution | We are in the process of fixing this security issue, raised in our recent pen test, around setting up and deactivating MFA. The fix is currently being tested. |
Issue | A04: Insecure Design – Any User Can Add MFA to Another User's Account |
---|---|
Priority | High |
EP Number | |
Resolution | We are in the process of fixing this security issue, raised in our recent pen test, around setting up and deactivating MFA. The fix is currently being tested. |
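Both A04 findings share one root cause: the MFA endpoints act on whichever account the request names. The following is an added Laravel example, not epaPRO's code, covering both the "disable another user's MFA" and "add MFA to another user's account" cases: enrolment, confirmation and removal always operate on `$request->user()`, the secret is unusable until the caller proves possession of it, and removal requires fresh re-authentication. The column names (`mfa_secret`, `mfa_confirmed_at`) are assumptions, and code verification is delegated to the `pragmarx/google2fa` package, which is also an assumption about the stack.

```php
<?php
// Added example, not epaPRO's code. Shows why MFA enrolment and removal must
// act on the authenticated caller rather than on a user id from the request.
// Column names are hypothetical; TOTP handling uses pragmarx/google2fa.
// Store mfa_secret with the 'encrypted' Eloquent cast so it is not plaintext at rest.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use PragmaRX\Google2FA\Google2FA;

class MfaController extends Controller
{
    // BEFORE (the pattern behind both findings): the target account comes from
    // the request body, so any authenticated user can strip MFA from, or enrol
    // a secret they control on, any other account.
    public function disableInsecure(Request $request)
    {
        $target = User::findOrFail($request->input('user_id'));
        $target->forceFill(['mfa_secret' => null, 'mfa_confirmed_at' => null])->save();

        return response()->noContent();
    }

    // AFTER, step 1: generate a secret for the caller only. It is stored
    // unconfirmed, so it is not yet an active factor for login.
    public function enable(Request $request, Google2FA $google2fa)
    {
        $user = $request->user();
        $user->forceFill([
            'mfa_secret'       => $google2fa->generateSecretKey(),
            'mfa_confirmed_at' => null,
        ])->save();

        return response()->json([
            'otpauth' => $google2fa->getQRCodeUrl(config('app.name'), $user->email, $user->mfa_secret),
        ]);
    }

    // AFTER, step 2: the caller proves possession with a current code; only
    // then is MFA marked active. A pending secret cannot be confirmed by anyone else.
    public function confirm(Request $request, Google2FA $google2fa)
    {
        $user = $request->user();
        $request->validate(['code' => ['required', 'digits:6']]);

        if ($user->mfa_secret === null || $user->mfa_confirmed_at !== null
            || ! $google2fa->verifyKey($user->mfa_secret, $request->input('code'))) {
            return response()->json(['message' => 'Invalid code.'], 422);
        }

        $user->forceFill(['mfa_confirmed_at' => now()])->save();

        return response()->noContent();
    }

    // AFTER, step 3: removal is self-service only and requires the caller's
    // current password plus a current code, so a hijacked session cannot
    // silently remove the factor. No user id is accepted from the request.
    public function disable(Request $request, Google2FA $google2fa)
    {
        $user = $request->user();
        $request->validate([
            'password' => ['required', 'current_password'],
            'code'     => ['required', 'digits:6'],
        ]);

        if ($user->mfa_secret === null
            || ! $google2fa->verifyKey($user->mfa_secret, $request->input('code'))) {
            return response()->json(['message' => 'Invalid code.'], 422);
        }

        $user->forceFill(['mfa_secret' => null, 'mfa_confirmed_at' => null])->save();

        return response()->noContent();
    }
}

// routes/web.php (assumed): all three routes behind the `auth` middleware,
// e.g. Route::middleware('auth')->post('/mfa/disable', [MfaController::class, 'disable']);
```

If support staff need to reset MFA for a locked-out user, give that its own route gated by a policy (for example `Gate::authorize('resetMfa', $target)`) and write an audit record of who reset whom; keep it separate from the self-service endpoints so the self-service code never has a reason to accept a user id.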
Issue | A06: Vulnerable and Outdated Components – Laravel Version is No Longer Supported |
---|---|
Priority | Low |
EP Number | |
Resolution | We had already planned this upgrade into our sprint prior to the pen test, and it is currently being checked internally. It requires an upgrade of the main Laravel framework used to build epaPRO. The upgrade will affect all of epaPRO but should not change any functionality. |
Issue | A02: Cryptographic Failures – Weak Ciphers Within TLSv1.2 Supported |
---|---|
Priority | Low |
EP Number | |
Resolution | TBC |