- Type: Task
- Status: To Do
- Priority: Medium
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: UI Refresh
- Labels: None
- Module: BenAdmin
- Reported by: Harbinger
- Issue Importance: Q2
- Severity: Simple
Vulnerability Assessment and Penetration Testing for Workterra Web Application
Environment: Azure US
Company: Beta Security Test
Modules: BenAdmin
Execution: Manual + Tools (ZAP, Tamper Data, SQLMap)
- Vulnerability Assessment and Security Testing of the WORKTERRA web application: selected static and dynamic pages
- Testing between SA, Partner, CA and Employee user roles against the Application Security Verification Standard:
  o Authentication
  o Session Management
  o Access Control
  o Malicious Input Handling
  o Error Handling and Logging
  o Data Protection
  o Communications Security
  o Malicious Controls
  o File and Resource
- Comparison to the OWASP Top 10 List
- Verification of last year's bug fixes
CC: Rakesh Roy, Samir, Vijayendra Shinde, Bharti Satpute, Shyam Sharma, Vijay Siddha
Relates to:
- NF-2334 All Company - Employee Login - URL parameters - Security - URL parameters in all the SSM pages, reports are displayed in plain text. (Closed)
- NF-2965 [Security]-[Authorization Failure]-[Azure] Employee can access all Admin pages over the URL and is able to update the customization/settings for those pages. (Closed)
- NF-3852 [Security] All Company - EE Login - Enroll Now - Request parameter values on the Enroll Now page can be altered and saved successfully. (In LB Testing)
- WT-9842 [Security]-[Authorization Failure] Employee & Company Admin can access the 'Dashboard Configuration' page over the URL. (In Development)
- WT-10522 [Security] [ZAP-Active Scan Alert] Cross Site Scripting attack reflected on Forgot Password Page. (Open)
- WT-10523 [Security] [ZAP-Active Scan Alert] Buffer Overflow error reported for image load request in Benadmin. (Rejected)
- WT-10524 [Security] [ZAP-Active Scan Alert] Format String Error reported for LanguageName parameter. (Rejected)
- WT-12172 [Security] [ZAP-Active Scan Alert] Remote OS Command Injection (Rejected)
- WT-12173 [Security] [ZAP-Active Scan Alert] Buffer Overflow issue (Rejected)
- WT-12633 [Security] ZAP Scan report issue: Application Error Disclosure (Closed)
- WT-12634 [Security] ZAP Scan reported issue: X-Content-Type-Options Header Missing (Rejected)
- WT-12635 [Security] ZAP Scan issue: Incomplete or No Cache-control and Pragma HTTP Header Set (Rejected)
- WT-12636 [Security] ZAP Scan issue: Password Autocomplete in Browser (Rejected)
- WT-12637 [Security] ZAP Scan issue: Cookie No HttpOnly Flag (In Development)
- WT-12639 [Security] ZAP Scan reported issue: Cross-Domain JavaScript Source File Inclusion (Open)