- Type: Task
- Status: To Do
- Priority: Medium
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: UI Refresh
- Labels: None
- Module: BenAdmin
- Reported by: Harbinger
- Issue Importance: Q2
- Severity: Simple
Vulnerability Assessment and Penetration Testing for Workterra Web Application
Environment: Azure US
Company: Beta Security Test
Modules: BenAdmin
Execution: Manual + Tools (ZAP, Tamper Data, SQLMap)
- Vulnerability Assessment and Security Testing of WORKTERRA web application: selected static and dynamic pages
- Testing between SA, Partner, CA, Employee user roles - Application Security Verification Standard:
  o Authentication
  o Session Management
  o Access Control
  o Malicious Input Handling
  o Error Handling and Logging
  o Data Protection
  o Communications Security
  o Malicious Controls
  o File and Resource
- Comparison to OWASP Top 10 List
- Verification of Last Year's bug fixes
CC: Rakesh Roy, Samir, Vijayendra Shinde, Bharti Satpute, Shyam Sharma, Vijay Siddha
- relates to:
  - NF-2334 All Company - Employee Login - URL parameters - Security - URL parameters in all the SSM pages, reports are displayed in plain text. (Closed)
  - NF-2965 [Security]-[Authorization Failure]-[Azure] Employee can access all Admin pages over the URL and able to update the customization/settings for those pages. (Closed)
  - NF-3852 [Security] All Company - EE Login - Enroll Now - Request parameters values on Enroll Now page get altered and can be saved successfully. (In LB Testing)
  - WT-9842 [Security]-[Authorization Failure] Employee & Company Admin can access the 'Dashboard Configuration' page over the URL. (In Development)
  - WT-10522 [Security] [ZAP-Active Scan Alert] Cross Site Scripting attack reflected on Forgot Password Page. (Open)
  - WT-10523 [Security] [ZAP-Active Scan Alert] Buffer Overflow error reported for images load request in Benadmin. (Rejected)
  - WT-10524 [Security] [ZAP-Active Scan Alert] Format String Error reported for LanguageName parameter. (Rejected)
  - WT-12172 [Security] [ZAP-Active Scan Alert] Remote OS Command Injection (Rejected)
  - WT-12173 [Security] [ZAP-Active Scan Alert] Buffer Over Flow issue (Rejected)
  - WT-12633 [Security] ZAP Scan report Issue: Application Error Disclosure (Closed)
  - WT-12634 [Security] ZAP Scan reported Issue: X-Content-Type-Options Header Missing (Rejected)
  - WT-12635 [Security] ZAP Scan Issue: Incomplete or No Cache-control and Pragma HTTP Header Set (Rejected)
  - WT-12636 [Security] ZAP Scan Issues: Password Autocomplete in Browser (Rejected)
  - WT-12637 [Security] ZAP Scan Issue: Cookie No HttpOnly Flag (In Development)
  - WT-12639 [Security] ZAP Scan reported issue: Cross-Domain JavaScript Source File Inclusion (Open)
- Time Spent: 6h
  Company Setup, Sanity Testing on Company Admin Flow, Employee Flow
  Admin flow record for ZAP active Scan
- Time Spent: 2.5h
  Login Page, Forgot Password Page testing
- Time Spent: 4h
  Testing on Azure for Employee Pages & Authorization failures
- Time Spent: 4h
  Tried Interception on Change Password, Welcome Page, Demographics page
- Time Spent: 4h
  Worked on Enroll Now page interceptions for cost and coverage.
- Time Spent: 3h
  Test Plan for Stage/Production Security Testing - Employee Pages: Login Page, Static Pages
- Time Spent: 3h
  Stage Environment - Testing for Employee SSM: Upload document Page, Employee Beneficiary Page, Enroll Now Pages
- Time Spent: 3h
  Testing on Stage for Forgot Password Page and Static pages
- Time Spent: 1.75h
  Testing for Onboard Tour Page URLs
- Time Spent: 2h
  Test Plan, Authentication Test
- Time Spent: 1.5h
  Internal Discussion with Rakesh
  Test Plan Update
  Discussion with Anirudha J for Task understanding
  Internal discussion for Access Rights on company
- Time Spent: 5h
  Security team discussion. Knowledge sharing
  Tested below points on production with different user logins: Error Handling & Logging, Access Control
- Time Spent: 8h
  Tested below points on production with different user logins: Error Handling & Logging, Access Control
- Time Spent: 2.25h
  Discussion with Anirudha
  Malicious input handling test
- Time Spent: 2h
  Security Test: Access Control, Input Validations
- Time Spent: 8h
  Security team discussion. Knowledge sharing
  Tested below points on production with different user logins: Communication
- Time Spent: 8h
  Security team discussion. Knowledge sharing
  Tested below points on production with different user logins: HTTP
- Time Spent: 8h
  Security team discussion. Knowledge sharing
  Tested below points on production with different user logins: Business Logic
- Time Spent: 3h
  Employee Flow Verification through ZAP
- Time Spent: 3.75h
  Internal Discussion with Anirudha for ZAP flow verification
  Security Test Execution
- Time Spent: 4h
  Fuzzing, Spider & Active Scan
- Time Spent: 3h
  Security test Scan
  Issues & Reports
  Internal Discussion
- Time Spent: 1h
  Discussion with Santosh for ZAP issues
- Time Spent: 1h
  Internal Discussions with Santosh and Anirudha
- Time Spent: 1h
  Test Plan for Security - Azure
- Time Spent: 1h
  Internal Discussion with Santosh, Samir
  Internal Discussion with Anirudha
  Project Plan Updates
- Time Spent: 8h
  Tested 'Login Page', 'Change Password', 'Localization Pages' pages for below security test checkpoints on pre-production environment: Access Control, Malicious Input Handling, Session Management, Authentication.
  Reported defect related to login page vulnerability in JIRA ID NF-5482: [Security] Login page: Server Error with stack trace displayed on login page.
- Time Spent: 8h
  Tested 'Partner Dashboard', 'Configure Dashboard' pages for below security test checkpoints on pre-production environment: Access Control, Malicious Input Handling, Session Management, Authentication.
- Time Spent: 8h
  Tested 'User Access Policies' pages for below security test checkpoints on pre-production environment: Access Control, Malicious Input Handling, Session Management, Authentication.
- Time Spent: 8h
  Tested 'Add Company', 'Search company' pages for below security test checkpoints on pre-production environment: Access Control, Malicious Input Handling, Session Management, Authentication.
- Time Spent: 8h
  Tested 'Change Employee Password', 'Change Employee Status', 'User Credentials Settings' pages for below security test checkpoints on pre-production environment: Access Control, Malicious Input Handling, Session Management, Authentication.
- Time Spent: 3h
  Security Test
  Internal Discussions
  ZAP Scan
- Time Spent: 5h
  1. Discussion regarding the security testing for the mobile Application
  2. Review the mobile security testing points shared by Prasad
- Time Spent: 3h
  Review the mobile security testing points shared by Prasad
- Time Spent: 4h
  Web App Security Test
- Time Spent: 5h
  1. Discussion with the mobile team regarding the APK installation
  2. Started Security testing on the Android mobile
- Time Spent: 5h
  1. Self Serve Mode Security Testing
- Time Spent: 2.5h
  Mobile Security Testing for Android and iOS
- Time Spent: 8h
  Debugging the issues encountered during Mobile Security testing.
- Time Spent: 8h
  Debugging the issues encountered during Mobile Security Testing
- Time Spent: 6.5h
  Mobile Security testing on Android device.
- Time Spent: 8h
  Mobile Security Testing on Mobile Device.
- Time Spent: 4h
  Mobile Security Testing on Android device.
- Time Spent: 2h
  iOS Security Test
  Build verification and Discussion with Rohan
- Time Spent: 2.5h
  Internal Discussion and Security test for iPad
- Time Spent: 4h
  Security Test for remaining part of iOS app
  Internal Discussion with Shailesh and Mobile Team QA
- Time Spent: 8h
  Mobile Security Testing on Android Device
- Time Spent: 3h
  Test Status meeting with Samir, Vijayendra and Santosh
  Discussion with Vijayendra and Pratap
  ZAP run and Analysis for findings to be shared on Reports
- Time Spent: 7.5h
  Mobile Security testing on Android device
- Time Spent: 4h
  Web Remediation Plan Verification for Benchmarking of Security on Preprod environment
- Time Spent: 8h
  Security Testing on Android Device.
- Time Spent: 5h
  Remediation Sheet test scenarios Verification
  Internal Discussions
- Time Spent: 8h
  1. Manual Execution of Security Testing Scenarios on Mobile application, Android device
  2. Preparing the Security testing report for Manual execution
- Time Spent: 8h
  1. ZAP Scenario Record and scheduling active scan
  2. Created two employees on the PreProd environment to record the scenario
- Time Spent: 2h
  Mobile Team - ZAP Scenario record, Active Scan
- Time Spent: 8h
  1. ZAP Scenario Record and scheduling active scan
  2. Created two employees on the PreProd environment to record the scenario
- Time Spent: 8h
  Analysis of security test execution report
  Understanding of ZAP tool.
- Time Spent: 1.5h
  ZAP Report for iOS
  Discussion and Verification with Shailesh
- Time Spent: 8h
  1. Exploring the ZAP tool for Web Security testing
- Time Spent: 8h
  1. Exploring the ZAP tool for Web Security testing
- Time Spent: 4h
  Security PPTs and Reports documentation
  OLD Issue closure
- Time Spent: 2h
  Security PPTs updates for Presentation
  Test Report Document
  PenTest Tools Read