-
Type:
Bug
-
Status: Open
-
Priority:
Medium
-
Resolution: Unresolved
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
-
Environment:Production
-
Bug Type:Functional
-
Bug Severity:Medium
-
Module:Platform - Security
-
Reported by:Harbinger
-
Company:All Clients/Multiple Clients
-
Item State:Development - On Hold
Scenario Traversed:
- Login with partner credentials.
- Select security testing company 'Beta testing 1'
- Navigate to Search employee and select any test employee.
- Navigate to Change employee password.
- Change the password of selected employee.
- Logout from the application.
Attached is the penetration test report of spidering above mentioned workflow from OWASP ZAP.
We have observed that the alerts under 'Low' category need to be addressed.
Satya Can you please assign this ticket to concerned developer.
| Field | Original Value | New Value |
|---|---|---|
| Assignee | Satya [ ID10004 ] | Santosh Balid [ santosh.balid ] |
As discussed with Jaideep Vinchurkar, we will start working on this after development approval.
Regards,
Santosh
| Attachment | EnrollNowWithPartnerLogin.html [ 67884 ] |
| Attachment | StaticReport_Spider.html [ 67885 ] |
| Remaining Estimate | 0h [ 0 ] | |
| Time Spent | 1h [ 3600 ] | |
| Worklog Id | 92510 [ 92510 ] |
| Item State | Parent values: Development(10200)Level 1 values: In Analysis(10204) | |
| Original Estimate | 0h [ 0 ] |
| Time Spent | 1h [ 3600 ] | 3h [ 10800 ] |
| Worklog Id | 92761 [ 92761 ] |
Hi anirudha joshi,
The mentioned 'Beta testing 1' company is not available on production. I executed the mentioned steps on stage environment on 'Security Testing' Company, but the error you mentioned not reproducible.
Also I checked the attached zap scanned report... and if ZAP tool is assuming that the below URL is vulnerable as it is exposing the actual file path to user.
https://workterra.net/Platform/bundles/CommonJS?v=vI2J04AyFO0hS9wMzG4Iz0imWNN02ek41TBcSQ2vD1c1
Then , it is not correct , as the above path is not of the file path, it is virtual path with bundle information only.
I will investigate more on this and will share my findings .
Regards,
Santosh
| Attachment | InternalErrorScreen.jpg [ 68778 ] |
Hi anirudha joshi,
As discussed I am using 'Beta Company 1' for analysis of these issues.
Putting here the analysis for the issues in attached ZAP reports.
SearchEmp_Spider.html
1)Application Error Disclosure : I am not able to reproduce this 'Yellow Screen of Death' behavior . I observed that tool is giving suggestion based on the client side java script code scan. It is the default behavior of any browser technology that you can view source code in browser.
If you think you can do any malicious thing out of it, please let me know. But this doesn't seems to be vulnerable, and not reproducible manually as well.
See attached screen, which will useful to understand, based on what , ZAP tool has given this suggestion.
2)Password Autocomplete in Browser : This is also not reproducible, So could you please try this at your end and let me know in case if it is reproducible to you.
3)Cookie No HttpOnly Flag : Yes, we need to take care of this. While development we need to handle this such way that, we should pass a cookie value from server side code to function in java script code , so that after making 'IdForLoginValidation' cookie as HTTPOnly, there will not be an issue while reading this cookie value in java script, as currently we are accessing this cookie inside WORKTERRALogin.js to check user session.
I will share the analysis on remaining points as soon as I did analysis on that.
Regards,
Santosh
| Time Spent | 3h [ 10800 ] | 10h [ 36000 ] |
| Worklog Id | 93458 [ 93458 ] |
| Time Spent | 10h [ 36000 ] | 14h [ 50400 ] |
| Worklog Id | 93992 [ 93992 ] |
Hi anirudha joshi,
Please find below analysis for : 4) X-Content-Type-Options Header Missing :
We have set <add name="X-Content-Type-Options" value="nosniff" /> in root level config file, so it will be applicable to all request by default. So browser Mime Type Sniffing feature could not cause vulnerabilities with file download.
Also We additionally check real mime type of file based on file signature, so in case if anyone tries to upload tampered files , those will not going to upload on server.
Could you please check at your end where you can upload tampered files on server. If you can do it with any of the file upload controls within application , please let us know.
Also let us know if you found any such malicious file which is already present on server, and you can download it and it can cause vulnerabilities.
Regards,
Santosh
| Time Spent | 14h [ 50400 ] | 18h [ 64800 ] |
| Worklog Id | 94332 [ 94332 ] |
| Item State | Parent values: Development(10200)Level 1 values: In Analysis(10204) | Parent values: Development(10200)Level 1 values: On Hold(10207) |
Please plan it in future sprints.
| Assignee | Santosh Balid [ santosh.balid ] | Gaurav Sodani [ gaurav.sodani ] |
| Link | This issue relates to DEV-13718 [ DEV-13718 ] |
Cc: Samir Jaideep Vinchurkar