# Passwd internal audit 09-2022

- OWASP Top 10 2021 review
- Methods used:
  - Black-box testing (URL exploration via the app)
  - White-box testing (review of the code and internal structure)

### A01:2021 – Broken Access Control

- Checked all routes and their behaviour when called with an insufficient role
- Checked direct Firestore access using the web API keys, and the Firestore security rules setup
- Tested the admin routes with the testing keys

#### Unsecured admin routes - Low

- Description: Mocking the API user response with the field `isAdmin: true` makes the UI show all pages available to admins. Some of these pages are then accessible even though the account used does not have the admin role, i.e. the role check for them exists only in the client.
- Accessible pages:
  - `/security-audit`
  - `/secret-validations`
- Proposed solution:
  - Enforce the role check on the backend for these routes; do not allow non-admin users to use them
  - [Implement an ACL system based on the "deny-by-default" principle](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html#deny-by-default)

### A02:2021 – Cryptographic Failures

- Checked the encryption algorithm in use and the secure storage of keys
- Checked the transmission of passwords over HTTPS
- No vulnerability found

### A03:2021 – Injection

- Checked all POST routes and the filters that can be used in the app
- Tried some

#### Missing validation for input fields - Medium

- Description:
  - A user can store an invalid URL in the `web` attribute of a secret. The value is used in an `href` attribute, so a `javascript:` URL there can lead to an XSS attack in the future.
- Route: `POST /api/v2/secrets`
- Example input:

  ```json
  {
    "name": "injetion",
    "username": "javascript:alert(8007)",
    "password": "javascript:alert(8007)",
    "web": "javascript:alert(8007)",
    "note": "",
    "tags": [],
    "groups": [],
    "whitelistUsers": []
  }
  ```

- Vulnerability: XSS
- Proposed solution: Add proper validation of input fields on the backend side; for `web`, accept only absolute `http:`/`https:` URLs, and keep output encoding in the client as defence in depth

### A04:2021 – Insecure Design

- Checked the API code and endpoints for vulnerabilities similar to the [CWEs listed for this category](https://owasp.org/Top10/A04_2021-Insecure_Design/)
- Checked the RESTful design and the possible filters on endpoints

#### Unlimited number of shown records - Medium

- Description:
  - The current implementation has no pagination over data.
  - All secrets are returned in one request without any limit.
  - Search and filtering are performed on the client side.
  - An attacker can repeatedly create new secrets until the frontend or the backend collapses under the amount of data.
- Vulnerability: Resource consumption
- Proposed solution:
  - Use a limit / pagination on all routes where a large amount of data can be expected
  - Avoid heavy operations on the FE (search, filtering of tags)
  - Rate limit POST operations per user

#### Missing file size limitation for uploads - Low

- Description:
  - The current implementation allows every user to upload a file of any size to an endpoint
  - Vulnerable routes:
    - `POST /secrets-validation`
    - `PATCH /secrets`
  - [CWE-434](https://cwe.mitre.org/data/definitions/434.html)
- Vulnerability: Resource consumption
- Proposed solution: Check the file size limit on both the client and the backend side (reject on the declared `Content-Length` and again while reading the body, since the header can be omitted or understated)

#### Email in a query string - Low

- Description:
  - The email address ends up in logs because it is passed in the URL query string
  - `GET /contracts?q=example@example.org`
- Vulnerability: The email can be leaked (it appears in access logs and browser history)
- Proposed solution: Encrypt the email or send it in the request body instead of the query string, and make sure it is excluded from logs

### A05:2021 – Security Misconfiguration

- Checked all possible configurations and their values on the internal production app
- Checked development and testing keys on the production endpoints
- Found a possible vulnerability in the sandbox setting: in one place it allows destructive endpoints even on production if set to `true`
- Possible solution:
  - Do not allow the sandbox configuration on production (the app should refuse to start with both set)
  - Create a sandbox app outside of the original repository (e.g. a fork)

### A06:2021 – Vulnerable and Outdated Components

- Tested with a direct check of the API codebase

#### Missing Node 16 security release - Medium

- Description: [List of Node security releases](https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/)
- Proposed solution: Upgrade Node to the 16.17.1 LTS version

#### Vulnerability in the jose package - Low

- A new issue; it will be caught by the pipeline check with the next release
- Description: [Vulnerability reference](https://github.com/advisories/GHSA-jv3g-j58f-9mq9)
- Proposed solution: `npm audit fix`
- npm audit output:

  ```
  jose >=2.0 <=2.0.5
  Severity: Moderate
  JOSE vulnerable to resource exhaustion via specifically crafted JWE - https://github.com/advisories/GHSA-jv3g-j58f-9mq9
  ```

- https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/

#### Outdated dependencies faker and desmond - Very low

- Description: `faker` and `desmond` are not maintained anymore (no security patches)
- Vulnerability: The packages can contain security vulnerabilities that won't be fixed in the future
- Proposed solution: If possible, replace these packages (e.g. [@faker-js/faker](https://www.npmjs.com/package/@faker-js/faker))

#### Unnecessary dependencies on production - Very low

- Description:
  - Some dependencies are installed on production even though they are included in the project only for development purposes:
    - `lint-staged`
    - `jshint`
    - `npm-check-updates`
- Vulnerability: Unneeded packages on production enlarge the attack surface and can contain security vulnerabilities that won't be fixed in the future
- Proposed solution: Move these packages to `devDependencies` so they are not installed on production, or replace them if possible

#### Unused dependencies - Very low

- Description:
  - The API declares production dependencies that are not used anywhere:
    - `axios`
    - `unicore`
    - `protobufjs`
    - `date-fns-tz`
    - `firebase-admin` (see transitive dependencies)
  - There are also unused development dependencies:
    - `tslint`
    - `tslint-config-ackee`
- Vulnerability: Unused dependencies add vulnerabilities without adding functionality
- Proposed solution: Remove these dependencies

#### Transitive dependencies - Very low

- Description: The API directly uses 2 packages that are only declared transitively (they arrive through another dependency):
  - `google-auth-library`
  - `@google-cloud/firestore`
- Vulnerability: A new version of the direct dependency can drop a transitive dependency or pull in a newer, breaking version of it
- Proposed solution: Declare these transitive dependencies as direct dependencies

### A07:2021 – Identification and Authentication Failures

- Authentication is based on Google OAuth and the Google Workspace settings
- Security rules are based on the Workspace settings (e.g. enforcing 2FA)
- No issues with the usage of the Google API were found

### A08:2021 – Software and Data Integrity Failures

- Checked third-party libraries and their usage

#### CORS settings on the production app - Low

- Description: CORS is enabled for all origins on the API even though only a few origins should be accepted
- Proposed solution: Enable CORS only for the client app's origin, so that only it can access the API from a browser

### A09:2021 – Security Logging and Monitoring Failures

- Checked the logs in GCP and the HTTP responses

#### Leaked stack trace - Medium

- Description:
  - Production API errors contain the stack trace.
  - Example request: `GET /api/v2/contacts?query=test%40example.org`
  - Returned value:

    ```json
    {
      "error": {
        "name": "Unauthorized",
        "status": 401,
        "path": "/api/v2/contacts",
        "errors": [
          {
            "path": "/api/v2/contacts",
            "message": "Authorization header required"
          }
        ],
        "message": "Authorization header required",
        "stack": "Unauthorized: Authorization header required\n at Function.create (/usr/src/app/node_modules/express-openapi-validator/dist/framework/types.js:45:24)\n at /usr/src/app/node_modules/express-openapi-validator/dist/middlewares/openapi.security.js:78:43\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)"
      }
    }
    ```

- Vulnerability: The responses expose the code structure (container paths, the middleware stack and its file layout, Node internals). An attacker can use the error responses to learn about the system and its vulnerabilities
- Proposed solution: Remove the stack trace from error responses on live environments and log it server-side instead

### A10:2021 – Server-Side Request Forgery (SSRF)

- Checked the libraries in use and their usage
- No issue was found