M
M
MOSIP Docs 1.2.0
Search…
⌃K

Security Test Report

Overview

This report contains all the security bugs that were identified in various MOSIP modules. This is a combination of both web application and API related security testing scenarios.

Timeline

This report is prepared based on the security testing performed on the 1.2.0 version of MOSIP.

Setup detail

For testing the modules we have used state of the art security testing tools such as Burpsuite Professional, owasp ZED attack proxy, wireguard and other Linux tools.

Web application details

In MOSIP we have three modules that have web-based UI interfaces. These modules are Preregistration, Administration and Partner-management-Portal. All three have been tested thoroughly.

API Details

All other modules in MOSIP do not have any web-based interface and these modules communicate with each other using APIs. The details of the APIs in MOSIP 1.2.0 are available here.

Summary of the findings by severity

Web Security Vulnerability Snapshot
Severity
Count
High
0
Medium
18
Low
8
Information
0
Total
26

Detailed Findings

Scenario 1

Current Status
Severity
Risk
Fixed
Medium
Low
Description
An attacker can steal a JWT cookie from the browser and try to extract any personal information that is available there. 1. Install cookie manager plugin in any browser 2. Login into the application and click cookie manager 3. Select JWT for current page 4. Copy the JWT and go to jwt.io website to decode the token 5. Check if any sensitive information is disclosed in the token's payload as this is mostly base64 encoded
Risk Assessment
For authentication and authorization in MOSIP we use JWT tokens. If any PII data is shared in the token, it would be considered a data breach.
Fix Recommendation
No PII data should be shared in the token.

Scenario 2

Current Status
Severity
Risk
Fixed
Medium
Low
Description
Attacker can steal JWT cookie from the browser and crack the JWT secret key 1. Get the JWT token using the cookie manager plugin 2. Run an automated tool to crack the JWT token and check if you can break the security key if the security key is weak
Risk Assessment
For authentication and authorization in MOSIP we use JWT tokens. If the token is broken, the secret key can be revealed as well as other important data can be exploited.
Fix Recommendation
A very strong and random secret key should be used and it should be changed at regular intervals.

Scenario 3

Current Status
Severity
Risk
Fixed
Low
Low
Description
Session was not getting invalidated after logout
Risk Assessment
If a session doesn't get invalidated after calling the logout API, then the risk of any attacker taking over the session becomes high.
Fix Recommendation
The session must be invalidated as soon as the user calls the logout API. After the token gets invalidated, all the access for the token should be removed.

Scenario 4

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Attacker can bypass authentication using SQL injection or LDAP injection. Sometimes due to insufficient data sanitation and testing, attackers can break in. This has a very high security risk.
Risk Assessment
If an attacker bypasses authentication, then a lot of other vulnerabilities can be exploited by the attacker.
Fix Recommendation
In our modules, we don’t use username and password externally, hence this is inapplicable.

Scenario 5

Current Status
Severity
Risk
Known issue, not a vulnerability
Medium
Medium
Description
An attacker can monitor the request and response and change the request parameters. If an attacker uses certain proxy tools, he/she will be able to monitor the requests and responses of certain users in the network.
Risk Assessment
It allows the PII data of an individual to be leaked. It can also lead to generation of faulty data and incomplete profiles.
Fix Recommendation
Most of the data should be sent in an encrypted manner.

Scenario 6

Current Status
Severity
Risk
Known issue, not a vulnerability
Medium
Low
Description
An attacker can overload the system by sending thousands of requests
Risk Assessment
A denial of service (DoS) attack can take place if an attacker uses a tool to send thousands of requests each minute, which may cause server to crash or be inefficient.
Fix Recommendation
There should be a limit on number of times an user can send a request, and there must be blacklisting method for disabling users who are sending too many requests.

Scenario 7

Current Status
Severity
Risk
Known issue, not a vulnerability
Low
Low
Description
An attacker can try a dictionary attack or a brute force method to get the userId and password.
Risk Assessment
With a sophisticated tool an attacker can try to brute force through the initial login page. If he is successful, He will be able to further attack all the available options that an admin has.
Fix Recommendation
The passwords have to be strong and authentication should not allow numerous attempts.

Scenario 8

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
An attacker can put XSS scripts that will be executed on victims browser
Risk Assessment
If an attacker gets through admin login, he will be able to use malicious scripts through the UI and can take over the server.
Fix Recommendation
All inputs by user’s should be considered as potentially dangerous and must pass through sanity. It should always be treated as text and not scripts. In mosip we use anti-xss configuration as well.

Scenario 9

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
An attacker can try to upload malicious files
Risk Assessment
Malicious file upload can be a considered one of the high risk attacks. An attacker can create a malicious file with script sin the file name or scripts hidden inside the meta data of the file and the server may execute it.
Fix Recommendation
In admin portal there are two types of uploads ".CSV" and ".csr". Both of these inputs are sanitized and are validated before being used by the code.

Scenario 10

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Attackers can try Null Byte upload or try to change the file extension.
Risk Assessment
If Null byte injected payloads get through and get executed, there is a good chance malicious files can be uploaded, may even lead to RCE.
Fix Recommendation
Sanitation of every input is done thoroughly, all the filenames and extensions are whitelisted and checked before being used.

Scenario 11

Current Status
Severity
Risk
Fixed
Low
Medium
Description
An attacker can try to attempt to upload oversized files to cause buffer overload.
Risk Assessment
If buffer overload attacks are tried and are successful it can lead to server crashing and can cause issues with the day to day operation of the project.
Fix Recommendation
In MOSIP,the size limit is set to 4 Megabytes, which is configurable and hence buffer overload threat is mitigated.

Scenario 12

Current Status
Severity
Risk
Known Issue
Low
Medium
Description
An attackers can try different methods to expose the used server name and version. It is otherwise known as banner grabbing.
Risk Assessment
Banner grabbing is not a direct vulnerability however it may lead attackers to try newly exposed vulnerability of software or framework that has not been patched yet.
Fix Recommendation
In MOSIP, configurations have been changed and updated so that these values are not accessible to external users. The patches are also updated regularly.

Scenario 13

Current Status
Severity
Risk
Known Issue
Medium
Medium
Description
Attackers can try path traversal/Directory Traversal attacks.
Risk Assessment
If path traversal is allowed the attacker will try to find any important files through adding ../../ to the url in the request.
Fix Recommendation
In MOSIP, path traversal is not allowed and all files are secured robustly. We use server configurations to sanitize the URLs.

Scenario 14

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Attackers can try CSRF attacks
Risk Assessment
A CSRF or a Cross Site Request Forgery is a very dangerous vulnerability. In a CSRF attack an attacker can send a malicious link to an authentic user and if the website is susceptible to CSRF attack then it will allow the attacker to steal the token of the user and access to the server.
Fix Recommendation
CSRF is blocked in MOSIP, using anti-CSRF configurations.

Scenario 15

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Attackers can try CORS attacks
Risk Assessment
CORS or Cross Origin Resource Sharing is equally dangerous. It allows external users to have access to resources that only intended user should have access to.
Fix Recommendation
CORS is also blocked in mosip using anti-CORS configurations.

Scenario 16

Current Status
Severity
Risk
Known Issue, not a vulnerability.
Low
Medium
Description
Attackers can try header manipulation attacks
Risk Assessment
In a Header manipulation attack an attacker changes the headers of the requests to see if it shows any values or errors in response. Without right validation these Headers can cause unwanted changes in DB and Server.
Fix Recommendation
In MOSIP, each request is whitelisted with only the one header it is required to have and manipulating header values will

Scenario 17

Current Status
Severity
Risk
Known Issue, not a vulnerability.
Low
Medium
Description
An attacker with access to admin UI can try to upload incorrect certificates.
Risk Assessment
The certificates are key to establishing the trust chain among various modules in MOSIP. If an incorrect certificate gets through and replaces a valid one, it may cause the module to stop working all together.
Fix Recommendation
In MOSIP, we require a specific format to upload certificates and before accepting any certificate we match the public key modulus of the certificates.

Scenario 18

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Attackers can try request smuggling attacks.
Risk Assessment
Request smuggling although uncommon is still a very dangerous vulnerability. In request smuggling we send multiple packets of data in quick succession to try and deceive the server and use the incorrect packet of data.
Fix Recommendation
In MOSIP,we do not allow any external header and all the input are sanitized before being used by the server.

Scenario 19

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Attackers can try XXE injection attacks
Risk Assessment
XXE injections are used by attackers to input payloads into the logic of an XML application.
Fix Recommendation
The inputs are robustly sanitized before use and also special characters are not allowed in every field,to minimize risk.

Scenario 20

Current Status
Severity
Risk
Known issue, not a vulerability
Low
Medium
Description
Attackers can try to spoof /change biometric data or confidential data
Risk Assessment
If an attacker is able to successfully spoof or change the data of a person, then he/she would be able to make unwanted changes in the database.
Fix Recommendation
In MOSIP, each piece of data goes through multiple layers if encryption/decryption and signature validation. Hence, any spoofed or changed data will be invalid.

Scenario 21

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
An attacker can try double host header attacks
Risk Assessment
The double host header or multiple header attack allows the attacker to send malicious data or website links in the headers of the request.
Fix Recommendation
In MOSIP, each header value is sanitized and validated before use.

Scenario 22

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Attackers can try to use other user’s PRID to get their PII data(IDOR)
Risk Assessment
This is an example of horizontal privilege escalation. An attacker with a regular user access tries to get the data of another user.
Fix Recommendation
In MOSIP, horizontal privilege escalation is not possible, each request is accompanied with an unique cookie which an attacker does not have.

Scenario 23

Current Status
Severity
Risk
Known issue, not a vulnerability.
Medium
Medium
Description
An attacker can try privilege escalation attacks.
Risk Assessment
In privilege escalation attacks an attacker already has user access and then tries to get admin access. They can try to add extra roles in tokens or use possible admin username and passwords.
Fix Recommendation
In MOSIP, all roles are provided and secured by KeyCloak and each token is validated before use, hence no privilege escalation attacks are probable.

Scenario 24

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Absence of x-content –type header
Risk Assessment
The HTTP 'X-Content-Type-Options' response header prevents the browser from MIME-sniffing a response away from the declared content-type.
Fix Recommendation
In MOSIP, X-content type header is added to configuration to mitigate the vulnerability.

Scenario 25

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Weak ciphers can be decrypted and used for data stealing
Risk Assessment
When the used cipher is weak ,it usually tends to fall short in front of brute-force attacks and that leads to data leakage.
Fix Recommendation
In MOSIP we have used hardened ciphers which are highly impossible to break even with sophisticated tools.

Scenario 26

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
Without a CSP(content security Policy) a program is never very secure
Risk Assessment
The primary benefit of CSP is preventing the exploitation of cross-site scripting vulnerabilities. When an application uses a strict policy, an attacker who finds an XSS bug will no longer be able to force the browser to execute malicious scripts on the page
Fix Recommendation
In MOSIP, we have CSP set in our ngnix configurations along with many other properties to harden our server configuration.

Scenario 27

Current Status
Severity
Risk
Fixed
Medium
Medium
Description
The pre-registration zip file might cause buffer overload
Risk Assessment
In the registration client, we have an option to import data from preregistered PRIds, which are multiple zip files. If the size and content of the zip files are not regulated, it may lead to buffer overload among other problems.
Fix Recommendation
To mitigate this we have configure a limit of, 1.size of zip file 2.maximum no of files allowed inside a zip 3.The maximum allowed ratio of files and their resultant zip files.