Security Test Report

Overview

This report contains all the security bugs that were identified in various MOSIP modules. This is a combination of both web application and API related security testing scenarios.

Timeline

This report is prepared based on the security testing performed on the 1.2.0 version of MOSIP.

Setup detail

For testing the modules we have used state of the art security testing tools such as Burpsuite Professional, owasp ZED attack proxy, wireguard and other Linux tools.

Web application details

In MOSIP we have three modules that have web-based UI interfaces. These modules are Preregistration, Administration and Partner-management-Portal. All three have been tested thoroughly.

API Details

All other modules in MOSIP do not have any web-based interface and these modules communicate with each other using APIs. The details of the APIs in MOSIP 1.2.0 are available here.

Summary of the findings by severity

Web Security Vulnerability Snapshot

SeverityCount

High

0

Medium

18

Low

8

Information

0

Total

26

Detailed Findings

Scenario 1

Current StatusSeverityRisk

Fixed

Medium

Low

Description

An attacker can steal a JWT cookie from the browser and try to extract any personal information that is available there. 1. Install cookie manager plugin in any browser 2. Login into the application and click cookie manager 3. Select JWT for current page 4. Copy the JWT and go to jwt.io website to decode the token 5. Check if any sensitive information is disclosed in the token's payload as this is mostly base64 encoded

Risk Assessment

For authentication and authorization in MOSIP we use JWT tokens. If any PII data is shared in the token, it would be considered a data breach.

Fix Recommendation

No PII data should be shared in the token.

Scenario 2

Current StatusSeverityRisk

Fixed

Medium

Low

Description

Attacker can steal JWT cookie from the browser and crack the JWT secret key 1. Get the JWT token using the cookie manager plugin 2. Run an automated tool to crack the JWT token and check if you can break the security key if the security key is weak

Risk Assessment

For authentication and authorization in MOSIP we use JWT tokens. If the token is broken, the secret key can be revealed as well as other important data can be exploited.

Fix Recommendation

A very strong and random secret key should be used and it should be changed at regular intervals.

Scenario 3

Current StatusSeverityRisk

Fixed

Low

Low

DescriptionSession was not getting invalidated after logout

Risk Assessment

If a session doesn't get invalidated after calling the logout API, then the risk of any attacker taking over the session becomes high.

Fix Recommendation

The session must be invalidated as soon as the user calls the logout API. After the token gets invalidated, all the access for the token should be removed.

Scenario 4

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAttacker can bypass authentication using SQL injection or LDAP injection. Sometimes due to insufficient data sanitation and testing, attackers can break in. This has a very high security risk.

Risk Assessment

If an attacker bypasses authentication, then a lot of other vulnerabilities can be exploited by the attacker.

Fix Recommendation

In our modules, we don’t use username and password externally, hence this is inapplicable.

Scenario 5

Current StatusSeverityRisk

Known issue, not a vulnerability

Medium

Medium

DescriptionAn attacker can monitor the request and response and change the request parameters. If an attacker uses certain proxy tools, he/she will be able to monitor the requests and responses of certain users in the network.

Risk Assessment

It allows the PII data of an individual to be leaked. It can also lead to generation of faulty data and incomplete profiles.

Fix Recommendation

Most of the data should be sent in an encrypted manner.

Scenario 6

Current StatusSeverityRisk

Known issue, not a vulnerability

Medium

Low

DescriptionAn attacker can overload the system by sending thousands of requests

Risk Assessment

A denial of service (DoS) attack can take place if an attacker uses a tool to send thousands of requests each minute, which may cause server to crash or be inefficient.

Fix Recommendation

There should be a limit on number of times an user can send a request, and there must be blacklisting method for disabling users who are sending too many requests.

Scenario 7

Current StatusSeverityRisk

Known issue, not a vulnerability

Low

Low

DescriptionAn attacker can try a dictionary attack or a brute force method to get the userId and password.

Risk Assessment

With a sophisticated tool an attacker can try to brute force through the initial login page. If he is successful, He will be able to further attack all the available options that an admin has.

Fix Recommendation

The passwords have to be strong and authentication should not allow numerous attempts.

Scenario 8

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAn attacker can put XSS scripts that will be executed on victims browser

Risk Assessment

If an attacker gets through admin login, he will be able to use malicious scripts through the UI and can take over the server.

Fix Recommendation

All inputs by user’s should be considered as potentially dangerous and must pass through sanity. It should always be treated as text and not scripts. In mosip we use anti-xss configuration as well.

Scenario 9

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAn attacker can try to upload malicious files

Risk Assessment

Malicious file upload can be a considered one of the high risk attacks. An attacker can create a malicious file with script sin the file name or scripts hidden inside the meta data of the file and the server may execute it.

Fix Recommendation

In admin portal there are two types of uploads ".CSV" and ".csr". Both of these inputs are sanitized and are validated before being used by the code.

Scenario 10

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAttackers can try Null Byte upload or try to change the file extension.

Risk Assessment

If Null byte injected payloads get through and get executed, there is a good chance malicious files can be uploaded, may even lead to RCE.

Fix Recommendation

Sanitation of every input is done thoroughly, all the filenames and extensions are whitelisted and checked before being used.

Scenario 11

Current StatusSeverityRisk

Fixed

Low

Medium

DescriptionAn attacker can try to attempt to upload oversized files to cause buffer overload.

Risk Assessment

If buffer overload attacks are tried and are successful it can lead to server crashing and can cause issues with the day to day operation of the project.

Fix Recommendation

In MOSIP,the size limit is set to 4 Megabytes, which is configurable and hence buffer overload threat is mitigated.

Scenario 12

Current StatusSeverityRisk

Known Issue

Low

Medium

DescriptionAn attackers can try different methods to expose the used server name and version. It is otherwise known as banner grabbing.

Risk Assessment

Banner grabbing is not a direct vulnerability however it may lead attackers to try newly exposed vulnerability of software or framework that has not been patched yet.

Fix Recommendation

In MOSIP, configurations have been changed and updated so that these values are not accessible to external users. The patches are also updated regularly.

Scenario 13

Current StatusSeverityRisk

Known Issue

Medium

Medium

DescriptionAttackers can try path traversal/Directory Traversal attacks.

Risk Assessment

If path traversal is allowed the attacker will try to find any important files through adding ../../ to the url in the request.

Fix Recommendation

In MOSIP, path traversal is not allowed and all files are secured robustly. We use server configurations to sanitize the URLs.

Scenario 14

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAttackers can try CSRF attacks

Risk Assessment

A CSRF or a Cross Site Request Forgery is a very dangerous vulnerability. In a CSRF attack an attacker can send a malicious link to an authentic user and if the website is susceptible to CSRF attack then it will allow the attacker to steal the token of the user and access to the server.

Fix Recommendation

CSRF is blocked in MOSIP, using anti-CSRF configurations.

Scenario 15

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAttackers can try CORS attacks

Risk Assessment

CORS or Cross Origin Resource Sharing is equally dangerous. It allows external users to have access to resources that only intended user should have access to.

Fix Recommendation

CORS is also blocked in mosip using anti-CORS configurations.

Scenario 16

Current StatusSeverityRisk

Known Issue, not a vulnerability.

Low

Medium

DescriptionAttackers can try header manipulation attacks

Risk Assessment

In a Header manipulation attack an attacker changes the headers of the requests to see if it shows any values or errors in response. Without right validation these Headers can cause unwanted changes in DB and Server.

Fix Recommendation

In MOSIP, each request is whitelisted with only the one header it is required to have and manipulating header values will

Scenario 17

Current StatusSeverityRisk

Known Issue, not a vulnerability.

Low

Medium

DescriptionAn attacker with access to admin UI can try to upload incorrect certificates.

Risk Assessment

The certificates are key to establishing the trust chain among various modules in MOSIP. If an incorrect certificate gets through and replaces a valid one, it may cause the module to stop working all together.

Fix Recommendation

In MOSIP, we require a specific format to upload certificates and before accepting any certificate we match the public key modulus of the certificates.

Scenario 18

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAttackers can try request smuggling attacks.

Risk Assessment

Request smuggling although uncommon is still a very dangerous vulnerability. In request smuggling we send multiple packets of data in quick succession to try and deceive the server and use the incorrect packet of data.

Fix Recommendation

In MOSIP,we do not allow any external header and all the input are sanitized before being used by the server.

Scenario 19

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAttackers can try XXE injection attacks

Risk Assessment

XXE injections are used by attackers to input payloads into the logic of an XML application.

Fix Recommendation

The inputs are robustly sanitized before use and also special characters are not allowed in every field,to minimize risk.

Scenario 20

Current StatusSeverityRisk

Known issue, not a vulerability

Low

Medium

DescriptionAttackers can try to spoof /change biometric data or confidential data

Risk Assessment

If an attacker is able to successfully spoof or change the data of a person, then he/she would be able to make unwanted changes in the database.

Fix Recommendation

In MOSIP, each piece of data goes through multiple layers if encryption/decryption and signature validation. Hence, any spoofed or changed data will be invalid.

Scenario 21

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAn attacker can try double host header attacks

Risk Assessment

The double host header or multiple header attack allows the attacker to send malicious data or website links in the headers of the request.

Fix Recommendation

In MOSIP, each header value is sanitized and validated before use.

Scenario 22

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAttackers can try to use other user’s PRID to get their PII data(IDOR)

Risk Assessment

This is an example of horizontal privilege escalation. An attacker with a regular user access tries to get the data of another user.

Fix Recommendation

In MOSIP, horizontal privilege escalation is not possible, each request is accompanied with an unique cookie which an attacker does not have.

Scenario 23

Current StatusSeverityRisk

Known issue, not a vulnerability.

Medium

Medium

DescriptionAn attacker can try privilege escalation attacks.

Risk Assessment

In privilege escalation attacks an attacker already has user access and then tries to get admin access. They can try to add extra roles in tokens or use possible admin username and passwords.

Fix Recommendation

In MOSIP, all roles are provided and secured by KeyCloak and each token is validated before use, hence no privilege escalation attacks are probable.

Scenario 24

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionAbsence of x-content –type header

Risk Assessment

The HTTP 'X-Content-Type-Options' response header prevents the browser from MIME-sniffing a response away from the declared content-type.

Fix Recommendation

In MOSIP, X-content type header is added to configuration to mitigate the vulnerability.

Scenario 25

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionWeak ciphers can be decrypted and used for data stealing

Risk Assessment

When the used cipher is weak ,it usually tends to fall short in front of brute-force attacks and that leads to data leakage.

Fix Recommendation

In MOSIP we have used hardened ciphers which are highly impossible to break even with sophisticated tools.

Scenario 26

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionWithout a CSP(content security Policy) a program is never very secure

Risk Assessment

The primary benefit of CSP is preventing the exploitation of cross-site scripting vulnerabilities. When an application uses a strict policy, an attacker who finds an XSS bug will no longer be able to force the browser to execute malicious scripts on the page

Fix Recommendation

In MOSIP, we have CSP set in our ngnix configurations along with many other properties to harden our server configuration.

Scenario 27

Current StatusSeverityRisk

Fixed

Medium

Medium

DescriptionThe pre-registration zip file might cause buffer overload

Risk Assessment

In the registration client, we have an option to import data from preregistered PRIds, which are multiple zip files. If the size and content of the zip files are not regulated, it may lead to buffer overload among other problems.

Fix Recommendation

To mitigate this we have configure a limit of, 1.size of zip file 2.maximum no of files allowed inside a zip 3.The maximum allowed ratio of files and their resultant zip files.

Last updated

Copyright © 2021 MOSIP. This work is licensed under a Creative Commons Attribution (CC-BY-4.0) International License unless otherwise noted.

#300: Mock Services -1st draft

Change request updated