This report contains all the security bugs that were identified in various MOSIP modules. This is a combination of both web application and API related security testing scenarios.
This report is prepared based on the security testing performed on the 1.2.0 version of MOSIP.
For testing the modules we have used state of the art security testing tools such as Burpsuite Professional, owasp ZED attack proxy, wireguard and other Linux tools.
In MOSIP we have three modules that have web-based UI interfaces. These modules are Preregistration, Administration and Partner-management-Portal. All three have been tested thoroughly.
All other modules in MOSIP do not have any web-based interface and these modules communicate with each other using APIs. The details of the APIs in MOSIP 1.2.0 are available here.
Web Security Vulnerability Snapshot
| Severity | Count |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Session was not getting invalidated after logout |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attacker can bypass authentication using SQL injection or LDAP injection. Sometimes due to insufficient data sanitation and testing, attackers can break in. This has a very high security risk. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attacker can monitor the request and response and change the request parameters. If an attacker uses certain proxy tools, he/she will be able to monitor the requests and responses of certain users in the network. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attacker can overload the system by sending thousands of requests |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attacker can try a dictionary attack or a brute force method to get the userId and password. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attacker can put XSS scripts that will be executed on victims browser |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attacker can try to upload malicious files |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attackers can try Null Byte upload or try to change the file extension. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attacker can try to attempt to upload oversized files to cause buffer overload. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attackers can try different methods to expose the used server name and version. It is otherwise known as banner grabbing. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attackers can try path traversal/Directory Traversal attacks. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attackers can try CSRF attacks |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attackers can try CORS attacks |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attackers can try header manipulation attacks |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attacker with access to admin UI can try to upload incorrect certificates. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attackers can try request smuggling attacks. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attackers can try XXE injection attacks |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attackers can try to spoof /change biometric data or confidential data |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attacker can try double host header attacks |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Attackers can try to use other user’s PRID to get their PII data(IDOR) |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | An attacker can try privilege escalation attacks. |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Absence of x-content –type header |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Weak ciphers can be decrypted and used for data stealing |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | Without a CSP(content security Policy) a program is never very secure |
|---|---|
| Current Status | Severity | Risk |
|---|---|---|
| Description | The pre-registration zip file might cause buffer overload |
|---|---|
High
0
Medium
18
Low
8
Information
0
Total
26
Fixed
Medium
Low
Description
An attacker can steal a JWT cookie from the browser and try to extract any personal information that is available there. 1. Install cookie manager plugin in any browser 2. Login into the application and click cookie manager 3. Select JWT for current page 4. Copy the JWT and go to jwt.io website to decode the token 5. Check if any sensitive information is disclosed in the token's payload as this is mostly base64 encoded
Risk Assessment
For authentication and authorization in MOSIP we use JWT tokens. If any PII data is shared in the token, it would be considered a data breach.
Fix Recommendation
No PII data should be shared in the token.
Fixed
Medium
Low
Description
Attacker can steal JWT cookie from the browser and crack the JWT secret key 1. Get the JWT token using the cookie manager plugin 2. Run an automated tool to crack the JWT token and check if you can break the security key if the security key is weak
Risk Assessment
For authentication and authorization in MOSIP we use JWT tokens. If the token is broken, the secret key can be revealed as well as other important data can be exploited.
Fix Recommendation
A very strong and random secret key should be used and it should be changed at regular intervals.
Fixed
Low
Low
Risk Assessment
If a session doesn't get invalidated after calling the logout API, then the risk of any attacker taking over the session becomes high.
Fix Recommendation
The session must be invalidated as soon as the user calls the logout API. After the token gets invalidated, all the access for the token should be removed.
Fixed
Medium
Medium
Risk Assessment
If an attacker bypasses authentication, then a lot of other vulnerabilities can be exploited by the attacker.
Fix Recommendation
In our modules, we don’t use username and password externally, hence this is inapplicable.
Known issue, not a vulnerability
Medium
Medium
Risk Assessment
It allows the PII data of an individual to be leaked. It can also lead to generation of faulty data and incomplete profiles.
Fix Recommendation
Most of the data should be sent in an encrypted manner.
Known issue, not a vulnerability
Medium
Low
Risk Assessment
A denial of service (DoS) attack can take place if an attacker uses a tool to send thousands of requests each minute, which may cause server to crash or be inefficient.
Fix Recommendation
There should be a limit on number of times an user can send a request, and there must be blacklisting method for disabling users who are sending too many requests.
Known issue, not a vulnerability
Low
Low
Risk Assessment
With a sophisticated tool an attacker can try to brute force through the initial login page. If he is successful, He will be able to further attack all the available options that an admin has.
Fix Recommendation
The passwords have to be strong and authentication should not allow numerous attempts.
Fixed
Medium
Medium
Risk Assessment
If an attacker gets through admin login, he will be able to use malicious scripts through the UI and can take over the server.
Fix Recommendation
All inputs by user’s should be considered as potentially dangerous and must pass through sanity. It should always be treated as text and not scripts. In mosip we use anti-xss configuration as well.
Fixed
Medium
Medium
Risk Assessment
Malicious file upload can be a considered one of the high risk attacks. An attacker can create a malicious file with script sin the file name or scripts hidden inside the meta data of the file and the server may execute it.
Fix Recommendation
In admin portal there are two types of uploads ".CSV" and ".csr". Both of these inputs are sanitized and are validated before being used by the code.
Fixed
Medium
Medium
Risk Assessment
If Null byte injected payloads get through and get executed, there is a good chance malicious files can be uploaded, may even lead to RCE.
Fix Recommendation
Sanitation of every input is done thoroughly, all the filenames and extensions are whitelisted and checked before being used.
Fixed
Low
Medium
Risk Assessment
If buffer overload attacks are tried and are successful it can lead to server crashing and can cause issues with the day to day operation of the project.
Fix Recommendation
In MOSIP,the size limit is set to 4 Megabytes, which is configurable and hence buffer overload threat is mitigated.
Known Issue
Low
Medium
Risk Assessment
Banner grabbing is not a direct vulnerability however it may lead attackers to try newly exposed vulnerability of software or framework that has not been patched yet.
Fix Recommendation
In MOSIP, configurations have been changed and updated so that these values are not accessible to external users. The patches are also updated regularly.
Known Issue
Medium
Medium
Risk Assessment
If path traversal is allowed the attacker will try to find any important files through adding ../../ to the url in the request.
Fix Recommendation
In MOSIP, path traversal is not allowed and all files are secured robustly. We use server configurations to sanitize the URLs.
Fixed
Medium
Medium
Risk Assessment
A CSRF or a Cross Site Request Forgery is a very dangerous vulnerability. In a CSRF attack an attacker can send a malicious link to an authentic user and if the website is susceptible to CSRF attack then it will allow the attacker to steal the token of the user and access to the server.
Fix Recommendation
CSRF is blocked in MOSIP, using anti-CSRF configurations.
Fixed
Medium
Medium
Risk Assessment
CORS or Cross Origin Resource Sharing is equally dangerous. It allows external users to have access to resources that only intended user should have access to.
Fix Recommendation
CORS is also blocked in mosip using anti-CORS configurations.
Known Issue, not a vulnerability.
Low
Medium
Risk Assessment
In a Header manipulation attack an attacker changes the headers of the requests to see if it shows any values or errors in response. Without right validation these Headers can cause unwanted changes in DB and Server.
Fix Recommendation
In MOSIP, each request is whitelisted with only the one header it is required to have and manipulating header values will
Known Issue, not a vulnerability.
Low
Medium
Risk Assessment
The certificates are key to establishing the trust chain among various modules in MOSIP. If an incorrect certificate gets through and replaces a valid one, it may cause the module to stop working all together.
Fix Recommendation
In MOSIP, we require a specific format to upload certificates and before accepting any certificate we match the public key modulus of the certificates.
Fixed
Medium
Medium
Risk Assessment
Request smuggling although uncommon is still a very dangerous vulnerability. In request smuggling we send multiple packets of data in quick succession to try and deceive the server and use the incorrect packet of data.
Fix Recommendation
In MOSIP,we do not allow any external header and all the input are sanitized before being used by the server.
Fixed
Medium
Medium
Risk Assessment
XXE injections are used by attackers to input payloads into the logic of an XML application.
Fix Recommendation
The inputs are robustly sanitized before use and also special characters are not allowed in every field,to minimize risk.
Known issue, not a vulerability
Low
Medium
Risk Assessment
If an attacker is able to successfully spoof or change the data of a person, then he/she would be able to make unwanted changes in the database.
Fix Recommendation
In MOSIP, each piece of data goes through multiple layers if encryption/decryption and signature validation. Hence, any spoofed or changed data will be invalid.
Fixed
Medium
Medium
Risk Assessment
The double host header or multiple header attack allows the attacker to send malicious data or website links in the headers of the request.
Fix Recommendation
In MOSIP, each header value is sanitized and validated before use.
Fixed
Medium
Medium
Risk Assessment
This is an example of horizontal privilege escalation. An attacker with a regular user access tries to get the data of another user.
Fix Recommendation
In MOSIP, horizontal privilege escalation is not possible, each request is accompanied with an unique cookie which an attacker does not have.
Known issue, not a vulnerability.
Medium
Medium
Risk Assessment
In privilege escalation attacks an attacker already has user access and then tries to get admin access. They can try to add extra roles in tokens or use possible admin username and passwords.
Fix Recommendation
In MOSIP, all roles are provided and secured by KeyCloak and each token is validated before use, hence no privilege escalation attacks are probable.
Fixed
Medium
Medium
Risk Assessment
The HTTP 'X-Content-Type-Options' response header prevents the browser from MIME-sniffing a response away from the declared content-type.
Fix Recommendation
In MOSIP, X-content type header is added to configuration to mitigate the vulnerability.
Fixed
Medium
Medium
Risk Assessment
When the used cipher is weak ,it usually tends to fall short in front of brute-force attacks and that leads to data leakage.
Fix Recommendation
In MOSIP we have used hardened ciphers which are highly impossible to break even with sophisticated tools.
Fixed
Medium
Medium
Risk Assessment
The primary benefit of CSP is preventing the exploitation of cross-site scripting vulnerabilities. When an application uses a strict policy, an attacker who finds an XSS bug will no longer be able to force the browser to execute malicious scripts on the page
Fix Recommendation
In MOSIP, we have CSP set in our ngnix configurations along with many other properties to harden our server configuration.
Fixed
Medium
Medium
Risk Assessment
In the registration client, we have an option to import data from preregistered PRIds, which are multiple zip files. If the size and content of the zip files are not regulated, it may lead to buffer overload among other problems.
Fix Recommendation
To mitigate this we have configure a limit of, 1.size of zip file 2.maximum no of files allowed inside a zip 3.The maximum allowed ratio of files and their resultant zip files.