VAPT Report-uKnowva 2.4.4

  • Print

The uKnowva Testing Team conducted an in-depth testing of uKnowva 2.4.4 for all OWASP vulnerabilities. This document contains the details of the testing conducted. All those vulnerabilities, along with the new ones in the latest version have been successfully fixed. The report provides a detailed explanation of the vulnerabilities as listed by OWASP along with their current status in this version of uKnowva.

This is a confirmatory document that uKnowva is VAPT tested and is immune to the major vulnerabilities listed by the OWASP project.

OWASP Top 10 Vulnerability Status

Vulnerability

Vulnerability Impact

Test Result

A1 – Injection: Injection flaws occur when an application sends untrusted data to an interpreter. Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

Severe

Pass

A2 – Broken Authentication and Session Management: Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

Severe

Pass

A3 – Cross Site Scripting (XSS): XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

Moderate

Pass

A4 – Insecure Direct Object Reference: Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Such flaws can compromise all the data that can be referenced by the parameter. Unless object references are unpredictable, it’s easy for an attacker to access all available data of that type.

Moderate

Pass

A5 - Security Misconfiguration: Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. The system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time.

Moderate

Pass

A6 - Sensitive Data Exposure: The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.

Severe

Pass

A7 – Missing Function Level Access Control: Applications do not always protect application functions properly. Sometimes, function level protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget. Detecting such flaws is easy. The hardest part is identifying which pages (URLs) or functions exist to attack. Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.

Moderate

Pass

A8 – Cross site Request Forgery (CSRF): CSRF takes advantage the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones. Attackers can trick victims into performing any state changing operation the victim is authorized to perform, e.g., updating account details, making purchases, logout and even login.

Moderate

Pass

A9 – Using Components with known Vulnerabilities: Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.

Moderate

Pass. uKnowva uses components and extensions that have been thoroughly tested for flaws and vulnerabilities. We have made sure that we have fixed/removed all flaws of all the components that we have used.

A10 – Unvalidated Redirects and Forwards: Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass.

Moderate

Pass

 

Download the complete report here.