OWASP Top 10 security audit

Security is the core feature of our application. Cyberattacks are on the rise, and we want to be sure that we offer our clients a secure solution for their data. We therefore conducted an internal audit focused on possible security vulnerabilities.

One of the best-known advocates of web security is the OWASP Foundation (Open Web Application Security Project). It periodically updates its widely recognized Top 10, a list of the most critical categories of web application security risks. We used this list as a template for our internal testing, which was performed in two phases:

  1. black box testing,
  2. white box testing.

Black box testing

The first part of the security audit was conducted without prior knowledge of the source code, against a running instance of the production application. The goal was to discover possible vulnerabilities through the eyes of an attacker and to try realistic attacks on the system. The tests started by mapping the API routes used by the front-end parts of the application, together with all their parameters and returned values.

Using an intercepting proxy, API responses were replaced with custom values to expose hidden or normally inaccessible parts of the application, and to check that the restriction is enforced by the server and not only by the front end. We also tested how the application behaves and what it logs when a response is corrupted. The API was tested against the validation of user input: its size, and wrong or unexpected data formats. The focus of this part was mainly broken access control, cryptographic failures, injection, insecure design, and server-side request forgery.
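The response-tampering step described above can be scripted. The following is an added example, not the audit team's tooling and not code from Passwd: a mitmproxy addon that rewrites privilege-looking fields in JSON API responses so the front end behaves as if the current user were an administrator. The field names `isAdmin`, `role` and `features`, the values injected and the sample payloads are assumptions for illustration; in a real test the names come from watching the application's own responses in the proxy first.

```python
"""Added example: mitmproxy addon that tampers with JSON API responses
during black-box testing (assumed field names, not the audited app's)."""
from __future__ import annotations

import json
import logging
from typing import Any

log = logging.getLogger(__name__)

# Assumed privilege flags to overwrite wherever they appear in a response.
TAMPER_RULES: dict[str, Any] = {
    "isAdmin": True,
    "role": "admin",
}
# Assumed names of feature-flag lists, and the flags to add to them.
FEATURE_LIST_KEYS = {"features", "enabledFeatures"}
EXTRA_FEATURES = ["admin_panel", "export_all"]


def tamper(obj: Any) -> Any:
    """Recursively rewrite privilege-looking fields in a decoded JSON value."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key in TAMPER_RULES:
                out[key] = TAMPER_RULES[key]
            elif key in FEATURE_LIST_KEYS and isinstance(value, list):
                # keep the original order, append whatever is missing
                out[key] = value + [f for f in EXTRA_FEATURES if f not in value]
            else:
                out[key] = tamper(value)
        return out
    if isinstance(obj, list):
        return [tamper(item) for item in obj]
    return obj


def tamper_body(body: bytes) -> tuple[bytes, bool]:
    """Return (new_body, changed). Non-JSON bodies pass through untouched."""
    try:
        data = json.loads(body)
    except ValueError:  # includes UnicodeDecodeError
        return body, False
    new = tamper(data)
    if new == data:
        return body, False
    return json.dumps(new).encode("utf-8"), True


# The mitmproxy hook is only registered when the file runs under mitmproxy
# (mitmdump -s tamper_response.py); importing it elsewhere still works.
try:
    from mitmproxy import http

    def response(flow: http.HTTPFlow) -> None:
        if flow.response is None:
            return
        if "json" not in flow.response.headers.get("content-type", ""):
            return
        new_body, changed = tamper_body(flow.response.content or b"")
        if changed:
            flow.response.content = new_body
            log.info("tampered response for %s", flow.request.path)
except ImportError:
    pass
```

Run it with `mitmdump -s tamper_response.py` (assumed file name) and point the browser at the proxy. If hidden UI or routes appear, the real test follows: call the corresponding API directly with the unprivileged session and confirm that the server rejects the request. A front end that merely hides a button is not access control.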

White box testing

The second part of the security audit was performed by examining the source code, logs, libraries, and technologies used. In this part, we mainly focused on security misconfiguration, vulnerable and outdated components, security logging and monitoring failures, and software and data integrity failures.

We verified that every library Passwd uses is actually needed and that the production build does not contain unnecessary or unused features. We reviewed the configuration files and their possible settings. We reviewed all logs, checked that they are useful, and checked whether they contain any sensitive data.
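As an added example of the log review described above (not the audit's own tooling, and not Passwd's log format), the following Python scans log lines for data that should never reach a log file: credentials, HTTP authorization headers, JWTs and e-mail addresses, and shows the redaction a log formatter should apply. The rules and the sample log lines are constructed for illustration.

```python
"""Added example: scan log lines for sensitive data that should never be
logged. Rules and sample lines are constructed; not Passwd's log format."""
from __future__ import annotations

import re

# (finding name, pattern). Patterns are deliberately broad: a false
# positive costs a minute of review, a false negative leaks a secret.
RULES = [
    ("password_field", re.compile(r'(?i)\b(?:password|passwd|pwd)\b["\']?\s*[=:]\s*\S+')),
    ("basic_auth", re.compile(r"(?i)authorization:\s*basic\s+\S+")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[a-z0-9._-]{20,}")),
    ("jwt", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]


def scan_line(line: str) -> list[str]:
    """Names of every rule that matches the line, in RULES order."""
    return [name for name, rx in RULES if rx.search(line)]


def scan(lines) -> list[tuple[int, list[str]]]:
    """(1-based line number, findings) for each line with at least one hit."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append((lineno, hits))
    return findings


def redact(line: str) -> str:
    """Replace every match with a placeholder; what a log formatter should do."""
    for name, rx in RULES:
        line = rx.sub(f"[REDACTED:{name}]", line)
    return line


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2024-01-10T12:00:01Z INFO  login ok user_id=42",
    '2024-01-10T12:00:02Z DEBUG request body {"username":"alice","password":"hunter2"}',
    "2024-01-10T12:00:03Z DEBUG headers Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl",
    "2024-01-10T12:00:04Z INFO  password reset mail sent to alice@example.com",
    "2024-01-10T12:00:05Z WARN  rate limit hit for client 10.0.0.5",
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
        print("   ", redact(SAMPLE_LOG[lineno - 1]))
```

Running the script over the sample flags the debug line that logs a request body with a password, the header dump that logs a bearer token, and the notification line that logs an e-mail address; the first line (a user id) and the last (a client address) pass. Whether e-mail addresses count as sensitive depends on the application; for a password manager they are at least personal data, so the rule errs on the side of flagging them.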

Results

During testing, no major vulnerabilities that could affect data integrity or compromise the application were discovered, and no cryptographic issues were found. We did, however, discover several low-risk issues, which we fixed immediately:

  • one issue with admin role synchronization,
  • one low-severity XSS vulnerability,
  • one possible configuration improvement,
  • two possible scalability issues,
  • three issues with logging.

Based on the audit, unused parts of the source code and unused libraries were removed, and old or unmaintained dependencies were replaced with maintained alternatives. Testing also resulted in two recommendations for improvements in scalability and configuration, which our team is addressing. This is not the end, of course: we will continue to maintain the security of our application at the highest possible level.