
Application Penetration Test Report

for Carnation – Web App

October 24, 2023


APPLICATION PENETRATION TEST REPORT

Table of Contents
Executive Summary 3
Company background 4
Assumptions and Constraints 4
Objectives and scope 5
Findings rating methodology 6
Application rating methodology 7
Findings summary 8
Conclusion 8
Project team 8
Detailed Analysis and Breakdown 9
Detailed conclusion 9
Detailed findings table 10
Reconnaissance 10
Finding details 11
Methodology 36
Tools and technology 36
Goals and objectives 36

Proprietary and confidential information. © 2023 Crosslake Technologies. 2



Executive Summary
CancerLinQ, a subsidiary of ASCO, is a mission-driven, non-profit health technology company with a goal of
improving quality of care, improving health outcomes for all patients with cancer, and advancing evidence-
based research. CancerLinQ contracted with Crosslake to perform a web application-oriented penetration test
against a defined environment to assist in discovering flaws and weaknesses. Testing was performed per
industry best practices and focused upon the Open Web Application Security Project’s (OWASP) top
vulnerabilities, which represent industry consensus on the most critical security risks to web applications along
with general security best practices testing. The test against the client-provided environment occurred between
October 19, 2023, and October 24, 2023.

The purpose of this test was to perform an application level, authenticated assessment of an environment
emulating the internet-facing equivalent hosts provided as part of the scope of this engagement, with the goal
to evaluate existing security controls and measures, and to provide recommendations for improvement. Based
on this objective, Crosslake has concluded that some issues exist, and the CancerLinQ application received an
overall grade of C. We have identified areas of improvement and recommend that CancerLinQ formulates a
remediation plan to mitigate findings uncovered during the assessment.

Overall grade: C


Company background

Crosslake provides the expertise you need to enhance your security posture, reduce your risk, and facilitate
compliance efforts. Our team of practitioners are seasoned, highly-certified security and compliance veterans
committed to customer success and ensuring that our customers’ security and compliance goals are met or
exceeded. Our services span the spectrum of information security and compliance, from security strategy and
governance to technical testing and compliance readiness. Our many years of experience and sole focus on
client success make us a valuable partner for any company.

Crosslake was founded in 2008 by an original member of Microsoft’s Engineering Excellence team with the
intent to help changemakers buy, build, and run technology that creates value. Crosslake’s unmatched
community of technical practitioners – former CTOs, CIOs, architects, and engineers – are skilled at translating
technology buzzwords into actionable, business-focused insight. Their seasoned judgement is supported by the
patented Corsis® platform, which leverages data from more than 3,500 prior technology M&A (Merger &
Acquisition) transactions to define objective, measurable TechIndicators® that private equity investors and
management teams rely upon to deliver strategic value creation initiatives and inform diligence.

Assumptions and Constraints

The project scope, as defined in the Statement of Work, outlines the depth of these evaluation activities. The
security assessment was conducted to be as thorough as possible. All scans were performed with “safe checks
enabled.” Potentially destructive tests, such as Denial of Service (DoS) attacks, were not performed. However,
given the nature of the security tests, system availability can be, and sometimes is, affected.

Manual testing was performed to provide a deep-dive analysis and validate automated scan results.
Nevertheless, some documented vulnerabilities may be false positives. Likewise, existing vulnerabilities may
not have been reported due to limitations in testing tools, time boundaries, deltas between the tested systems
and the production environment, and/or limitations in scope.

Crosslake believes the statements made in this document provide an accurate assessment of CancerLinQ’s
current security as it relates to the scope of the assessment. As environments change, and new vulnerabilities
are made public, an organization’s overall security posture will change. Such changes may affect the validity of
this assessment. Therefore, the findings described in this report describe a “snapshot” in time.


Objectives and scope

Prior to testing, CancerLinQ provided Crosslake with the application URL(s) and corresponding user
credentials. The scope of the penetration test was limited to the URL(s) provided and other services running
on the specified host(s). The penetration test was conducted from two perspectives: first, as an unauthenticated
attacker, and second, as an authenticated user. The URLs (Uniform Resource Locators) provided are listed
below:

● https://app.qa.qa.cancerlinq.io/

Account                       Permissions granted
clq890+mcarmley@gmail.com     Quality Manager
clq890+skombe@gmail.com       Provider

Using a mixture of techniques and scanning tools, the URL(s) were assessed for occurrences of published top
vulnerabilities:

1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfigurations
7. Cross-site scripting (XSS)
8. Missing function-level access control
9. Insecure deserialization
10. Insufficient logging and monitoring
11. Insecure direct object references
12. Cross-site request forgery (CSRF)
13. Unvalidated redirects and forwards
14. Components with known vulnerabilities


Findings rating methodology

Crosslake determines the risk posed by vulnerabilities based on three main criteria: risk to users, risk to
infrastructure, and attack complexity.

Risk to users is how a vulnerability may impact users of the application and their data. Low-risk issues may
only affect single users or non-critical data, while high-risk vulnerabilities may easily compromise data on many
users, or extremely sensitive data, such as payment card information.

Risk to infrastructure measures the impact of a vulnerability to the hardware and network the application runs
on. Low-risk findings could involve service impacts given a large-scale denial of service attack, which
Crosslake would not simulate. High-risk vulnerabilities would include flaws that would allow an attacker to
execute code on the server, or an easily triggered denial of service condition.

Attack complexity gauges how difficult it would be for an attacker to execute an attack against users or
infrastructure. Some attacks require specific conditions be met for a successful attack, such as a certain
network posture, like the ability to man-in-the-middle a victim, or access to a prohibitively large amount of
computing resources. A higher attack complexity will lower the risk of a finding.

The overall risk rating for the finding is a sum of the above criteria to give an overall risk posed by the
vulnerability. This gives an at-a-glance indication of the risk posed to your organization to help easily
understand the issue and prioritize remediation efforts.


Application rating methodology

Current application risk: C

D   The application contains security flaws that require immediate remediation and pose a
    severe risk to users or infrastructure. Vulnerabilities are easy to exploit over the network
    and lead to significant compromise of user data or the ability to gain access to underlying
    infrastructure, without any form of authentication. Multiple vulnerabilities in the same
    functionality of the application, or attacks that can be chained together, may increase the
    overall risk posed by the application.

C   High-risk applications contain security flaws which should receive priority attention. These
    flaws can be directly exploited to attack users or infrastructure; however, some
    constraints may impact the ease of attack. Authentication or a specific network posture
    may be necessary to exploit the vulnerabilities. Multiple vulnerabilities in the same
    functionality of the application, or attacks that can be chained together, may increase
    the overall risk posed by the application.

B   Medium-risk applications do not contain major security flaws but may contain issues
    which should be considered for remediation soon. Vulnerabilities may present limited
    vectors for attack or may pose significant difficulty for an attacker to successfully exploit.
    Multiple vulnerabilities in the same functionality of the application, or attacks that can be
    chained together, may increase the overall risk posed by the application.

A   Low-risk applications present a limited attack surface and contain no significantly
    exploitable flaws; however, some security best practices may not be followed.

A+  The application was found to contain no major security flaws and adheres strongly to
    industry best practices for security.


Findings summary

Severity        Identified   Remediated   Remaining
Critical        0            0            0
High            1            0            1
Medium          4            0            4
Low             7            0            7
Informational   2            0            2
Totals          14           0            14

Conclusion

Crosslake has successfully completed the application assessment of the URL(s) defined in the scope. Overall,
Crosslake has found the security controls in place within scope of the assessment to contain significant gaps.

We recommend that you evaluate the issues contained in this report and implement a remediation plan. We
appreciate your assistance in making the assessment go smoothly, and we are grateful for the opportunity to
help CancerLinQ assess and improve its security posture.

Project team

The following team members were involved in this assessment:

Team Member     Role        Contact Information
Yash Sancheti   Associate   yashs@crosslaketech.com
Kerlyn Manyi    Associate   kerlynma@crosslaketech.com


Detailed Analysis and Breakdown


Detailed conclusion

Crosslake Technologies has successfully completed the application penetration test on the specified URL for
CancerLinQ and discovered various security vulnerabilities that require immediate attention.

We've identified multiple vulnerabilities across varying levels of severity in the application. Starting with high-
risk vulnerabilities, the application is subject to Broken Access Control. This means an attacker can manipulate
parameters to access unauthorized resources, posing a significant security risk.

On the medium-risk spectrum, we've found several issues that compromise the application's security but may
not immediately lead to severe consequences. Notably, the application does not scan uploaded files for
viruses, increasing the risk of malware infiltration. Additionally, the absence of multi-factor authentication and
poor session management practices could make it easier for attackers to compromise user accounts. Exposed
administrative interfaces are also a point of concern, as they can be easily targeted.

In the low-risk category, several vulnerabilities, such as susceptibility to clickjacking and the absence of
specific security headers like X-XSS-Protection, have been observed. Outdated JavaScript resources and a missing
HTTP Strict Transport Security header also weaken the application's overall security posture.
Username enumeration adds another layer of potential risk. Also, access tokens are captured in URLs, which
could lead to security concerns if URLs are improperly handled or logged.

Lastly, for informational purposes, the application allows concurrent logins and exposes version details. While
these may not be vulnerabilities per se, they can provide attackers with additional information that may be
exploited in conjunction with other vulnerabilities.
It's important to note that this testing was done in a limited environment. We didn't have email access to the
credentials. The credentials provided were from a single organization, and they did not have the privilege to
view or switch to other organization users.

In summary, the assessment reveals that CancerLinQ needs urgent security enhancements to protect against
both high-impact and more nuanced vulnerabilities. We strongly recommend that a comprehensive remediation
plan be put into action immediately.

We recommend that CancerLinQ evaluate the issues contained in this report and implement a remediation
plan. We appreciate your assistance in making the assessment go smoothly, and we are grateful for the
opportunity to help CancerLinQ assess and improve its security posture.


Detailed findings table

Severity: HIGH
Issue ID#   Description
1           Broken Access Controls

Severity: MEDIUM
Issue ID#   Description
2           Uploaded Files Are Not Virus Scanned
3           No Option for Multi-Factor Authentication
4           Exposed Administrative Interfaces
5           Unauthenticated Access and Session Management

Severity: LOW
Issue ID#   Description
6           Application Vulnerable to Clickjacking
7           Missing X-XSS-Protection Header
8           Application Does Not Define a Content Security Policy
9           Outdated JavaScript Resources
10          No HTTP Strict Transport Security Header
11          Username Enumeration
12          Access Token Captured in URL

Severity: INFORMATIONAL
Issue ID#   Description
13          Concurrent Logins Allowed
14          Version Disclosure

Reconnaissance

Host                       IP Address     Ports            Session Cookie
app.qa.qa.cancerlinq.io/   99.86.229.50   80/tcp, 443/tcp  JSESSIONID


Finding details

Critical-risk findings

None.


High-risk findings

Issue #1: Broken Access Controls

Attributes
Overall Risk: High
User Risk: High
Infrastructure Risk: None
Attack Complexity: High

Description
Broken Access Control vulnerabilities occur when an application provides direct access to objects based on
user-supplied input. This can allow an attacker to bypass authorization and access resources directly, such as
database records or files. In the provided API endpoints, the id, ou_id, batchIds, files, name, and
org_sender_name parameters are vulnerable to IDOR attacks. An attacker can manipulate these parameters to
reference objects outside of their authorized scope. For example, changing these values to those belonging to
another organization may succeed, because the application does not properly validate that the referenced object
belongs to the caller.

Note: This vulnerability requires validation from another organization. The testing was limited because
access to credentials was available for only a single organization.

Affected Location
POST /api/quality/updateBatchFiles?batch=1: The id parameter is vulnerable.
POST /api/quality/createQcpSubmission?batch=1: The ou_id parameter is vulnerable.
POST /api/quality/updateBatchFileStatus?batch=1: The batchIds parameter is vulnerable.
POST /api/quality/createJob,createJob?batch=1: The files array is vulnerable.
POST /api/quality/saveOrgUnit?batch=1: The name and org_sender_name parameters are vulnerable.
POST /api/quality/saveOrgUnit?batch=1: The updated_by parameter is vulnerable.
POST /api/quality/downloadRulesPackage?batch=1: The name parameter is vulnerable.


Evidence
POST /api/quality/updateBatchFiles?batch=1: The id parameter is vulnerable.
POST /api/quality/createQcpSubmission?batch=1: The ou_id parameter is vulnerable.


POST /api/quality/updateBatchFileStatus?batch=1: The batchIds parameter is vulnerable.
POST /api/quality/createJob,createJob?batch=1: The files array is vulnerable.


POST /api/quality/saveOrgUnit?batch=1: The updated_by and org_sender_name parameters are vulnerable.
POST /api/quality/downloadRulesPackage?batch=1: The name parameter is vulnerable.

Remediation
Implement proper authorization checks to ensure that users can only update their own organization's
details. This can be done by verifying the user's identity and their permissions before processing the
request.

References
• https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control


• https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
• https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html


Medium-risk findings

Issue #2: Uploaded Files Are Not Virus Scanned

Attributes
Overall Risk: Medium
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: High

Description
The application provides the capability for users to upload files. However, uploaded files are not
scanned for viruses or malicious content, potentially allowing users to store malware or other
malicious files in the application.

During the engagement, Crosslake was able to upload the EICAR virus test file, which is an innocuous
file that will be flagged by virus scanners. It was possible to then download the uploaded test file,
indicating that no virus scanning is being performed by the server.

Affected Location
https://app.qa.qa.cancerlinq.io/api/quality/saveRulesPackage


Evidence
The EICAR test file is uploaded to the server.

Remediation
Enable virus scanning of all user-uploaded files to reduce the risk of malicious files being stored by
the application.

References
• https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files


Issue #3: No Option for Multi-Factor Authentication

Attributes
Overall Risk: Medium
User Risk: High
Infrastructure Risk: None
Attack Complexity: Medium

Description
Multi-factor authentication (MFA), also referred to as two-factor authentication (2FA), uses out-of-band
communication such as an email or text message as a secondary means of verifying a user’s identity. This
means that even if a user’s password is compromised, an attacker is unable to log into the account without
having access to the secondary authentication token.

While not all users and applications require MFA, Crosslake highly recommends offering the option should
a user choose to secure their account more strongly. It is also worth considering requiring MFA for
sensitive applications or privileges, such as users with administrator rights.

Affected Location
https://app.qa.qa.cancerlinq.io

Remediation
Integrate an MFA solution into the application to give users the option of enabling MFA to secure their
account. This can include a code sent via SMS message or email, or purpose-built solutions such as an RSA
token generator.

References
• https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html


Issue #4: Exposed Administrative Interfaces

Attributes
Overall Risk: Medium
User Risk: High
Infrastructure Risk: None
Attack Complexity: Medium

Description
The Okta admin console and a User Portal were discovered. Exposing organizational administrative
functionality to the internet provides attackers with high-value targets that are more worth the effort to
exploit compared to many other web services.

If compromised, an attacker could make configuration changes that could potentially allow them to exploit
the device, change security settings, attack other users, and potentially gain a foothold into the internal
network.

Where possible, limit access to administrative interfaces to the internal network only.

Affected Location
https://cancerlinq-admin.oktapreview.com/admin/app/oidc_client/instance/0oa1qre6t7f1qTFoU0h8#tab-general
https://remote.cancerlinq.org/

Evidence
An Okta admin interface is accessible from the internet.


An administrative interface is accessible from the internet.

Remediation
Administrative functionality should be hosted internally and not exposed directly to the internet. If users
require remote access to these tools, they should connect through a VPN (Virtual Private Network).

References
• https://github.com/OWASP/DevGuide/blob/master/04-OperationalSecurity/Administrative-Interfaces.md
• https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration
• https://www.cvedetails.com/vulnerability-list/vendor_id-10/product_id-7244/HP-System-Management-Homepage.html
• https://www.cvedetails.com/vulnerability-list/vendor_id-16/product_id-9863/Cisco-Unified-Communications-Manager.html


Issue #5: Unauthenticated Access and Session Management

Attributes
Overall Risk: Medium
User Risk: High
Infrastructure Risk: None
Attack Complexity: Medium

Description
The application allows users to be automatically logged into the atroposportal when they click on a
specific link, even if they are not currently logged into the atroposportal. This link appears to work for
any account and does not expire. The URL is:
https://okta.cancerlinq.io/home/cancerlinq_atroposportal_1/0oa1b5py1vtP5jo7X0h8/aln1b5q2um65MzcIE0h8

Affected Location
https://okta.cancerlinq.io/home/cancerlinq_atroposportal_1/0oa1b5py1vtP5jo7X0h8/aln1b5q2um65MzcIE0h8

Test Method
1. Open an incognito window or a different browser where you are not logged into the atroposportal.
2. Log into https://app.qa.qa.cancerlinq.io/ (you must be logged in to execute the next step).
3. Paste the URL
   (https://okta.cancerlinq.io/home/cancerlinq_atroposportal_1/0oa1b5py1vtP5jo7X0h8/aln1b5q2um65MzcIE0h8)
   into the address bar and press Enter.
4. Observe that you are automatically logged into the atroposportal.

Remediation
To fix this issue, the application should implement proper checks and controls for URL redirection and
session management. The link should only work for a specific user and should expire after a certain
period of time or after it has been used. Additionally, the application should not automatically log
users into the atroposportal when they click on a link, especially if they are not currently logged in.
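The remediation asks for links that are bound to one user, expire, and work only once. As an added example (not the report's or the application's code), the following Python issues and redeems such a link using an HMAC over the user id, expiry and a random nonce; the secret, the server-side set of used nonces, and the expected_user check against the already-authenticated session are assumptions about the surrounding application.

```python
"""Single-use, expiring, user-bound login links (added example).

Assumptions: the application issues the link itself, holds the HMAC secret,
and keeps a set of redeemed nonces; expected_user is the identity of the
session that presents the link.
"""
import hashlib
import hmac
import secrets
import time


class LinkError(Exception):
    """Any reason a link is refused; the client should see one generic response."""


def make_login_link(user_id, secret, ttl_seconds=600, now=None, nonce=None):
    """Issue a token bound to one user that is valid for ttl_seconds.

    now and nonce are parameters only so that the example is reproducible."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8) if nonce is None else nonce
    payload = f"{user_id}|{now + ttl_seconds}|{nonce}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def redeem_login_link(token, secret, used_nonces, expected_user, now=None):
    """Check signature, expiry, user binding and single use, then burn the nonce.

    Returns the user id a session may be established for, or raises LinkError."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
        user_id, expires_text, nonce = payload.split("|")
        expires = int(expires_text)
    except ValueError:
        raise LinkError("malformed link") from None
    expected_sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected_sig):
        raise LinkError("bad signature")
    if now > expires:
        raise LinkError("expired")
    if user_id != expected_user:
        raise LinkError("link was issued to a different user")
    if nonce in used_nonces:
        raise LinkError("already used")
    used_nonces.add(nonce)  # burn only after every other check has passed
    return user_id


def link_refused(*args, **kwargs):
    """True if redeem_login_link raises LinkError for these arguments."""
    try:
        redeem_login_link(*args, **kwargs)
    except LinkError:
        return True
    return False


if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed; use a real random key in production
    used = set()
    token = make_login_link("user-42", secret)
    print("first use:", redeem_login_link(token, secret, used, "user-42"))
    print("second use refused:", link_refused(token, secret, used, "user-42"))
```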


Low-risk findings

Issue #6: Application Vulnerable to Clickjacking

Attributes
Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: Medium

Description
With clickjacking, attackers cause users to interact with an application by loading the application’s user
interface in the background of an attacker-controlled page, using an inline frame and selectively passing
actions, like mouse clicks, keystrokes, etc., to the target page within the application.

This is similar in effect to Cross-Site Request Forgery (CSRF) but more difficult to exploit, because it
requires user interaction, and for the user to not notice the incorrect browser URL. Typically, attackers
will try a clickjacking attack when the application prevents CSRF.

Affected Location
https://app.qa.qa.cancerlinq.io

Evidence
A proof of concept loads the login page in an iframe.

Remediation
The “X-Frame-Options” header is the standard defense against clickjacking. Modern browsers honor this
header to block malicious framing. If this header is set to “DENY”, browsers are instructed not to load the
page if it is embedded in a frame; if set to “SAMEORIGIN”, the page allows framing only by sites in the same
domain.


However, the “X-Frame-Options” header is not honored by some older browsers, including Internet Explorer 7.
If support for such browsers must be provided, JavaScript code can be used to force them to load pages
unframed or not at all.

References
• https://owasp.org/www-community/attacks/Clickjacking
• https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/testing_for_clickjacking_otg-client-009.html
• https://owasp.org/www-project-secure-headers/


Issue #7: Missing X-XSS-Protection Header

Attributes
Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: High

Description
The application does not include an “X-XSS-Protection” header in server responses. The
“X-XSS-Protection” header enables the browser’s built-in XSS filter even if it has been previously
disabled.

While this header will not prevent all XSS attacks, it makes both finding and exploiting these attacks
more difficult, and in many cases will prevent XSS attacks even if they exist.

Affected Location
https://app.qa.qa.cancerlinq.io/api/
https://app.qa.qa.cancerlinq.io/

Evidence
The application does not include an “X-XSS-Protection” header.

Remediation
Include the following header in all server responses:

X-XSS-Protection: 1

References
• https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html


Issue #8: Application Does Not Define a Content Security Policy

Attributes
Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: High

Description
The application does not include a "Content-Security-Policy" (CSP) header in responses. This HTTP header
lets the application define a list of trusted sources and source types from which the browser may load
content.

A CSP header can reduce the impact of attacks such as Cross-Site Scripting by preventing an attacker from
utilizing malicious JavaScript code hosted on another domain.

Affected Location
https://app.qa.qa.cancerlinq.io/api/
https://app.qa.qa.cancerlinq.io/

Evidence
The server does not include a CSP header in responses.

Remediation
Configure the server to include a “Content-Security-Policy” HTTP header in responses (the 'self' keyword
must be enclosed in single quotes; unquoted, browsers read it as a host named "self"):

Content-Security-Policy: default-src 'self';


The above example CSP header will provide basic protections, but the header can restrict or allow several
diverse sources and source types. Further documentation can be found listed in the references section
below.

References
• https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
• https://www.w3.org/TR/CSP/
• https://www.html5rocks.com/en/tutorials/security/content-security-policy/


Issue #9: Outdated JavaScript Resources

Attributes
Overall Risk: Low
User Risk: Low
Infrastructure Risk: None
Attack Complexity: Medium

Description
The application includes an outdated version of the jQuery JavaScript library. This library contains
known vulnerabilities, and it is recommended to update to the latest version. While Crosslake was not able
to exploit this library, changes to the application or a more dedicated attacker could discover a way to
exploit vulnerable functions. The application was found to use the following vulnerable library:

jQuery: 1.12.4

Affected Location
https://okta.cancerlinq.io/oauth2/aus11ji6xs2wewSvF0h8/v1/logout?id_token_hint=token&post_logout_redirect_uri=https%3A%2F%2Fapp.qa.qa.cancerlinq.io%2Flogout

Evidence
An outdated version of jQuery is used by the application.

Remediation
Update the above JavaScript library to its latest version.

References
• https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities
• https://cwe.mitre.org/data/definitions/1104.html


Issue #10: No HTTP Strict Transport Security Header

Attributes
Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: Low

Description
The application does not include an HSTS header. An application enables HSTS by returning an HTTP response
header that instructs users’ browsers to only interact with the site using secure transport methods. HSTS
is supported by all modern browsers.

Strict Transport Security helps defend against man-in-the-middle attacks that cause users to visit the site
using an unencrypted connection. For example, if a user types the website hostname without ‘https,’ or
instead uses ‘http,’ into their browser, the browser will initially make an unencrypted connection on port
80. Under normal circumstances, the site will redirect the user to the HTTPS version of the site. However,
an attacker able to modify traffic could prevent the redirect from occurring, forcing the user to use the
unencrypted site. Additionally, the initial request to the site could include confidential information such
as cookies, allowing an attacker to impersonate the user.

Affected Location
https://app.qa.qa.cancerlinq.io/api/
https://app.qa.qa.cancerlinq.io/

Evidence
The server does not include an HSTS header.


Remediation
Configure the server to always send the “Strict-Transport-Security” HTTP header on HTTPS connections:

Strict-Transport-Security: max-age=31536000; includeSubDomains

(The max-age parameter is in seconds; the value given above is equivalent to one year.)
Note that the “Strict-Transport-Security” header is ignored by browsers when sent over HTTP. It must be
sent over HTTPS connections.

Additionally, to protect users’ initial connections to domains used by the application, consider
submitting domains to the HSTS preload list at https://hstspreload.org/.

References
• https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security
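Issues #6, #7, #8 and #10 each ask for a response header. The following Python is an added example, not code from the report, that checks a response's headers against those four recommendations: X-Frame-Options (or a CSP frame-ancestors directive), X-XSS-Protection, a Content-Security-Policy whose keywords such as 'self' are quoted, and an HSTS max-age of at least one year with includeSubDomains. The "observed" and "hardened" header sets are constructed.

```python
"""Audit of the response headers the low-risk findings call for (added example)."""

HSTS_MIN_AGE = 31536000  # one year, the value the report recommends
CSP_KEYWORDS = ("self", "none", "unsafe-inline", "unsafe-eval")  # must be quoted


def parse_csp(value):
    """'default-src 'self'; img-src data:' -> {'default-src': ["'self'"], 'img-src': ['data:']}"""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts(value):
    """'max-age=31536000; includeSubDomains' -> (31536000, True)"""
    max_age, subdomains = None, False
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = None
        elif part.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains


def audit_headers(headers):
    """Return a list of (issue, detail) for a dict of response headers (names are
    matched case-insensitively). An empty list means all four checks pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options", "").strip().upper()
    csp = parse_csp(h.get("content-security-policy", ""))
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append(("clickjacking", "no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors"))

    if "x-xss-protection" not in h:
        findings.append(("x-xss-protection", "header absent"))

    if not csp:
        findings.append(("csp", "Content-Security-Policy absent"))
    else:
        for directive, sources in csp.items():
            for src in sources:
                if src.lower() in CSP_KEYWORDS:
                    findings.append(("csp", f"{directive}: keyword {src} must be quoted as '{src}'"))

    if "strict-transport-security" not in h:
        findings.append(("hsts", "Strict-Transport-Security absent"))
    else:
        max_age, subdomains = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append(("hsts", f"max-age missing or below {HSTS_MIN_AGE}"))
        if not subdomains:
            findings.append(("hsts", "includeSubDomains missing"))
    return findings


# Constructed sample responses: roughly what the report observed, and a fixed set.
OBSERVED = {"Content-Type": "text/html", "Set-Cookie": "JSESSIONID=constructed; Path=/"}
HARDENED = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for issue, detail in audit_headers(OBSERVED):
        print(f"{issue}: {detail}")
    print("hardened findings:", audit_headers(HARDENED))
```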


Issue #11: User Enumeration

Attributes Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: Medium

Description The application returns an error message when a login attempt fails due to an incorrect
username and password combination. The exact error message returned varies
depending on whether the submitted username exists or not.

An attacker can use this information to brute force usernames and determine which
usernames exist on the system. This can give an attacker information on what
accounts may be possible to compromise and can also leak PII if the username is also
the user’s email address or contains their real name.

Affected Location https://www.cancerlinq.org/user/

Evidence

An error message indicates whether an account for the given username exists.

Remediation Use a generic error message to state the login attempt failed. This error message
should not change based on whether the username exists or not.
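The remediation above, shown as added example code (not from the report or the assessed application): a login routine that behaves as the finding describes, beside a hardened version that returns one generic message and performs the same password-hash work for unknown usernames, so that neither the message nor the response time reveals whether an account exists. The user store and credentials are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the hardened path runs this for every attempt, known user or not."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store (username -> (salt, hash)); not data from the assessed application.
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.org": (_SALT, hash_password("correct horse battery staple", _SALT)),
}
# Decoy record: unknown usernames are checked against this so their cost matches a real lookup.
_DECOY_SALT = os.urandom(16)
_DECOY = (_DECOY_SALT, hash_password(os.urandom(16).hex(), _DECOY_SALT))


def login_vulnerable(username: str, password: str) -> Tuple[bool, str]:
    """Behaviour described in the finding: the failure message depends on whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return False, "No account exists for this username."
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Incorrect password."
    return True, "Login successful."


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    """Remediated: one generic message, and identical work whether or not the username exists."""
    salt, stored = USERS.get(username, _DECOY)
    # compare_digest is constant-time; the decoy keeps an unknown username from returning early.
    match = hmac.compare_digest(hash_password(password, salt), stored)
    if match and username in USERS:
        return True, "Login successful."
    return False, GENERIC_ERROR


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, fn("nobody@example.org", "x"), fn("alice@example.org", "x"))
```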

References • https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
• https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication

Issue #12: Session Token found in URL


Attributes Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: High

Description During the final steps of authentication, the browser sends the Authorization token in the
“id_token_hint” GET parameter. URLs are stored in a variety of locations such as the user’s
browser, access logs on the server, and by any proxies that may have handled the request.

If an attacker compromises any of these sources, it may be possible to hijack a user’s active
session. Depending on the compromised source, such as a proxy, multiple users could be at
risk.

This mainly occurs when the user logs in using the provider account.

Affected Location https://okta.cancerlinq.io/oauth2/aus11ji6xs2wewSvF0h8/v1/logout?id_token_hint=eyJraWQ[…]&redirect_uri=https%3A%2F%2Fapp.qa.qa.cancerlinq.io%2Flogout

Evidence

The API session token is sent in the URL via the id_token_hint parameter.

Remediation Do not send sensitive information as a GET URL parameter. Sensitive data should be sent as a
POST parameter to avoid getting cached or stored by browsers, proxies, or logs. Authentication
information should be set as a cookie or HTTP header.
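Because URLs that have already reached access logs are the exposure described in this finding, the following added Python example (not part of the report) detects and redacts token-bearing query parameters such as id_token_hint in Combined Log Format lines, which is how a defender would sanitize retained logs and alert on tokens that still appear in URLs. The log lines, the server path and the JWT-shaped value are constructed and non-functional.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that carry credentials or session material; id_token_hint is the one from the finding.
SENSITIVE_PARAMS = {"id_token_hint", "id_token", "access_token", "refresh_token", "token", "session"}
# Compact JWT: three base64url segments, the header segment normally starting with "eyJ" ('{"' encoded).
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# Request line inside a Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def redact_url(url: str) -> Tuple[str, List[str]]:
    """Replace sensitive query values with [REDACTED]; return the cleaned URL and the parameter names hit."""
    parts = urlsplit(url)
    cleaned, hits = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Match on well-known parameter names, or on any value that looks like a JWT
        if name.lower() in SENSITIVE_PARAMS or JWT_RE.match(value):
            hits.append(name)
            value = "[REDACTED]"
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]"))), hits


def scrub_log_line(line: str) -> Tuple[str, List[str]]:
    """Redact the request target of one access-log line; hits is empty when nothing sensitive was found."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    cleaned, hits = redact_url(m.group("target"))
    return line[: m.start("target")] + cleaned + line[m.end("target"):], hits


# Constructed access-log lines; the token is a made-up, non-functional JWT-shaped string.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2023:10:15:02 +0000] "GET /oauth2/EXAMPLE_SERVER_ID/v1/logout'
    '?id_token_hint=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl'
    '&redirect_uri=https%3A%2F%2Fapp.example.org%2Flogout HTTP/1.1" 302 0',
    '10.0.0.7 - - [19/Oct/2023:10:15:09 +0000] "GET /api/patients?page=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        scrubbed, hits = scrub_log_line(entry)
        print(("ALERT " if hits else "ok    ") + scrubbed)
```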

References • https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url


Informational findings

Issue #13: Concurrent Logins Allowed

Attributes Overall Risk: Informational
User Risk: Indirect
Infrastructure Risk: None
Attack Complexity: High

Description The application permits multiple valid session tokens. Maintaining multiple valid
sessions for a user may result in concurrency faults that could arise when records within
the application are updated simultaneously by different active sessions. This could
result in inconsistent data and exceptions, and it may make illegitimate activity on a
compromised account harder to distinguish in logs when legitimate activity is taking place
at the same time.

Additionally, users are less likely to notice that their accounts have been compromised,
and they may be more likely to share accounts that permit concurrent login sessions.
Multiple simultaneous logins may also cause data integrity problems.

Affected Location https://app.qa.qa.cancerlinq.io/

Remediation Invalidate old, still existing session tokens when the user logs in. The user should be
notified upon login that their previous session existed, and users of the old sessions
should be notified that the sessions have been invalidated due to another login. Users
should have security-relevant actions available to them (change password, report
account compromise) if they do not recognize the other logins.

References • https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html


Issue #14: Version Disclosure

Attributes Overall Risk: Informational
User Risk: Indirect
Infrastructure Risk: None
Attack Complexity: High

Description Crosslake found that some web servers included application banners which include
version information. These server banners can help an attacker fingerprint server
applications and easily search for vulnerable servers when novel attacks are
discovered. While there is no specific vulnerability related to this finding, Crosslake
recommends disabling server banners.

It should be noted that despite the lack of a direct vulnerability, a server divulging
version information such as this goes against PCI recommendations.

Affected Location https://www.cancerlinq.org/module/contrib/webform/css
                  https://app.qa.qa.cancerlinq.io/patient/viewer

Evidence

The server banner provides version information.

Remediation Disable the server from providing version information in server banners or error
messages.


References • https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration


Methodology
Crosslake uses automated and manual analysis to assess the environment under this report's scope. In
addition to the tests and supporting evidence presented in prior sections, we leverage published OWASP
testing protocols, such as those listed below:

● Information gathering
● Configuration and deployment management testing
● Identity management testing
● Authentication testing
● Authorization testing
● Session management testing
● Input validation testing
● Error handling
● Cryptography
● Business logic testing
● Client-side testing

Tools and technology

Crosslake uses a variety of testing tools and technologies to perform automated analysis of client
environments. Below is a list of the major tools used for testing:

● Burp Proxy Pro (https://portswigger.net/burp)
● Nikto (https://cirt.net/Nikto2)
● Nmap (https://nmap.org/)
● Testssl.sh (https://testssl.sh/)
● sqlmap (http://sqlmap.org/)
● curl (https://curl.haxx.se/)
● openssl s_client (https://www.openssl.org/docs/manmaster/man1/s_client.html)

Goals and objectives

The goals and objectives of the assessment are as follows:

● Identify “alive” hosts on the network using scanning automation
● Identify open ports on hosts serving content to the Internet
● Discover applicable servers via banners
● Perform research on servers, host operating systems, and other applicable attack vectors to perform
additional analysis
● Identify vulnerabilities in system services or operating systems in a manual and automated fashion
while operating in “passive” mode
● Validate vulnerabilities to provide evidence and remove false positives
● Inventory and prioritize vulnerabilities based on real-world security risk
● Identify remediation steps for vulnerabilities
● Report on all of the above steps
