2022 Qoin Digital Korlantas Penetration Test

Confidentiality Warning

Copyright 2022 PT Qoin Digital Indonesia. All rights reserved.


Contents
Document Control 3
1 Overview 4
1.1. Scope (Assets, Environment & Method) 4
1.2. Controls 5
1.3. Timeline 5
1.4. Method 5
1.5. Report Format 5
2 Executive Summary 6
2.1. Phase 1 – Penetration test 6
2.2. Phase 2 – Penetration test 6
2.3. Findings Profile 7
3 Web Application Findings 8
Finding 1: Web: Email Address Enumeration in Alert Login Web Admin Login 8
Finding 2: Web: Weak Password Policy Leading to Exposure of Administrator Account Access 10
Finding 3: Use of Vulnerable Components (jQuery) 12
4 Android Findings 14
Finding 4: Cleartext Storage of Sensitive Information Leaked RSA Private and Public Keys 14
5 iOS Findings 16
Finding 5: Insecure Data Storage Leads to Leaked Sensitive Data Information - File Storage Unencrypted 16
6 API Findings 18
Finding 6: No Rate Limit on Web Admin Login 18
Finding 7: No Rate Limit on Forgot Pin 19
Finding 8: No Rate Limit Login on officer login 21
Appendix A 23
Testing Tools 23
Penetration Test Method 23

Document Control

Release Version   Date             Changes                      Prepared by
0.1               17 October 2022  Final Report                 Qoin Security Team
0.2               18 October 2022  Updated with more findings   Qoin Security Team
0.3               19 October 2022  Updated with more findings   Qoin Security Team

1 Overview

PT Qoin Digital Indonesia, herein referred to as “Qoin”, carried out the Digital Korlantas Web and Mobile
Penetration Test to measure the strength of security of its web and mobile applications, expose any
weak spots, and recommend an effective plan of action for remediation.

1.1. Scope (Assets, Environment & Method)


Phase 1:

Digital Korlantas Web Admin & API Penetration Test

URL – https://web-admin.digitalkorlantas.id/login

Environment - Production

Method – external black-box methods

Digital Korlantas iOS Penetration Test

Environment - Production

Method – external black-box methods

Digital Korlantas Android Penetration Test

Environment - Production

Method – external black-box methods

Phase 2:

Digital Korlantas Web Admin & API Penetration Test

URL – https://web-admin.digitalkorlantas.id/login

Environment - Production

Method – external black-box methods

Digital Korlantas iOS Penetration Test

Environment - Production

Method – external black-box methods

Digital Korlantas Android Penetration Test

Environment - Production

Method – external black-box methods


1.2. Controls
The in-scope assets were measured against the following controls:

• Open Web Application Security Project (OWASP).

• Penetration Testing Execution Standard (PTES).

• Open Source Security Testing Methodology Manual (OSSTMM).

• Information Systems Security Assessment Framework (ISSAF).

• Mobile Application Security Verification Standard (MASVS).

• Mobile Application Security Testing Guide (MASTG).

1.3. Timeline
Phase 1 – Penetration test: From 10 October 2022 to 14 October 2022.

Phase 2 – Penetration test: From 17 October 2022 to 19 October 2022.

1.4. Method
Our standardized method advances the objective of the assessment: to evaluate the security
posture of the assets in scope, to detect every deviation from industry-adopted controls, and
to provide expert and fortifying remediation strategies.

For more information on our methodology, see Appendix A.

1.5. Report Format


This report contains the findings and recommendations arising from Phase 1 activities. It will
be updated once Phase 2 is completed.

This report is organised into two (2) main sections:

(1) Executive Summary
Critical security weaknesses are highlighted and their serious risks and impact to the business are
identified. High-level and actionable strategies to enhance the organization’s security posture are
laid out.

(2) Findings (General, API, Web, App, Infra, ..)
Each security finding is explained. The following are provided in detail:
• Description
• Potential threats and risks
• Risk score
• Recommended remediation

2 Executive Summary

2.1. Phase 1 – Penetration test


The Digital Korlantas Web and Mobile Penetration Test project conducted by Qoin Security
Team from 10 October 2022 to 14 October 2022 yielded detection of security vulnerabilities.

➔ A total of seven (4) security vulnerabilities were detected.

➔ The other findings are ranked medium-risk, where the impact of an attack is neither critical
nor major, combined with a likelihood of attack that is possible/unlikely/rare.

We strongly advise that these should be reviewed and mitigated because they represent
risks to the business.

➔ The findings with their corresponding status are listed in the Findings Summary table, found
in the Findings Profile section of this report.

2.2. Phase 2 – Penetration test


The Digital Korlantas Web and Mobile Penetration Test project conducted by Qoin Security
Team from 17 October 2022 to 19 October 2022 yielded detection of security vulnerabilities.

➔ A total of seven (4) security vulnerabilities were detected.

➔ The high-risk findings are a result of:
◆ iOS: Insecure Data Storage Leads to Leaked Sensitive Data Information
◆ WEB: Weak Password Policy Leading to Exposure of Administrator Account Access
➔ The other findings are ranked medium-risk, where the impact of an attack is neither critical
nor major, combined with a likelihood of attack that is possible/unlikely/rare.

We strongly advise that these should be reviewed and mitigated because they represent
risks to the business.

➔ The findings with their corresponding status are listed in the Findings Summary table, found
in the Findings Profile section of this report.

2.3. Findings Profile

The charts below show a visual overview of the results.

All security findings, including high-risk findings, are listed below.

No  Finding Title                                                                            Risk      Status
1   Web: Weak Password Policy Leading to Exposure of Administrator Account Access            Critical  Unresolved
2   iOS: Insecure Data Storage Leads to Leaked Sensitive Data Information                    High      Unresolved
3   API: No Rate Limit on Web Admin Login                                                    Medium    Unresolved
4   API: No Rate Limit on Forgot Pin                                                         Medium    Unresolved
5   API: No Rate Limit Login on officer login                                                Medium    Unresolved
6   Web: Email Address Enumeration in Alert Login Web Admin /login                           Medium    Unresolved
7   Web: Use of Vulnerable Components (jQuery)                                               Medium    Unresolved
8   Android: Cleartext Storage of Sensitive Information Leaked RSA Private and Public Keys   Medium    Unresolved

3 Web Application Findings

Finding 1: Web: Email Address Enumeration in Alert Login Web Admin Login

Risk: Medium Status: Open as of 11 October 2022

Description

During the external black-box penetration test in the Production environment of Digital Korlantas Web
Admin, Qoin Security Team discovered Email Address Enumeration in the Alert Login of Web Admin.

Affected URL:

● https://web-admin.digitalkorlantas.id/login

We tried to log in as user info@loyalto.com and discovered, based on the response we got, that the
user does not exist.

Then, we tried to log in again using the email info@digitalkorlantas.id. Based on the response we got,
we found that the system reported a password that did not match the email.

Impact

An attacker can use the differing responses to brute-force email addresses and find out whether
each address is registered in the database or not.

Recommendations

● Give the same response and alert whether the email or the password field is wrong
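An added example, not code from the report or from Digital Korlantas: a minimal Python login check showing the leaky pattern beside a hardened version that returns one generic error and does the same password-hashing work whether or not the email exists, so neither the message nor the response time reveals which field failed. The user store, salts and the address admin@example.test are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
GENERIC_ERROR = "Invalid email or password"


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"admin@example.test": (_SALT, hash_password("correct horse battery", _SALT))}

# Dummy record used for unknown emails so the hashing work is always done.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-never-matches", _DUMMY_SALT)


def login_leaky(email: str, password: str) -> tuple:
    """Vulnerable pattern: the error text reveals whether the email is registered."""
    if email not in USERS:
        return False, "Email not registered"
    salt, stored = USERS[email]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Password does not match"
    return True, "OK"


def login_hardened(email: str, password: str) -> tuple:
    """Same generic message and the same hashing work on every failure path."""
    known = email in USERS
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    # Never accept the dummy record, even if its placeholder password is guessed.
    if known and matched:
        return True, "OK"
    return False, GENERIC_ERROR
```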

Finding 2: Web: Weak Password Policy Leading to Exposure of Administrator Account Access

Risk: Critical Status: Open as of 18 October 2022

Description

Korlantas Digital has a web admin that can be accessed via the URL
https://web-admin.digitalkorlantas.id/login. The application is using the default “Administrator for the
default organization” credentials. Below is screenshot proof that we successfully logged in with the
email hafida@loyalto.id and the password 123123.

Impact

● The Digital Korlantas admin website was misconfigured in a manner that may have allowed a
malicious user to log in with the administrator for the default organization account credentials.
● Admin account compromise

Recommendations

● Change the password of the user or disable the account
● Enforce a strong password policy. Do not permit weak passwords or passwords based on
dictionary words.
● Apply uppercase and lowercase requirements, and require numbers and special characters
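An added example, not code from the report: a Python password-policy check implementing the recommendations above (length, character classes, no dictionary or common passwords, no account name, no sequential or repeated runs). The deny list is a constructed stand-in for a real breached-password or dictionary list.

```python
import re
import string

MIN_LENGTH = 12
# Constructed deny list; a real deployment loads a large breached-password list.
DENY_LIST = {"123123", "123456", "password", "qwerty", "admin", "korlantas"}


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending characters (abcd, 4321)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password: str, email: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    low = password.lower()
    # Reject exact deny-list hits and passwords built around a longer deny-list word.
    if low in DENY_LIST or any(w in low for w in DENY_LIST if len(w) >= 5):
        problems.append("contains a dictionary or common password")
    local = email.split("@")[0].lower()
    if local and local in low:
        problems.append("contains the account name")
    if _has_sequence(password) or re.search(r"(.)\1{2,}", password):
        problems.append("contains a sequential or repeated run")
    return problems
```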

Finding 3: Use of Vulnerable Components (jQuery)

Risk: Medium Status: Open as of 19 October 2022

Description

Approximately 80% of the code in today’s applications comes from libraries and frameworks, and the
risk of vulnerabilities in these components is widely ignored and underappreciated.


An external black-box penetration test in the production environment of Digital Korlantas Web Admin
(https://web-admin.digitalkorlantas.id) revealed use of a vulnerable jQuery library.
We discovered that the application uses jQuery 3.4.0.

jQuery v3.4.0 is known to be vulnerable to:

● CVE-2020-11022: the regex in jQuery.htmlPrefilter may sometimes introduce XSS
● CVE-2020-11023: the regex in jQuery.htmlPrefilter may sometimes introduce XSS

Impact

Known vulnerabilities of the web server can be exploited by a malicious attacker to gain access to the
internal network, gather more information, or launch more serious attacks. This may cause disruption
to Digital Korlantas Web Admin.

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into
otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application
to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws
that allow these attacks to succeed are quite widespread and occur anywhere a web application uses
input from a user within the output it generates without validating or encoding it.

Recommendations

Digital Korlantas is advised to consider and act on the following recommendations to fix this
vulnerability:
● It is strongly recommended to implement a patch management solution to improve patch
management and simplify the process of patch maintenance across Permata’s information
system.
● It is important to ensure that all critical systems have a test-bed installation where the impact of
security patches can be safely tested before patches are applied to the production environment.
● It is recommended to update the Software Development Life Cycle (SDLC) process to require
prompt implementation of security updates on production systems.

4 Android Findings
Finding 4: Cleartext Storage of Sensitive Information Leaked RSA Private and Public Keys

Risk: Medium Status: Open as of 11 October 2022

Description

The application stores sensitive information in cleartext within a resource that might be accessible to
another control sphere. Because the information is stored in cleartext, attackers could potentially
read it. Even if the information is encoded in a way that is not human-readable, certain techniques
could determine which encoding is being used, then decode the information.

Impact

Lack of encryption of sensitive data on iOS could result in leakage of information if the device is
stolen, accessed by an unauthorized user, or infected by malware.

Recommendations

Digital Korlantas is advised to consider and act on the following recommendations to fix this
vulnerability:

● Do not store sensitive data information on the device
● Implement encryption of sensitive data stored on the device

5 iOS Findings

Finding 5: Insecure Data Storage Leads to Leaked Sensitive Data Information - File Storage Unencrypted

Risk: Medium Status: Open as of 17 October 2022

Description

During the external black-box penetration test of the Digital Korlantas iOS Application, I discovered
insecure data storage at
/var/mobile/Containers/Data/Application/730A3C0E-524E-4413-8B28-0EB5240684FF/Library/Preferences/id.qoin.korlantas.user.plist.

The file contains sensitive user data such as Email, NIK, KK Number, Phone Number, Full name and
Token.

Impact

Lack of encryption of sensitive data on iOS could result in leakage of information if the device is
stolen, accessed by an unauthorized user, or infected by malware.

Recommendations

Digital Korlantas is advised to consider and act on the following recommendations to fix this
vulnerability:

● Do not store sensitive data information on the device
● Implement encryption of sensitive data stored on the device

6 API Findings

Finding 6: No Rate Limit on Web Admin Login

Risk: Medium Status: Open as of 13 October 2022

Description

The software does not properly limit the number or frequency of interactions that it has with an
actor, such as the number of incoming requests to https://web-admin.digitalkorlantas.id/login.

Impact

This vulnerability allows enumeration of users, emails and passwords, and attackers can carry out
flooding and brute-force attacks.

Recommendations

To mitigate this issue, developers should implement a timeout after a number of requests in a period
of time, or implement a CAPTCHA mechanism on the form pages.

Finding 7: No Rate Limit on Forgot Pin

Risk: Medium Status: Open as of 13 October 2022

Description

The software does not properly limit the number or frequency of interactions it has with actors, such
as the number of requests sent to https://dev-digid-korlantas.loyalto.id/officer-manager-forgot-pin.

Impact

This vulnerability allows enumeration of passwords, and attackers can carry out flooding and
brute-force attacks.

Recommendations

To mitigate this issue, developers should implement a timeout after a number of requests in a period
of time, or implement a CAPTCHA mechanism on the form pages.

Finding 8: No Rate Limit Login on officer login

Risk: Medium Status: Open as of 19 October 2022

Description

The software does not properly limit the number or frequency of interactions it has with actors, such
as the number of requests sent to https://dev-digid-korlantas.loyalto.id/officer-manager-login.

Impact

This vulnerability allows enumeration of passwords, and attackers can carry out flooding and
brute-force attacks.

Recommendations

To mitigate this issue, developers should implement a timeout after a number of requests in a period
of time, or implement a CAPTCHA mechanism on the form pages.
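An added example, not code from the report, serving Findings 6, 7 and 8 together: a Python sliding-window rate limiter with temporary lockout, applied once per source IP and once (more strictly) per target account, which is the "timeout after a number of requests in a period of time" control recommended above. The limits, the injectable clock and the sample IP/account values are assumptions chosen for the example.

```python
from collections import defaultdict, deque
import time


class RateLimiter:
    """Allows at most `limit` attempts per `window_s` seconds per key, then locks the key out."""

    def __init__(self, limit: int, window_s: float, lockout_s: float, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock                  # injectable so tests can run deterministically
        self._hits = defaultdict(deque)     # key -> timestamps of recent attempts
        self._locked_until = {}             # key -> time at which the lockout expires

    def allow(self, key: str) -> bool:
        """Record one attempt for key and return False if it must be rejected."""
        now = self.clock()
        if self._locked_until.get(key, 0) > now:
            return False
        q = self._hits[key]
        while q and now - q[0] > self.window_s:   # discard attempts outside the window
            q.popleft()
        q.append(now)
        if len(q) > self.limit:
            self._locked_until[key] = now + self.lockout_s
            q.clear()
            return False
        return True


class LoginGuard:
    """One limiter per source IP and a stricter one per account (login or forgot-PIN target)."""

    def __init__(self, clock=time.monotonic):
        # Assumed limits: 20 attempts/min per IP, 5 attempts/min per account.
        self.per_ip = RateLimiter(limit=20, window_s=60, lockout_s=300, clock=clock)
        self.per_account = RateLimiter(limit=5, window_s=60, lockout_s=900, clock=clock)

    def check(self, ip: str, account: str) -> bool:
        # Evaluate both so an attempt against a locked account still counts against the IP.
        ip_ok = self.per_ip.allow("ip:" + ip)
        acct_ok = self.per_account.allow("acct:" + account.strip().lower())
        return ip_ok and acct_ok
```

Requests rejected by check() should receive the same generic response as a failed login, and the rejection should be logged with the IP and account key for detection.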

Appendix A

Testing Tools

A combination of industry-standard security procedures and commercial, open-source and our
proprietary tools and techniques are used for the penetration test.

The following are the commonly used tools during a penetration test engagement. Do note that this
is not an exhaustive list.

● Burpsuite Pro
● SQLMap
● IDA Pro
● Nmap

Penetration Test Method

The method of penetration testing used at Qoin Security Team has been developed around these
industry standards:

● Open Source Security Testing Methodology Manual (OSSTMM)
● Information Systems Security Assessment Framework (ISSAF)
● OWASP Testing Guide Chapter 4
● Penetration Testing Execution Standard (PTES)

The method combines both black-box (zero knowledge of the target system) and white-box
approaches (partial knowledge of the target system).

Our method ensures a rapid implementation of the recommended changes and provides immediate
security improvement.