Qoin Korlantas Penetration Test Report - 20102022.docx - Final
Confidentiality Warning
Contents
Document Control
1 Overview
1.1. Scope (Assets, Environment & Method)
1.2. Controls
1.3. Timeline
1.4. Method
1.5. Report Format
2 Executive Summary
2.1. Phase 1 – Penetration test
2.2. Phase 2 – Penetration test
2.3. Findings Profile
3 Web Application Findings
Finding 1: Web: Email Address Enumeration in Alert Login Web Admin Login
Finding 2: Web: Weak Password Policy Leading to Exposure of Administrator Account Access
Finding 3: Use of Vulnerable Components (jQuery)
4 Android Findings
Finding 4: Cleartext Storage of Sensitive Information Leaked RSA Private and Public Keys
5 iOS Findings
Finding 5: Insecure Data Storage Leads to Leaked Sensitive Data Information - File Storage Unencrypted
6 API Findings
Finding 6: No Rate Limit on Web Admin Login
Finding 7: No Rate Limit on Forgot Pin
Finding 8: No Rate Limit on Officer Login
Appendix A
Testing Tools
Penetration Test Method
2022 Qoin Digital Korlantas Penetration Test
Document Control
1 Overview
PT Qoin Digital Indonesia, herein referred to as “Qoin”, carried out the Digital Korlantas Web and Mobile Penetration Test to measure the strength of security of its web and mobile applications, expose any weak spots, and recommend an effective plan of action for remediation.
1.1. Scope (Assets, Environment & Method)
Phase 1:
URL – https://web-admin.digitalkorlantas.id/login
Environment – Production
Phase 2:
URL – https://web-admin.digitalkorlantas.id/login
Environment – Production
1.2. Controls
The in-scope assets were measured against the following controls:
1.3. Timeline
Phase 1 - Pen-test: From 10 October 2022 to 14 October 2022.
1.4. Method
Our standardized method advances the objective of the assessment: to evaluate the security
posture of the assets in scope, to detect every deviation from industry-adopted controls, and
to provide expert and fortifying remediation strategies.
1.5. Report Format
The report is organised into (1) an Executive Summary and (2) Findings (General, API, Web, App, Infra, ...).
2 Executive Summary
We strongly advise that these findings be reviewed and mitigated, because they represent risks to the business.
➔ The findings with their corresponding status are listed in the Findings Summary table, found in the Findings Profile section of this report.
3 Web Application Findings
Finding 1: Web: Email Address Enumeration in Alert Login Web Admin Login
Description
During the external black-box penetration test of the Production environment of Digital Korlantas Web Admin, the Qoin Security Team discovered email address enumeration in the login alert of Web Admin.
Affected URL:
● https://web-admin.digitalkorlantas.id/login
We tried to log in as user info@loyalto.com and, based on the response we received, found that the user does not exist.
We then tried to log in again using the email info@digitalkorlantas.id. Based on that response, we found that the system accepted the email but reported that the password did not match it.
Impact
An attacker can use this difference in responses to brute-force whether or not an email address is registered in the database.
Recommendations
● Return the same response and alert whether the email or the password field is wrong.
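As an added illustration of this recommendation (example code written for this edit, not the report's own and not code from the Digital Korlantas application), the following Python login check returns one generic message whether the email is unknown or the password is wrong, and performs the same password-hashing work on both paths so that response timing does not reveal which case occurred. The user table, salt and account names are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data for the example; a real deployment would use a
# random per-user salt (os.urandom(16)) stored alongside the hash.
_ITERATIONS = 100_000
_SALT = b"constructed-example-salt"


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the same function runs on both code paths."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


# Constructed user store: one registered administrator account.
USERS = {
    "admin@example.invalid": {
        "salt": _SALT,
        "hash": _hash_password("correct horse battery staple", _SALT),
    },
}

# A throw-away hash compared against when the email is unknown, so the
# unknown-user path costs the same as the wrong-password path.
_DUMMY_HASH = _hash_password("unused-dummy-password", _SALT)

# One message for both failure causes: the client cannot tell them apart.
GENERIC_ERROR = "Invalid email or password."


def login(email, password):
    """Return (success, message). The message is identical for an unknown
    email and for a wrong password."""
    record = USERS.get(email.strip().lower())
    if record is None:
        candidate = _hash_password(password, _SALT)
        expected = _DUMMY_HASH
        known_user = False
    else:
        candidate = _hash_password(password, record["salt"])
        expected = record["hash"]
        known_user = True
    # Constant-time comparison; the dummy path can never succeed because
    # known_user is False even if the candidate happens to match.
    if hmac.compare_digest(candidate, expected) and known_user:
        return True, "Login successful."
    return False, GENERIC_ERROR
```

The same idea applies to "forgot password" flows: acknowledge the request with one neutral message regardless of whether the address is registered.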
Finding 2: Web: Weak Password Policy Leading to Exposure of Administrator Account Access
Description
Korlantas Digital has a web admin panel whose login page is reachable at https://web-admin.digitalkorlantas.id/login. The application is using the default “Administrator for the default organization” credentials. Below is screenshot proof that we successfully logged in with the email hafida@loyalto.id and password 123123.
Impact
● The Digital Korlantas admin website was misconfigured in a manner that may have allowed a malicious user to log in with the “Administrator for the default organization” account credentials.
● Admin account compromise.
Recommendations
Finding 3: Use of Vulnerable Components (jQuery)
Description
Approximately 80% of the code in today’s applications comes from libraries and frameworks and the
Impact
Known vulnerabilities of the web server can be exploited by a malicious attacker to gain access to the internal network, gather more information, or launch more serious attacks. This may cause disruption to the Digital Korlantas Web Admin.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into
otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application
to send malicious code, generally in the form of a browser side script, to a different end user. Flaws
that allow these attacks to succeed are quite widespread and occur anywhere a web application uses
input from a user within the output it generates without validating or encoding it.
Recommendations
Digital Korlantas is advised to consider and act on the following recommendations to fix this vulnerability:
● It is strongly recommended to implement a patch management solution to improve patch management and simplify patch maintenance across Permata’s information systems.
● It is important to ensure that all critical systems have a test-bed installation where the impact of security patches can be safely tested before they are applied to the production environment.
● It is recommended to update the Software Development Life Cycle (SDLC) process to require prompt implementation of security updates on production systems.
4 Android Findings
Finding 4: Cleartext Storage of Sensitive Information Leaked RSA Private and
Public Keys
Description
The application stores sensitive information in cleartext within a resource that might be accessible to
another control sphere. Because the information is stored in cleartext, attackers could potentially
read it. Even if the information is encoded in a way that is not human-readable, certain techniques
could determine which encoding is being used, then decode the information.
Impact
Lack of encryption of sensitive data on the device could result in leakage of information if the device is stolen, accessed by an unauthorized user, or infected by malware.
Recommendations
Digital Korlantas is advised to consider and act on the following recommendations to fix this
vulnerability:
5 iOS Findings
Finding 5: Insecure Data Storage Leads to Leaked Sensitive Data Information - File Storage Unencrypted
Description
During the external black-box penetration test of the Digital Korlantas iOS application, I discovered insecure data storage at /var/mobile/Containers/Data/Application/730A3C0E-524E-4413-8B28-0EB5240684FF/Library/Preferences/id.qoin.korlantas.user.plist.
The file contains sensitive user data such as Email, NIK, KK Number, Phone Number, Full Name and Token.
Impact
Lack of encryption of sensitive data on iOS could result in leakage of information if the device is stolen, accessed by an unauthorized user, or infected by malware.
Recommendations
Digital Korlantas is advised to consider and act on the following recommendations to fix this
vulnerability:
6 API Findings
Finding 6: No Rate Limit on Web Admin Login
Description
The software does not properly limit the number or frequency of interactions it has with an actor, such as the number of incoming requests to https://web-admin.digitalkorlantas.id/login.
Impact
This weakness enables enumeration of users, emails and passwords, and lets attackers carry out flooding and brute-force attacks.
Recommendations
To mitigate this issue, developers should implement a timeout after a number of requests within a period of time, or implement a CAPTCHA mechanism on the form pages.
Finding 7: No Rate Limit on Forgot Pin
Description
The software does not properly limit the number or frequency of interactions it has with actors, such as the number of requests sent to https://dev-digid-korlantas.loyalto.id/officer-manager-forgot-pin.
Impact
This weakness enables enumeration of passwords, and lets attackers carry out flooding and brute-force attacks.
Recommendations
To mitigate this issue, developers should implement a timeout after a number of requests within a period of time, or implement a CAPTCHA mechanism on the form pages.
Finding 8: No Rate Limit on Officer Login
Description
The software does not properly limit the number or frequency of interactions it has with actors, such as the number of requests sent to https://dev-digid-korlantas.loyalto.id/officer-manager-login.
Impact
This weakness enables enumeration of passwords, and lets attackers carry out flooding and brute-force attacks.
Recommendations
To mitigate this issue, developers should implement a timeout after a number of requests within a period of time, or implement a CAPTCHA mechanism on the form pages.
Appendix A
Testing Tools
The following are the commonly used tools during a penetration test engagement. Do note that this
is not an exhaustive list.
● Burpsuite Pro
● SQLMap
● IDA Pro
● Nmap
Penetration Test Method
The method of penetration testing used by the Qoin Security Team has been developed around these industry standards:
The method combines both black-box (zero knowledge of the target system) and white-box
approaches (partial knowledge of the target system).
Our method ensures a rapid implementation of the recommended changes and provides immediate
security improvement.