App Github

Halborn July 2022 - WebApp Pentest

Summary:

(HAL-01) MISSING SUBRESOURCE INTEGRITY MECHANISM IN RELATION TO THE THIRD PARTY SCRIPTS USED

  • Recommendation: It is recommended implementing Subresource Integrity (SRI) mechanism on all scripts hosted on servers not under Tokemak control. Also note that SRI applies to both and tags.

  • Risk Level: Low

  • Status: SOLVED - 08/19/2022

  • Additional Notes: The issue was solved by removing links to third-party scripts and hosting all code on the Tokemak side on part of the domains listed above, except for docs.tokemak.xyz, for which a self-hosted Gitbook will be prepared in the near future.

(HAL-02) NON-PRODUCTION ENVIRONMENTS ACCESSIBLE FROM THE INTERNET

  • Recommendation: The target solution should be to isolate all development and administration environments from the public network. The easiest way to do this is at the AWS or related configuration level, so that only whitelisted addresses can authenticate against non-production resources, and the organization can be sure that 0day vulnerabilities will not affect those resources from the Internet.

  • Risk Level: Low

  • Status: RISK ACCEPTED

  • Additional Notes: No change at this time but will evaluate changes in the future. All production and non-production services are isolated to their own hosting accounts to prevent any cross contamination in the meantime.

(HAL-03) SERVER-SIDE REQUEST FORGERY VIA CLOUDFLARE SERVICE

  • Recommendation: It should be verified that each user (public access) should be able to use the service as described above. If not, access to the functionality should be blocked.

  • Risk Level: Low

  • Status: RISK ACCEPTED

  • Additional Notes: This is meant to be public at this time.

(HAL-04) PASSWORDS SHARED BETWEEN ENVIRONMENTS

  • Recommendation: Each environment should have different credentials to access it. We suggest increasing the password complexity - especially in relation to environments available from the Internet.

  • Risk Level: Low

  • Status: SOLVED - 08/12/2022

  • Additional Notes: The issue was solved by setting different password for each environment.

(HAL-05) USING PACKAGES WITH KNOWN VULNERABILITIES

  • Recommendation: It is strongly recommended to perform an automated analysis of the dependencies from the birth of the project and if they contain any security issues. Developers should be aware of this and apply any necessary mitigation measures to protect the affected application.

  • Risk Level: Low

  • Status: SOLVED - 08/12/2022

  • Additional Notes: The issue has been resolved.

PDF Embed:

PreviousHalborn November 2022 - accTOKENextHalborn June 2022 - Voting Delegation Staking

Last updated