Halborn July 2022 - WebApp Pentest
Tokemak_WebApp_Pentest_Report_Halborn_Final-2.pdf
1MB
PDF
Individual auditors personal emails have been redacted in the above pdf (pdf also embedded below summary)
Summary:
- Recommendation: It is recommended implementing Subresource Integrity (SRI) mechanism on all scripts hosted on servers not under Tokemak control. Also note that SRI applies to both and tags.
- Risk Level: Low
- Status: SOLVED - 08/19/2022
- Additional Notes: The issue was solved by removing links to third-party scripts and hosting all code on the Tokemak side on part of the domains listed above, except for docs.tokemak.xyz, for which a self-hosted Gitbook will be prepared in the near future.
- Recommendation: The target solution should be to isolate all development and administration environments from the public network. The easiest way to do this is at the AWS or related configuration level, so that only whitelisted addresses can authenticate against non-production resources, and the organization can be sure that 0day vulnerabilities will not affect those resources from the Internet.
- Risk Level: Low
- Status: RISK ACCEPTED
- Additional Notes: No change at this time but will evaluate changes in the future. All production and non-production services are isolated to their own hosting accounts to prevent any cross contamination in the meantime.
- Recommendation: It should be verified that each user (public access) should be able to use the service as described above. If not, access to the functionality should be blocked.
- Risk Level: Low
- Status: RISK ACCEPTED
- Additional Notes: This is meant to be public at this time.
- Recommendation: It is strongly recommended to perform an automated analysis of the dependencies from the birth of the project and if they contain any security issues. Developers should be aware of this and apply any necessary mitigation measures to protect the affected application.
- Risk Level: Low
- Status: SOLVED - 08/12/2022
- Additional Notes: The issue has been resolved.
PDF Embed: