Summary
Mantua, the VAPT vendor, started performing a Black Box VAPT of the SaFi mobile app and Back Office on . Mantua found a total of 26 vulnerabilities during this engagement.
2 - P2 vulnerabilities
5 - P3 vulnerabilities
19 - P4 vulnerabilities
According to the vendor, the current security risk posture is MEDIUM.
The initial phase is completed and remediation planning is ongoing.
Password: SuJ2pIko?u?+i@re8&O5
Password: S4ltracR=yumobugicro
Final VAPT report completed last .
Password: Ramlsowr8geB54VO7i$a
Password: ZO=RujU_lqijEX78r8po
Password: XbveLXIr0V
Password: rxNoQOtY6tyEiDNb
Timeline
Mantua started the VAPT engagement.
5% completed for mobile and web.
As usual, errors and inquiries were found. Mantua provided the attached list.
Permissions based on the Access Matrix in Back Office are not working as they should.
Possible vulnerability: Broken Access Control
Waiting for the official vulnerability report (might be given tomorrow, ).
10% completed for web VAPT
8% completed for mobile VAPT
Found 3 vulnerabilities in Back Office
SM-6654
SM-6655
SM-6656
Found 1 vulnerability in the Mobile App
SM-6658
None of the findings are final yet.
17% completed for web VAPT
11% completed for mobile VAPT
Found 2 vulnerabilities in Back Office
SM-6697
SM-6698
No new findings in the Mobile App
None of the findings are final yet.
20% completed for web VAPT
11% completed for mobile VAPT
Found 1 new vulnerability in Back Office
SM-6786
No new findings in the Mobile App
None of the findings are final yet.
Holiday in PH. No progress update.
30% completed for web VAPT
18% completed for mobile VAPT
No new findings for web and mobile.
No activity issue was found related to the 'Pay bills' feature, which is out of scope for this EPFS.
40% completed for web VAPT
18% completed for mobile VAPT
Found 1 new vulnerability in Back Office
SM-7017
50% completed for web VAPT
18% completed for mobile VAPT
No new findings for web and mobile.
Found an issue related to uploading an image for the profile photo.
60% completed for web VAPT
18% completed for mobile VAPT
Found 3 new vulnerabilities in the Mobile App
SM-7065
SM-7066
SM-7068
70% completed for web VAPT
75% completed for mobile VAPT
90% completed for web VAPT
80% completed for mobile VAPT
Found 5 new vulnerabilities in Back Office and the Mobile App
SM-7193
SM-7194
SM-7195
SM-7196
SM-7197
100% completed for web and mobile VAPT
Found 10 new vulnerabilities
SM-7451
SM-7449
SM-7448
SM-7447
SM-7446
SM-7444
SM-7450
SM-7440
SM-7441
SM-7442
Reported a total of 26 vulnerabilities.
Web and mobile VAPT re-testing (revalidation) completed.
Vulnerabilities
| Jira Ticket | Finding | Status | Risk Rating | CVSS Score | Severity | Action | ETA |
|---|---|---|---|---|---|---|---|
| SM-6654 | SaFi-2022-1 BOFE Access Control Matrix Misconfiguration | Done | High | 7.6 HIGH | P2 - HIGH | Fix | Resolved |
| SM-6655 | SaFi-2022-2 BOFE Insecure Direct Object References | Done | Medium | 6.7 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-6656 | SaFi-2022-3 BOFE HTTP Headers Best Practices | Done | Low | 2.9 LOW | P4 - MINOR | Plan | Resolved |
| SM-6658 | SaFi-2022-4 SaFi Mobile Application Crashes When Enabling Biometric ID Log In | Done | Medium | 5.7 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-6697 | SaFi-2022-5 BOFE Unauthorized Viewing of Documents | Done | Medium | 6.7 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-6698 | SaFi-2022-6 BOFE Possible to Upload Malicious Files | Done | Medium | 3.5 LOW | P4 - MINOR | Fix | Resolved |
| SM-6786 | SaFi-2022-7 BOFE Lack of Server-side Input Validation | Done | Medium | 6.7 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-7017 | SaFi-2022-8 BOFE Unexpected File Type Upload | Done | High | 6.7 MEDIUM | P2 - HIGH | Fix | Resolved |
| SAF-130 | SaFi-2022-9 SaFi Mobile Application Information Disclosure via Stack Trace | Backlog | Low | 2.2 LOW | P4 - MINOR | Plan | TBD Remediation plan |
| SAF-142 | SaFi-2022-10 SaFi Mobile Application HTTP Headers and Cookies Best Practices | Done | Low | 1.9 LOW | P4 - MINOR | Plan | TBD Remediation plan |
| SM-7068 | SaFi-2022-11 SaFi Mobile Application Lack of Server-side Input Validation | Done | Medium | 5.3 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-7193 | SaFi-2022-12 BOFE Cross-Origin Resource Sharing Misconfiguration | Done | Low | 2.7 LOW | P4 - MINOR | Plan | Resolved |
| SAF-890 | FE: SaFi-2022-13 BOFE Server Information Disclosure | Blocker | Low | 2.7 LOW | P4 - MINOR | Plan | TBD Remediation plan |
| SM-7195 | SaFi-2022-14 SaFi Mobile Weak SSL/TLS Cipher Suites Supported | Done | Low | 2.8 LOW | P4 - MINOR | Fix | Resolved |
| SM-7196 | SaFi-2022-15 SaFi Mobile Backgrounded Application Displays Sensitive Information | Done | Low | 1.7 LOW | P4 - MINOR | Fix | Resolved |
| SM-7197 | SaFi-2022-16 SaFi Mobile Sensitive Information Stored in Memory | To Do | Low | 1.5 LOW | P4 - MINOR | Plan | TBD Remediation plan |
| SM-7442 | SaFi-2022-17 SaFi Mobile Testing Unnecessary Permission | Done | Low | 1.6 LOW | P4 - MINOR | Fix | Resolved |
| SM-7441 | SaFi-2022-18 SaFi Mobile Janus Vulnerability | Done | Low | 1.6 LOW | P4 - MINOR | Fix | Resolved |
| SM-7440 | SaFi-2022-19 SaFi Mobile Sensitive Information Stored in Logs | Resolved | Low | 3.3 LOW | P4 - MINOR | Plan | Resolved |
| SM-7450 | SaFi-2022-20 SaFi Mobile Overlay Attacks | To Do | Low | 3.3 LOW | P4 - MINOR | Plan | TBD Remediation plan |
| SM-7444 | SaFi-2022-21 SaFi Mobile Lack of Logout Functionality | Done | Low | 3.6 LOW | P4 - MINOR | Fix | Dec-15-2022 |
| SM-7446 | SaFi-2022-22 SaFi Mobile Sensitive Information Stored in Local Storage | In Review | Low | 3.3 LOW | P4 - MINOR | Plan | TBD Remediation plan |
| SM-7447 | SaFi-2022-23 SaFi Mobile Lack of Root/Jailbreak Detection | Done | Low | 3.3 LOW | P4 - MINOR | Fix | Resolved |
| SM-7448 | SaFi-2022-24 SaFi Mobile Lack of SSL Certificate Pinning | Done | Low | 3.3 LOW | P4 - MINOR | Fix | Resolved |
| SM-7449 | SaFi-2022-25 SaFi Mobile Lack / Partial Obfuscation of Binary File | Done | Low | 3.3 LOW | P4 - MINOR | Plan | Resolved |
| SM-7451 | SaFi-2022-26 SaFi Mobile Information Stored in Local Storage | Resolved | Low | 1.4 LOW | P4 - MINOR | Plan | TBD Remediation plan |
Target Environment and Application Build Versions
Type: Black Box Security Testing
Environment: Staging
Initial Test Versions
SaFi Mobile App: 1.0.676 (677)
BOFE: 3034fce
Final Test Versions
SaFi Mobile App: 1.0.690+691 (691)
Known issues
Approvals
| VAPT Report | Prepared by | Reviewed by | Approved by |
|---|---|---|---|
| Signature | | | |
| Name | | | |
| Role | Application Security Engineer | Project Management Officer | Chief Technology Officer |
| Date | | | |
Attachments:
BOFE Access Matrix.xlsx (application/vnd.openxmlformats-officedocument.spreadsheetml.sheet)
image-20221107-083629.png (image/png)
image-20221116-031259.png (image/png)
Advance Intelligence Group_SaFI Back Office_VAPT Report_202210_1.pdf (application/pdf)
AIG SaFi Mobile Application VAPT Report 11112022.pdf (application/pdf)
Advance Intelligence Group_SaFI Back Office_VAPT Revalidation Report_202301_2.pdf (application/pdf)
AIG SaFi Mobile Application VAPT Revalidation Report 11112022_2.pdf (application/pdf)
EPFS VAPT Report Jan.16.2023.pdf (application/pdf)
EPFS VAPT Report Jan.23.2023.pdf (application/pdf)