SaFi Bank Space : 2022 EPFS - VAPT Engagement Report with Mantua

Summary

Mantua, the VAPT vendor, started a Black Box VAPT of the SaFi mobile app and Back Office on . Mantua found a total of 26 vulnerabilities in this engagement:

  • 2 P2 (High) vulnerabilities

  • 5 P3 (Medium) vulnerabilities

  • 19 P4 (Minor) vulnerabilities

According to the vendor, the current security risk posture is MEDIUM.

Initial phase completed and remediation planning is ongoing.

Final VAPT report completed last .

Timeline

  • Mantua started VAPT engagement.

  • 5% completed for mobile and web.

  • As usual, errors and inquiries were found; Mantua provided the list (attached).

  • Permissions based on the Access Matrix in Back Office are not working as they should.
    Possible vulnerability: Broken Access Control

  • Waiting for the official vulnerability report (might be given tomorrow).

  • 10% completed for web VAPT

  • 8% completed for mobile VAPT

  • Found 3 vulnerabilities in Back Office

    • SM-6654

    • SM-6655

    • SM-6656

  • Found 1 vulnerability in the Mobile App

    • SM-6658

  • Findings not yet final.

  • 17% completed for web VAPT

  • 11% completed for mobile VAPT

  • Found 2 vulnerabilities in Back Office

    • SM-6697

    • SM-6698

  • No new findings in the Mobile App

  • Findings not yet final.

  • 20% completed for web VAPT

  • 11% completed for mobile VAPT

  • Found 1 new vulnerability in Back Office

    • SM-6786

  • No new findings in the Mobile App

  • Findings not yet final.

  • Holiday in PH. No progress update

  • 30% completed for web VAPT

  • 18% completed for mobile VAPT

  • No new findings for web or mobile

  • No activity issue was found related to the ‘Pay bills’ feature; it is out of scope for this EPFS.

  • 40% completed for web VAPT

  • 18% completed for mobile VAPT

  • Found 1 new vulnerability in Back Office

    • SM-7017

  • 50% completed for web VAPT

  • 18% completed for mobile VAPT

  • No new findings for web or mobile.

  • Found an issue related to uploading an image as the profile photo

  • 60% completed for web VAPT

  • 18% completed for mobile VAPT

  • Found 3 new vulnerabilities in the Mobile App

    • SM-7065

    • SM-7066

    • SM-7068

  • 70% completed for web VAPT

  • 75% completed for mobile VAPT

  • 90% completed for web VAPT

  • 80% completed for mobile VAPT

  • Found 5 new vulnerabilities in Back Office and the Mobile App

    • SM-7193

    • SM-7194

    • SM-7195

    • SM-7196

    • SM-7197

  • 100% completed for web and mobile VAPT

  • Found 10 new vulnerabilities

    • SM-7451

    • SM-7449

    • SM-7448

    • SM-7447

    • SM-7446

    • SM-7444

    • SM-7450

    • SM-7440

    • SM-7441

    • SM-7442

  • Reported a total of 26 vulnerabilities

  • Web and mobile VAPT re-testing (revalidation) completed.

Vulnerabilities

| Jira Ticket | Risk Rating | CVSS Score | Severity | Action | ETA |
| --- | --- | --- | --- | --- | --- |
| SM-6654 - SaFi-2022-1 BOFE Access Control Matrix Misconfiguration (Done) | High | 7.6 HIGH | P2 - HIGH | Fix | Resolved |
| SM-6655 - SaFi-2022-2 BOFE Insecure Direct Object References (Done) | Medium | 6.7 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-6656 - SaFi-2022-3 BOFE HTTP Headers Best Practices (Done) | Low | 2.9 LOW | P4 - MINOR | Plan | Resolved |
| SM-6658 - SaFi-2022-4 SaFi Mobile Application Crashes When Enabling Biometric ID Log In (Done) | Medium | 5.7 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-6697 - SaFi-2022-5 BOFE Unauthorized Viewing of Documents (Done) | Medium | 6.7 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-6698 - SaFi-2022-6 BOFE Possible to upload malicious files (Done) | Medium | 3.5 LOW | P4 - MINOR | Fix | Resolved |
| SM-6786 - SaFi-2022-7 BOFE Lack of Server-side Input Validation (Done) | Medium | 6.7 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-7017 - SaFi-2022-8 BOFE Unexpected File Type Upload (Done) | High | 6.7 MEDIUM | P2 - HIGH | Fix | Resolved |
| SAF-130 - SaFi-2022-9 SaFi Mobile Application Information Disclosure via Stack Trace (Backlog) | Low | 2.2 LOW | P4 - MINOR | Plan | TBD (Remediation plan) |
| SAF-142 - SaFi-2022-10 SaFi Mobile Application HTTP Headers And Cookies Best Practices (Done) | Low | 1.9 LOW | P4 - MINOR | Plan | TBD (Remediation plan) |
| SM-7068 - SaFi-2022-11 SaFi Mobile Application Lack Of Server Side Input Validation (Done) | Medium | 5.3 MEDIUM | P3 - MEDIUM | Fix | Resolved |
| SM-7193 - SaFi-2022-12 BOFE Cross Origin Resource Sharing Misconfiguration (Done) | Low | 2.7 LOW | P4 - MINOR | Plan | Resolved |
| SAF-890 - FE: SaFi-2022-13 BOFE Server Information Disclosure (Blocker) | Low | 2.7 LOW | P4 - MINOR | Plan | TBD (Remediation plan) |
| SM-7195 - SaFi-2022-14 SaFi Mobile Weak SSL / TLS Cipher Suites Supported (Done) | Low | 2.8 LOW | P4 - MINOR | Fix | Resolved |
| SM-7196 - SaFi-2022-15 SaFi Mobile Backgrounded Application Displays Sensitive Information (Done) | Low | 1.7 LOW | P4 - MINOR | Fix | Resolved |
| SM-7197 - SaFi-2022-16 SaFi Mobile Sensitive Information Stored in Memory (To Do) | Low | 1.5 LOW | P4 - MINOR | Plan | TBD (Remediation plan) |
| SM-7442 - SaFi-2022-17 SaFi Mobile Testing Unnecessary Permission (Done) | Low | 1.6 LOW | P4 - MINOR | Fix | Resolved |
| SM-7441 - SaFi-2022-18 SaFi Mobile Janus Vulnerability (Done) | Low | 1.6 LOW | P4 - MINOR | Fix | Resolved |
| SM-7440 - SaFi-2022-19 SaFi Mobile Sensitive Information Stored in Logs (Resolved) | Low | 3.3 LOW | P4 - MINOR | Plan | Resolved (to be re-tested) |
| SM-7450 - SaFi-2022-20 SaFi Mobile Overlay Attacks (To Do) | Low | 3.3 LOW | P4 - MINOR | Plan | TBD (Remediation plan) |
| SM-7444 - SaFi-2022-21 SaFi Mobile Lack of Logout Functionality (Done) | Low | 3.6 LOW | P4 - MINOR | Fix | Dec-15-2022 / 30-Nov-2022 |
| SM-7446 - SaFi-2022-22 SaFi Mobile Sensitive Information Stored in Local Storage (In Review) | Low | 3.3 LOW | P4 - MINOR | Plan | TBD (Remediation plan) |
| SM-7447 - SaFi-2022-23 SaFi Mobile Lack of Root / Jailbreak Detection (Done) | Low | 3.3 LOW | P4 - MINOR | Fix | Resolved |
| SM-7448 - SaFi-2022-24 SaFi Mobile Lack of SSL Certificate Pinning (Done) | Low | 3.3 LOW | P4 - MINOR | Fix | Resolved |
| SM-7449 - SaFi-2022-25 SaFi Mobile Lack / Partial Obfuscation of Binary File (Done) | Low | 3.3 LOW | P4 - MINOR | Plan | Resolved |
| SM-7451 - SaFi-2022-26 SaFi Mobile Information Stored in Local Storage (Resolved) | Low | 1.4 LOW | P4 - MINOR | Plan | TBD (Remediation plan) |

Target Environment and Application Build Versions

  • Type: Black Box Security Testing

  • Environment: Staging

Initial Test Versions

  • SaFi Mobile App: 1.0.676 (677)

  • BOFE: 3034fce

Final Test Versions

  • SaFi Mobile App: 1.0.690+691 (691)

Known issues

Approvals

| VAPT Report | Prepared by | Reviewed by | Approved by |
| --- | --- | --- | --- |
| Signature | | | |
| Name | User b6b4a | User 863aa | Ion Mudreac |
| Role | Application Security Engineer | Project Management Officer | Chief Technology Officer |
| Date | | | |