BharatSahAIyak / kisai-bot


Audit fixes #544

Open tanishk2907 opened 1 month ago

tanishk2907 commented 1 month ago

Vulnerability report received on 25th Sept - https://drive.google.com/file/d/1fkZjnFJVINg7s2zt-I6ChVarP7_Fm5GX/view?usp=drive_link

@rishabh-j-90 Can you please assign folks and the steps needed to fix these

| S.No | Issue | Suggested fix | Status | Owner |
|---|---|---|---|---|
| 1 | Excessive Data Exposure - http://103.203.137.130/bff/history/conversations | Implement auth guard of this API. | Implemented on dev - to be moved to stage | @Amruth-Vamshi |
| 2 | Insecure Transmission - http://103.203.137.130/ | https is not available | | @rishabh-j-90 |
| 3 | Unencrypted Login Request - http://103.203.137.130/auth-service/org/login | add encryption/decryption for request and response? | copy encryption from user-service to auth-service | @Amruth-Vamshi |
| 4 | Weak Password Policy - http://103.203.137.130/admin#/login | Currently we do not let users sign up here, so this is not needed | | @prtkjakhar |
| 5 | Insecure "OPTIONS" HTTP Method Enabled - http://103.203.137.130/auth-service/org/login | same as 2 | | @rishabh-j-90 |
| 6 | Inadequate Account Lockout - http://103.203.137.130/auth-service/org/login | set this up in FusionAuth settings and give feedback in the UI | | @Amruth-Vamshi |
| 7 | Concurrent login through different machine/IP - http://103.203.137.130/admin#/login | this is intentional | | @rishabh-j-90 |
| 8 | Copy-Paste Allowed in sensitive information input fields - http://103.203.137.130/admin#/login | This restriction will make it hard to log in, as our passwords are quite strong and long. | | @prtkjakhar |
| 9 | Auto complete is Enabled - http://103.203.137.130/admin#/login | disable in frontend (Google password manager and copy-paste) | | @prtkjakhar |
| 10 | Unnecessary Http Response Headers found - http://103.203.137.130/auth-service/org/login | Configure your server to remove the default "Server" header from being sent in all outgoing responses. | remove these headers | @singhalkarun |
| 11 | Missing Permissions-Policy Header - http://103.203.137.130/admin | Implement permission policies for admin APIs, ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy | | @rishabh-j-90 |
rishabh-j-90 commented 1 month ago

@ChakshuGautam we can list suggested fixes here

rishabh-j-90 commented 3 weeks ago
  1. Remove fields in the response that are not needed on the frontend, like IP, phone number, location etc.

  2. Send an email explaining the situation

  3., 4. Fixes seem fine

  5. Remove the Access-Control-Allow-Methods header

  6. Fixes seem fine

  7. If it is a feature, send an email with an explanation

  8., 9., 10. Fixes seem fine

  11. Clarify on mail that permissions like geolocation, microphone and camera are needed.

@singhalkarun @ChakshuGautam