OUPMATH / OxfrodMaths_Prod


8. UI alignment damage by allowing no limit of characters in fields. 10. Password policy compliance #64

Open mayank2k2 opened 7 years ago

mayank2k2 commented 7 years ago

As a result of testing the OWASP Top 10 flaws on URL http://www.uat.oxfordmaths.co.in today, the application was found to be certainly vulnerable to the following security issues, details of which can be seen below:

Security Testing focal points

1) While visiting the profile of any user role, all three fields (first name, middle name and last name) do not have any max character limit, due to which an adversary can enter many random characters, which further damages the user interface of the application and impacts the alignment of some components. PFB the screencast for reference and steps to reproduce:

Screencast for reference: https://www.screencast.com/t/bTSEbjBsmT

Steps to reproduce:

1) Login using any one of the credentials
2) Click on profile
3) Enter random values into the mentioned fields
4) Save the input

Review point #2 below and give your suggestions:

2) While changing the password for any user role, it is found that the password policy information indicates that the user password should consist of 1 uppercase, 1 special character, 1 number and a minimum of 8 characters, but an adversary can create a password without the inclusion of a lowercase letter. As per the best password policy mechanism, a password should consist of 1 uppercase, 1 lowercase, 1 special character, and a minimum of 8 characters. PFB the screencast and best practices for password policies for reference.

Screencast for reference: https://www.screencast.com/t/B8cjH2vgqN1z

The application password should accept the below mentioned criteria:

1) at least 1 uppercase character (A-Z)
2) at least 1 lowercase character (a-z)
3) at least 1 digit (0-9)
4) at least one special character (!"£$%&...)
5) a defined minimum length (8 chars)
6) should not be blank
7) expire after 60-75 days
8) should be masked with a character like *

We shall continue to validate the above issues further, exploit other OWASP Top 10 as well as business logic flaws, and report our observations and findings daily.

Please let me know if you need more information.
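The two findings above are both input-validation gaps. As an added example (not code from the OxfordMaths project or from anyone in this thread), the following server-side validator enforces a per-field character limit and the requested password rules; the field limits of 100/50/100 are an assumption taken from the values quoted later in the thread, and the field names are hypothetical. An HTML `maxlength` attribute only helps honest users: a request can be crafted without the browser form, so the same limits have to be checked on the server before the values reach the database or the page template.

```javascript
// Added example, not the project's own code. Field names and limits are
// assumptions (limits mirror the 100/50/100 values quoted in the thread).
const FIELD_LIMITS = { firstName: 100, middleName: 50, lastName: 100 };

// Returns a list of human-readable errors; an empty list means the profile passes.
function validateNameFields(profile) {
  const errors = [];
  for (const [field, max] of Object.entries(FIELD_LIMITS)) {
    const value = profile[field];
    if (typeof value !== 'string') continue; // absent field (e.g. no middle name) is allowed here
    // Count code points rather than UTF-16 units so astral characters are not undercounted.
    const length = Array.from(value).length;
    if (length > max) errors.push(`${field} exceeds ${max} characters`);
  }
  return errors;
}

// The policy requested in point 2, one rule per entry so the failing rule can be reported.
const PASSWORD_RULES = [
  { name: 'must not be blank', test: p => p.trim().length > 0 },
  { name: 'at least 8 characters', test: p => p.length >= 8 },
  { name: 'at least one uppercase letter (A-Z)', test: p => /[A-Z]/.test(p) },
  { name: 'at least one lowercase letter (a-z)', test: p => /[a-z]/.test(p) },
  { name: 'at least one digit (0-9)', test: p => /[0-9]/.test(p) },
  { name: 'at least one special character', test: p => /[^A-Za-z0-9]/.test(p) },
];

// Returns the names of every rule the password fails; an empty list means it is accepted.
function validatePassword(password) {
  if (typeof password !== 'string') return PASSWORD_RULES.map(rule => rule.name);
  return PASSWORD_RULES.filter(rule => !rule.test(password)).map(rule => rule.name);
}

// Usage with constructed sample input: a password that has every class except lowercase
// is exactly the case the screencast demonstrates, and it is now rejected.
console.log(validatePassword('ABCDEF1!'));   // ['at least one lowercase letter (a-z)']
console.log(validateNameFields({ firstName: 'A'.repeat(101), lastName: 'B' }));
```

Expiry after 60-75 days and masking the field with `*` are policy and UI concerns outside this function; they belong in the account lifecycle logic and the change-password form respectively.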

mayank2k2 commented 7 years ago

Work on point #1 and review point #2 and give your suggestions.

VrandaNagar commented 7 years ago

Hi Mayank, Point #1: We need to set the field max length so as to limit the number of characters the user can enter. Please suggest if we can use the same max length limit as the database.

Point #2: Present password policy:

1. At least 8 characters long and contain 1 numeric, 1 upper case and 1 special character.

Please suggest if we want to change this to the above requested policy. Thanks! Vranda

mayank2k2 commented 7 years ago

Point #1: you are correct, but why was this missed in input field validation? Point #2: No action as of now.

VrandaNagar commented 7 years ago

Hi Mayank, Presently the maxlength is set as: Firstname: 100, Middle name: 50, Last Name: 100, similar to the database. Please suggest if we want to reduce the max limit. Thanks! Vranda

mayank2k2 commented 7 years ago

Do not make any change in DB, make the change in input field validation.

Thanks, Mayank Mishra

From: VrandaNagar [mailto:notifications@github.com] Sent: Tuesday, May 16, 2017 12:23 PM To: OUPMATH/OxfrodMaths_Prod OxfrodMaths_Prod@noreply.github.com Cc: MISHRA, Mayank Mayank.Mishra@oup.com; Author author@noreply.github.com Subject: Re: [OUPMATH/OxfrodMaths_Prod] 2. Security Issues in Oxford Math (#64)



VrandaNagar commented 7 years ago

Hi Mayank, Presently the maxlength in the UI is set as Firstname: 100, Middle name: 50, Last Name: 100 (the text box will not accept beyond this limit in the UI itself). Please let me know if we want to decrease the maxlength in the UI and what the new maximum character limit should be. Thanks! Vranda

VrandaNagar commented 7 years ago

Hi Mayank, I have checked the max character limit and it is already set in the UI. Please see below:

[image]

Please suggest.

Thanks! Vranda