Penetration Testing

[ratheesh-kr]

Do Penetration Testing in TechDB devl and stage environments and solve the issues detected.

[anoopvarma-2000-p]

Possible SQL Injection

Risk Rating: CRITICAL

PR Link for the fixes

Affected URLs GET Requests: ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/cron_job_details.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_needs_attention.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_needs_attention_details/qe_name/healthix.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_patient_screening_questions_answers/hub_interaction_id/8063f4f9-3dc5-4076-8999-0ddebe675d87/patient_mrn/healthix-20240920-testcase404-MRN.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_screening_info.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_session_diagnostics.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_validation_issue.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_fhir_request.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_request.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_request_forward_failure.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_request_payload/interaction_id/819a8445-1c36-45e9-ae81-e230a39c8c1a.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_request_summary.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_request_summary_details/tenant_id_lower/healthix/client_ip_address/74.201.253.244.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_observe.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_sftp.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_user_details/user_session/407B3ABBEA73A65AC5342AF44A0B6AB8.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_user_list.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/islm_migration_state.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/orch_session_diagnostics.json ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/orch_session_diagnostics_rejection.json POST Requests: ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/cron_job_details.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_needs_attention.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_screening_info.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_screening_info.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_session_diagnostics.js on [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/fhir_validation_issue.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_fhir_reque st.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_request.js on [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_request_f orward_failure.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_http_request_summary.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_observe.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_sftp.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/interaction_user_list.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/islm_migration_state.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/orch_session_diagnostics.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"] ● https://phi.hub.qa.techbd.org/api/ux/tabular/jooq/techbd_udi_ingress/orch_session_diagnostics_rejection.json [Parameters - "startRow", "endRow", "rowGroupCols", "valueCols":, "pivotCols", pivotMode", "groupKeys", "filterModel", "sortModel", "sort": "desc", "colId"]

[anoopvarma-2000-p]

Cross Site Scripting (Reflected XSS)

Risk Rating: HIGH

PR Link for the fixes

Affected URLs

• https://phi.hub.qa.techbd.org/docs/techbd-hub/resource/content/docs/1115-hub/fhir-services/api.mdejgrl%3cscript%3ealert(1)%3c/script%3eguhhy
• https://phi.hub.qa.techbd.org/docs/techbd-hub/resource/content/docsusslq%3cscript%3ealert(1)%3c/script%3eb6e9q/1115-hub/fhir-services/api.md
• https://phi.hub.qa.techbd.org/docs/techbd-hub/resource/content/docs/1115-hubo6lk0%3cscript%3ealert(1)%3c/script%3ebz9e3/fhir-services/api.md
• https://phi.hub.qa.techbd.org/docs/techbd-hub/resource/content/docs/1115-hub/fhir-servicesf8a57%3cscript%3ealert(1)%3c/script%3efzwgx/api.md
• https://phi.hub.qa.techbd.org/docs/techbd-hub/resource/content/docs/techbd-intro.mdpyrl0%3cscript%3ealert(1)%3c/script%3ea8upa
• https://phi.hub.qa.techbd.org/docs/techbd-hub/resource/content/docsv69d6%3cscript%3ealert(1)%3c/script%3eirtg8/techbd-intro.md

[anoopvarma-2000-p]

Cookie Found Without 'Secure' Flag

Risk Rating : LOW

PR link for the fixes

[anoopvarma-2000-p]

HTTP Strict Transport Security (HSTS) Policy Not Enabled

Risk Rating: MEDIUM

PR link for the fix