
Web-Application Penetration Testing Report

For

Website URL: https://enam.gov.in

Date: 19 May 2023

Confidential Report, not to be circulated or reproduced without appropriate authorization.

Contact Us:

Application Security Audits and Assessment Division
(Application Security Group)
National Informatics Centre
A – Block, CGO Complex, Lodhi Road
New Delhi - 110003
Phone: 011-2430-5877, 011-2430-5142, 011-2430-5934, 011-2430-5215
Contributions:

Name                      Role
Mrs. Alka Upadhyay
Mrs. Manisha Duevedi
1. Mr. Pradeep Kumar      Reviewer
2. Mr. Rajesh Mishra      HOD
3. Mr. V.T.V. Ramana      HOG

This document is confidential to ASG-NIC. It must not be reproduced or circulated without prior approval from ASG-
NIC.
Key Findings
1. SQL Injection
2. Misconfigured Cookie Attributes
3. Vulnerable and Outdated Components
4. NO/Weak CAPTCHA
5. Email Harvesting
6. Aadhaar Number is in Plain Text
7. Clear-Text Submission of Password
8. Open File Upload
9. Misconfigured CORS
10. Host Header Attack
11. Domain Access via IP Address
Observations

1. SQL Injection
Incident URL: https://enam.gov.in/web/weather_forecast

Description: SQL injection is a type of attack in which an attacker injects a malicious SQL query into a
web application's input fields to gain unauthorized access to the database. The application constructs all
or part of an SQL command/query from externally influenced input, but it does not neutralize, or
incorrectly neutralizes, special elements that can modify the intended SQL command/query.

Impact: SQL injection can compromise the confidentiality and integrity of the application data. If
insecurely built SQL commands are used to check usernames and passwords, it may also lead to
authentication bypass and account takeover. An attacker with enough privileges can view, modify, or
delete data stored in the database, potentially leading to a data breach.

Severity: High

How to Test:

Step I: Open the URL https://enam.gov.in/web/weather_forecast and select the state and
APMC as shown in the snapshot given below.

Step II: Now intercept the above request and observe that no data has been fetched. Insert a
single quote (') into the parameter and observe the SQL error shown in the snapshot given below.

Step III: Now test with the Boolean expression '+or+'1'='1 (URL-encoded; the + signs are spaces). The
data is returned, so the application is vulnerable to Boolean-based SQL injection, as shown in the
snapshot given below.

Recommendation(s):

1. Do not dynamically construct and execute query strings; instead use prepared statements or
parameterized queries.

2. Grant the database user minimum privileges that are required to accomplish the tasks.
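The Boolean payload from Step III and the fix from recommendation 1, shown side by side as an added example. This is not code from the report or from the eNAM application: the table and column names are assumptions and the rows are constructed. The single-quote probe reproduces the database error of Step II against the concatenated query only.

```python
import sqlite3

# Constructed in-memory stand-in for the weather-forecast lookup. The table
# and column names are assumptions for this example, not the site's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apmc (state TEXT, apmc TEXT, forecast TEXT)")
    conn.executemany(
        "INSERT INTO apmc VALUES (?, ?, ?)",
        [("Gujarat", "Ahmedabad", "Clear"),
         ("Gujarat", "Surat", "Rain"),
         ("Punjab", "Ludhiana", "Cloudy")],
    )
    return conn


def forecast_vulnerable(conn, state, apmc):
    # Query text is built by concatenation, so the input can change the
    # structure of the statement (this is the defect the finding describes).
    sql = ("SELECT forecast FROM apmc WHERE state = '" + state +
           "' AND apmc = '" + apmc + "'")
    return [row[0] for row in conn.execute(sql)]


def forecast_parameterized(conn, state, apmc):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so a quote or an 'or' in the input is only data and cannot alter the query.
    sql = "SELECT forecast FROM apmc WHERE state = ? AND apmc = ?"
    return [row[0] for row in conn.execute(sql, (state, apmc))]


def triggers_sql_error(query_fn, conn, state, apmc):
    # True when the input makes the database raise (the error seen in Step II).
    try:
        query_fn(conn, state, apmc)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = build_db()
    probe = "' or '1'='1"          # the Boolean payload from Step III
    print(forecast_vulnerable(db, "Gujarat", probe))     # every row comes back
    print(forecast_parameterized(db, "Gujarat", probe))  # [] : no APMC of that name
```

With the concatenated query the Boolean payload turns the WHERE clause into `state = 'Gujarat' AND apmc = '' or '1'='1'`, which is true for every row; with placeholders the same string is compared literally against the apmc column and matches nothing.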

2. Misconfigured Cookie Attributes
Incident URL: https://enam.gov.in/web/weather_forecast

Description: Cookies are widely used to store information on the client-side, but if the attributes such
as path (define the scope of the cookie), HttpOnly, Secure, and SameSite are not configured correctly,
it can lead to several risks based on the level of exploitation.

Impact: Misconfigured cookie attributes such as path, HttpOnly, Secure, and SameSite can pose
significant security risks, including unauthorized access to sensitive information, cookie hijacking,
transmitting sensitive data over unencrypted connections, cross-site scripting, and partial cross-site
request forgery attacks.

Severity: Low

How to Test:

Step I: Open the above incident URL and observe that the cookie attributes are misconfigured, as shown
in the snapshot given below.

Recommendation(s):

1. The Secure flag should be set on all cookies. The Secure flag instructs the browser to transmit the
cookie only over a secure connection (HTTPS). This helps prevent man-in-the-middle (MITM) attacks in
which an attacker intercepts the cookie and uses it to impersonate the user.

2. The HttpOnly flag should be set on all cookies. The HttpOnly attribute marks the cookie as accessible
only to the server and not to client-side scripts. This helps prevent cross-site scripting (XSS) attacks in
which an attacker steals the cookie by injecting a malicious script into the web page.

3. Set the Path cookie attribute. Path should not be set to the root; instead a sub-folder path should be
used (for example, path=/foldername).

4. The SameSite attribute controls whether a cookie is sent with cross-site requests. This helps prevent
cross-site request forgery (CSRF) attacks by stopping the browser from attaching the cookie to requests
that an attacker's site triggers.

• Lax: In this mode, the cookie is only sent with top-level GET requests.

• Strict: In this mode, the cookie is not sent with any cross-site usage, even if the user follows a
link to another application.
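The four recommendations above as an added example (not code from the report or the application): one function emits a Set-Cookie header with Secure, HttpOnly, a sub-folder Path and SameSite, and a second audits any Set-Cookie value and lists which of those attributes are missing. The cookie name, the sample value and the /portal path are constructed for the example.

```python
from http.cookies import SimpleCookie

REQUIRED_FLAGS = ("secure", "httponly", "samesite")


def build_session_cookie(name, value, path="/portal", samesite="Strict"):
    """Return a Set-Cookie header value carrying the attributes the
    recommendations call for. The path is an assumed sub-folder."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True        # HTTPS only
    cookie[name]["httponly"] = True      # not readable by page scripts
    cookie[name]["path"] = path          # scoped below the site root
    cookie[name]["samesite"] = samesite  # not sent on cross-site requests
    return cookie[name].OutputString()


def audit_set_cookie(header_value):
    """Return the list of problems found in one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:               # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    problems = []
    for flag in REQUIRED_FLAGS:
        if flag not in attrs:
            problems.append("missing " + flag)
    if attrs.get("samesite", "").lower() == "none":
        problems.append("SameSite=None disables cross-site protection")
    if attrs.get("path", "/") == "/":
        problems.append("Path is root (or absent); scope it to a sub-folder")
    return problems


if __name__ == "__main__":
    # Constructed example of a weak header of the kind the snapshot shows.
    print(audit_set_cookie("JSESSIONID=abc123; Path=/"))
    print(audit_set_cookie(build_session_cookie("JSESSIONID", "abc123")))
```

Running the audit over the headers captured during the test (for instance every Set-Cookie in the intercepted response) gives a per-cookie checklist that maps directly onto the four recommendations.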

3. Vulnerable and Outdated Components
Incident URLs:

• https://code.jquery.com/ui/1.11.4/jquery-ui.js
• https://enam.gov.in/web/assest/js/jquery.min.js
• https://enam.gov.in/web/rems/js/angular.min.js
• https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.9.1/underscore-min.js
• https://enam.gov.in/analytics/static/appbuilder/js/bootstrap.min.js
• https://enam.gov.in/analytics/static/assets/vendors.57b36d6e3a2ad4b369c5.entry.js

Description: The application uses vulnerable versions of jQuery (1.12.2), moment.js (2.29.2),
Bootstrap (3.4.1), jQuery UI (1.11.4), underscore.js (1.9.1) and AngularJS (1.5.5).

Impact: The full range of weaknesses is possible, including injection, broken access control, XSS, etc.
The impact could be minimal, up to complete host takeover and data compromise.

Severity: Low

How to Test:

Step I: Open the above incident URLs and observe that outdated versions of jQuery (1.12.2),
moment.js (2.29.2), Bootstrap (3.4.1), jQuery UI (1.11.4), underscore.js (1.9.1) and
AngularJS (1.5.5) are in use, as shown in the snapshots given below:

Recommendation(s):

1. Upgrade the components used to the latest version.

2. If upgrading is not possible, apply the available security patches and hide the version details.
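An added example (not code from the report or the application) of the inventory check behind this finding: it pulls the version of each library from the script URL where the path carries one, or from the banner comment at the top of the file, and compares it with the minimum version the site's policy accepts. The banner lines are constructed samples, and the minimum versions are illustrative thresholds chosen only to exercise the comparison; the real minimums come from each vendor's security advisories.

```python
import re

# Version in the URL path (e.g. /ui/1.11.4/) or in the file's banner comment.
URL_VERSION = re.compile(r"/(\d+\.\d+\.\d+)/")
BANNER_VERSION = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")
KNOWN_LIBRARIES = ("jquery-ui", "jquery", "angular", "underscore", "bootstrap", "moment")

# Illustrative thresholds for the example only; take the real minimum
# versions from each vendor's advisories.
EXAMPLE_POLICY = {
    "jquery-ui": "1.13.0",
    "jquery": "3.5.0",
    "angular": "1.8.0",
    "underscore": "1.13.0",
}


def parse_version(text):
    return tuple(int(x) for x in text.split("."))


def library_name(url):
    """Map a script URL to one of the known library names (longest first)."""
    fname = url.rsplit("/", 1)[-1].lower()
    for name in KNOWN_LIBRARIES:
        if fname.startswith(name):
            return name
    return None


def detect_version(url, first_line=""):
    m = URL_VERSION.search(url)
    if m:
        return m.group(1)
    m = BANNER_VERSION.search(first_line)
    return m.group(1) if m else None


def outdated(inventory, policy):
    """inventory: list of (url, first_line_of_file). Returns
    [(library, version_found, minimum_required)] for each shortfall."""
    findings = []
    for url, first_line in inventory:
        name = library_name(url)
        found = detect_version(url, first_line)
        if name is None or found is None or name not in policy:
            continue
        if parse_version(found) < parse_version(policy[name]):
            findings.append((name, found, policy[name]))
    return findings


# The incident URLs from this finding; the banner text is constructed.
SAMPLE_INVENTORY = [
    ("https://code.jquery.com/ui/1.11.4/jquery-ui.js", ""),
    ("https://enam.gov.in/web/assest/js/jquery.min.js",
     "/*! jQuery v1.12.2 | (c) jQuery Foundation | jquery.org/license */"),
    ("https://enam.gov.in/web/rems/js/angular.min.js", "/* AngularJS v1.5.5 */"),
    ("https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.9.1/underscore-min.js", ""),
    ("https://enam.gov.in/analytics/static/appbuilder/js/bootstrap.min.js", ""),
]

if __name__ == "__main__":
    for lib, found, needed in outdated(SAMPLE_INVENTORY, EXAMPLE_POLICY):
        print("%s %s is below required %s" % (lib, found, needed))
```

Files whose version can be read neither from the URL nor from the banner (the bootstrap entry above) are skipped rather than guessed, which is itself a useful signal: a copy with the banner stripped still has to be tracked in the inventory by some other means.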

4. NO/Weak CAPTCHA
Incident URLs:

• https://enam.gov.in/NAMV2/home/other_register.html
• https://enam.gov.in/NAMV2/faces/infrastructure/SLogin.jsf

Description: CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans
Apart") is a type of challenge-response test used by many web applications to ensure that the response
is not generated by a computer. A missing or weak CAPTCHA is one that can be easily bypassed by
automated scripts or bots. This can happen if the CAPTCHA is not properly randomized, or if the image
or text is of low quality and can be easily read by an OCR (Optical Character Recognition) program.

Impact: An attacker could perform an arbitrary number of authentication attempts using different
passwords, and eventually gain access to the targeted account.

Severity: Low

How to Test:

Step I: Open the above incident URLs and observe that the CAPTCHA is not six-character alphanumeric,
as shown in the snapshot given below.

Step II: Open the URL https://enam.gov.in/analytics/login and observe that there is no CAPTCHA on
the login page, as shown in the snapshot given below.

CASE II: It has been observed that a CAPTCHA of only 5 digits is used in the application, as shown in
the screenshot below:

Recommendation(s):

1. It is recommended to implement CAPTCHA on publicly available forms.

2. CAPTCHA must be alphanumeric and a minimum of 6 characters long.

CAPTCHA Specifications:

• CAPTCHA should be of 6 characters alphanumeric in length.

• CAPTCHA should be case-sensitive.

• CAPTCHA should be image-based.

• CAPTCHA should be randomly generated from the server and not from the client side.

• After each incorrect login attempt, the server should return the login page with a new
CAPTCHA.
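The CAPTCHA specification above, implemented server-side as an added example (not code from the report or the application): six case-sensitive alphanumeric characters drawn from a cryptographic random source, stored only in the server session, valid once and for a limited time, and re-issued after every failed login. Rendering the text into an image is left to the caller; the `code` and `now` parameters exist only so that tests can fix the values.

```python
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits   # case-sensitive alphanumeric
CAPTCHA_LENGTH = 6
CAPTCHA_TTL_SECONDS = 300


def new_captcha(session, code=None, now=None):
    """Generate a fresh CAPTCHA on the server and store it in the session.
    `code` and `now` are overridable only for deterministic tests."""
    if code is None:
        code = "".join(secrets.choice(ALPHABET) for _ in range(CAPTCHA_LENGTH))
    issued = now if now is not None else time.time()
    session["captcha"] = {"code": code, "issued": issued}
    # The caller renders `code` into an image. The text itself never goes to
    # the client in a form field, hidden input or cookie.
    return code


def verify_captcha(session, answer, now=None):
    """Single-use, time-limited, case-sensitive check."""
    entry = session.pop("captcha", None)      # consumed whether right or wrong
    if entry is None:
        return False
    current = now if now is not None else time.time()
    if current - entry["issued"] > CAPTCHA_TTL_SECONDS:
        return False
    return secrets.compare_digest(entry["code"].encode(), (answer or "").encode())


def login(session, username, password, captcha_answer, check_credentials, now=None):
    """Returns True on success. Any failure issues a new CAPTCHA, so the
    login page always comes back with a fresh challenge."""
    if not verify_captcha(session, captcha_answer, now):
        new_captcha(session, now=now)
        return False
    if not check_credentials(username, password):
        new_captcha(session, now=now)
        return False
    return True


if __name__ == "__main__":
    session = {}
    shown = new_captcha(session)               # would be drawn into an image
    print(login(session, "user", "pw", shown, lambda u, p: False))   # False, new CAPTCHA set
```

The CAPTCHA is checked before the credentials, so a wrong CAPTCHA never reveals whether the password was right, and the entry is popped from the session before comparison so the same challenge cannot be replayed across attempts.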

5. Email Harvesting
Incident URLs:

• https://enam.gov.in/web/Privacy-Policy
• https://enam.gov.in/web/all_news_desc

Description: An attacker can collect the addresses published by the application with an email
harvester and send spam to them. Email harvesters are programs that scour the internet looking for
email addresses on any website they come across.

Impact: Unnecessary or excessive disclosure of email addresses may also lead to an increase in the
volume of spam email received.

Severity: Low

How to Test:

Step I: An attacker navigates to the application and observes that the email address is not posted in
the recommended (obfuscated) format, as shown below.

Recommendation(s):

1. Email addresses should be posted as an image, not as a hyperlink. Alternatively, instead of the @
symbol, [at] should be used. Similarly, the dot character (.) should be replaced by [dot]. For example,
xyz@gma.com should be written as xyz[at]gma[dot]com.

2. High privilege email addresses should not be posted on the website.

3. Email addresses should not be provided as a hyperlink, for example, mailto:xyz[at]gma[dot]com.
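Recommendations 1 and 3 as an added example (not code from the report or the application): one function rewrites an address into the [at]/[dot] form, and another scans page HTML for what a harvester would pick up, namely plain addresses in the text and mailto: link targets. The HTML and the addresses in it are constructed samples on example domains.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO_RE = re.compile(r'href\s*=\s*["\']mailto:([^"\']+)["\']', re.IGNORECASE)


def obfuscate_email(address):
    """xyz@gma.com -> xyz[at]gma[dot]com, the form recommendation 1 asks for."""
    return address.replace("@", "[at]").replace(".", "[dot]")


def find_harvestable(html):
    """Return the addresses a harvester could lift from a page: plain
    addresses in the text plus the targets of mailto: links."""
    found = set(EMAIL_RE.findall(html))
    found.update(MAILTO_RE.findall(html))
    return sorted(found)


# Constructed page fragment: two exposed addresses and one obfuscated one.
SAMPLE_HTML = """
<p>Contact: <a href="mailto:helpdesk@example.gov.in">helpdesk@example.gov.in</a></p>
<p>Press: media@example.gov.in</p>
<p>Obfuscated: media[at]example[dot]gov[dot]in</p>
"""

if __name__ == "__main__":
    for address in find_harvestable(SAMPLE_HTML):
        print("exposed:", address, "->", obfuscate_email(address))
```

Running find_harvestable over the two incident pages during retesting gives an empty list once the addresses have been obfuscated or replaced with images, which is the condition the recommendation aims at.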

6. Aadhaar Number is in Plain Text
Incident URL: https://enam.gov.in/web/Enam_ctrl/enam_registration

Description: The UID (Aadhaar) number is treated as highly sensitive information; it should not be
leaked at any endpoint and must not be kept longer than required. An attacker can capture UID numbers
at endpoints and use them for their own purposes.

Impact: Can cause severe data leakage and affects confidentiality.

Severity: Low

How to Test:

Step I: Open the above incident URL, fill in the form and observe that the Aadhaar number travels in
plain text, as shown in the snapshot given below.

Recommendation(s):

1. As per the Aadhaar Act and the Regulations issued by UIDAI, the Aadhaar number must not be stored
in databases or files without the consent of the user. If the application needs to store the Aadhaar
number in permanent storage, the Aadhaar seeding process must be followed.

2. If the number is kept in permanent storage for further delivery of services, the Aadhaar seeding
process must be followed.

3. The Aadhaar number should be used as per the Aadhaar Act and Regulations.

7. Clear-Text Submission of Password
Incident URL: https://enam.gov.in/NAMV2/faces/infrastructure/SLogin.jsf

Description: The application transmits the password in clear text over HTTP, which is an unencrypted
connection.

Impact: This vulnerability can result in compromise of users' account and data via MITM attacks.

Severity: Low

How to Test:

Step I: Open the above incident URL and capture the HTTP request. It has been observed that the
password is in plain text, as shown in the snapshot given below.

Recommendation(s):

1. Implement salted SHA-256 or salted SHA-512 hashing algorithms on password fields, while using
plain SHA-256 or SHA-512 hashing on new password fields.

8. Open File Upload
Incident URL: https://enam.gov.in/web/Enam_ctrl/enam_registration

Description: The issue arises when the web application allows users to upload files openly, without any
restriction. This can allow an attacker to upload a file that contains malicious code.

Impact: One of the most common impacts of a malicious file upload vulnerability is the ability for an
attacker to execute arbitrary code on the affected system. This can be used to install malware, create
a backdoor, or even take full control of the affected system.

Severity: Low

How to Test:

Step I: Open the above incident URL and observe the file upload functionality is on public page as
shown in the snapshot given below.

Recommendation(s):

1. Application should not allow the public to upload files directly without any restriction.

2. Assign only Read and Write permissions to the upload folders as required.
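Both recommendations as an added example (not code from the report or the application): uploads are accepted only from a logged-in user, only for an allow-listed extension whose leading bytes match that type, only up to a size limit, and are written under a random name with read/write permissions and no execute bit. The allowed types, size limit and the names used are assumptions for a registration form.

```python
import os
import secrets

# Allowed types and the leading bytes (magic numbers) each must start with.
# The list is an assumption for a registration form; adjust to what is needed.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


def check_upload(filename, data):
    """Return (True, ext) if the file is acceptable, else (False, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:             # last extension decides: x.pdf.php is php
        return False, "extension not allowed"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext


def store_upload(user, filename, data, upload_dir):
    """Store an upload for an authenticated user only. The stored name is
    random, so the user-supplied name never reaches the filesystem."""
    if user is None:
        raise PermissionError("login required before uploading")
    ok, info = check_upload(filename, data)
    if not ok:
        raise ValueError(info)
    stored_name = secrets.token_hex(16) + "." + info
    path = os.path.join(upload_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)   # read/write for the service account, never execute
    return stored_name


if __name__ == "__main__":
    print(check_upload("form.pdf", b"%PDF-1.4 constructed"))   # (True, 'pdf')
    print(check_upload("shell.php", b"<?php"))                  # (False, 'extension not allowed')
    print(check_upload("photo.png", b"%PDF-1.4"))               # (False, 'content does not match extension')
```

The upload directory itself should sit outside the web root (or be served with script execution disabled), so that even a file that passes all checks is only ever returned as data.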

9. Misconfigured CORS
Incident URL: https://enam.gov.in/pop/rest/get_combine_demand_data

Description: Many modern websites use CORS to allow access from subdomains and trusted third
parties. Their implementation of CORS may contain mistakes or be overly lenient to ensure that
everything works, and this can result in exploitable vulnerabilities.

Impact: A CORS misconfiguration can leave the application at a high-risk of compromise resulting in
an impact on the confidentiality and integrity of data by allowing third-party sites to carry out privileged
requests through your web site’s authenticated users such as retrieving user setting information, etc.

Severity: Low

How to Test:

Step I: During analysis of the HTTP requests to the website, we observed that CORS is not implemented
properly, as shown in the snapshot given below.

Recommendation(s):

1. It is recommended that the Access-Control-Allow-Origin header is not set to * if the resource
contains sensitive information. Configure the Access-Control-Allow-Origin header to allow requests
only from the domains that you trust.

2. If a web resource contains sensitive information, the origin should be properly specified in the
Access-Control-Allow-Origin header.

3. Avoid using the header Access-Control-Allow-Origin: null

4. Don’t rely only on the Origin header for Access Control checks. Browsers always send this header in
CORS requests, but it may be spoofed outside the browser.
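The four recommendations as an added example (not code from the report or the application): the lenient pattern that reflects any Origin is shown next to an allow-list version that returns no CORS headers for unknown origins and for the literal "null" origin, and the handler sketch for the incident endpoint takes its authorization from the session rather than from Origin. The allow-list contents, the user name and the response body are assumptions for the example.

```python
# Origins allowed to read this resource. Assumption for the example: only the
# site's own origin; add trusted sub-domains explicitly, never a wildcard.
ALLOWED_ORIGINS = {"https://enam.gov.in"}


def cors_headers_reflecting(origin):
    """The over-lenient pattern the finding describes: whatever Origin arrives
    is echoed back, so any site can read the response with the user's cookies."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin):
    """Allow-list version. Returns {} (no CORS headers, so the browser blocks
    the cross-origin read) for unknown origins, the 'null' origin, and
    requests that carry no Origin at all."""
    if not origin or origin == "null" or origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}   # caches must key on Origin when the value varies


def get_combine_demand_data(origin, session_user):
    """Handler sketch for the incident endpoint; the body is constructed.
    Authorization comes from the session, not from the Origin header, which
    only a browser enforces (recommendation 4)."""
    if session_user is None:
        return 401, {}, None
    headers = cors_headers(origin)
    body = {"user": session_user, "demand": [42, 17]}   # constructed payload
    return 200, headers, body


if __name__ == "__main__":
    print(cors_headers_reflecting("https://attacker.example"))   # reflected: readable cross-site
    print(cors_headers("https://attacker.example"))              # {} : browser blocks the read
    print(get_combine_demand_data("https://enam.gov.in", "farmer1"))
```

Note that the allow-list check compares the full origin (scheme, host and port), so a lookalike such as a host that merely starts with or ends with the trusted name does not match.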

10. Host Header Attack
Incident URL: https://enam.gov.in/web/assest

Description: A host header attack, also known as a HTTP Host header injection or a web server domain
name hijacking attack, is a type of web application vulnerability that allows an attacker to manipulate
the host header in a HTTP request to direct the request to a different website.

Impact: The two major attack vectors host header attacks enable are web-cache poisoning, and abuses
of alternative channels for conducting sensitive operations, such as password resets.

Severity: Low

How to Test:

Step I: An attacker navigates the application and captures any HTTP request whose response is a
301/302 redirect. Observe the Host header, as shown in the snapshot given below.

Step II: Now modify the Host header and observe that the application redirects to bing.com, as shown
in the snapshot given below.

Recommendation(s):

1. It is recommended to implement a whitelist of trusted domains and validate the host header at the
server end.

2. Set the base URL of the application.

3. Reject any request that doesn’t match the target domain.

4. Disable the support for X-Forwarded-Host header.

11. Domain Access via IP Address
Incident URL: https://enam.gov.in

Description: If a website is accessible with both an IP address and a domain name, it may expose the
website to certain vulnerabilities. One such vulnerability is DNS spoofing, where an attacker can
manipulate DNS records to redirect traffic to a malicious website. This can allow the attacker to steal
sensitive information such as login credentials, financial information, or personal data.

Impact: The impact of these vulnerabilities can be significant, as attackers can gain unauthorized
access to sensitive data, compromise user accounts, and launch further attacks on the website or its
users.

Severity: Low

How to Test:

Step I: It has been observed that https://enam.gov.in is accessible via IP address as shown in the
snapshot given below.

Recommendation(s):

1. Disable access via IP address to the website and redirect all traffic to the domain name instead. This
can be achieved through configuration changes on the web server or using a web application firewall.
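The recommendations of finding 10 (Host Header Attack) and finding 11 (Domain Access via IP Address) share one check, so both are covered by this single added example (not code from the report or the application): the Host header is matched against an allow-list of the site's names, X-Forwarded-Host is never consulted, a request addressed to an IP literal is redirected to the domain name, and redirect targets are built from the configured base URL rather than from Host. The allow-list, the IP literals and the attacker host name are constructed for the example.

```python
import ipaddress

CANONICAL_ORIGIN = "https://enam.gov.in"                 # the configured base URL
ALLOWED_HOSTS = {"enam.gov.in", "www.enam.gov.in"}       # assumption: the site's names


def _hostname(host_header):
    """Strip an optional port and IPv6 brackets from a Host header value."""
    host = host_header.strip().lower()
    if host.startswith("["):                              # [2001:db8::1]:443
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def classify_request(headers):
    """headers: dict with lower-case keys. Returns 'ok', 'redirect' or 'reject'.
    X-Forwarded-Host is deliberately never read (recommendation 4 of finding 10)."""
    host = headers.get("host")
    if not host:
        return "reject"
    try:
        name = _hostname(host)
    except ValueError:                                    # malformed bracket form
        return "reject"
    try:
        ipaddress.ip_address(name)
        return "redirect"          # IP-literal access: send the client to the domain name
    except ValueError:
        pass
    return "ok" if name in ALLOWED_HOSTS else "reject"


def redirect_location(path):
    """Build redirect targets from the configured base URL, never from Host,
    so a modified Host header cannot steer the Location header elsewhere."""
    if not path.startswith("/"):
        path = "/" + path
    return CANONICAL_ORIGIN + path


if __name__ == "__main__":
    for hdrs in ({"host": "enam.gov.in"},
                 {"host": "203.0.113.10"},                              # constructed IP literal
                 {"host": "attacker.example"},                          # constructed
                 {"host": "enam.gov.in", "x-forwarded-host": "attacker.example"}):
        print(hdrs, "->", classify_request(hdrs))
    print(redirect_location("/web/assest"))
```

A request classified as "redirect" gets a 301 to redirect_location(path); one classified as "reject" gets a 400 with no redirect at all, so neither path ever echoes the supplied Host value.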

Observations
Case I: The registration functionality is not working, and it was observed that the password is sent by email.

Incident URL: https://enam.gov.in/web/Enam_ctrl/enam_registration

Step I: Open the above URL and perform an action as shown below.

Recommendation(s):

1. Once the registration page is working properly, the password should not be sent by email. Instead,
send a verification link to the respective email address with a mechanism for the user to set up a password.
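The recommended password-setup link as an added example (not code from the report or the application): the registration mail carries a signed, expiring, single-use token instead of a password, and the server verifies the signature, the expiry and the nonce before letting the user choose a password. The server secret, the token lifetime, the /set-password path and the user id are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Placeholder: in deployment this comes from the server's secret store.
SERVER_SECRET = b"replace-with-a-long-random-server-secret"
TOKEN_TTL_SECONDS = 3600


def make_setup_token(user_id, now=None, ttl=TOKEN_TTL_SECONDS):
    """Signed, expiring, single-use token for a password-setup link."""
    issued = int(now if now is not None else time.time())
    payload = {"uid": user_id, "exp": issued + ttl, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_setup_token(token, used_nonces, now=None):
    """Return the user id if the token is authentic, unexpired and unused,
    else None. `used_nonces` is the server-side set of consumed nonces."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):       # tampered or forged
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, TypeError):
        return None
    current = now if now is not None else time.time()
    if current > payload["exp"] or payload["nonce"] in used_nonces:
        return None
    used_nonces.add(payload["nonce"])                 # consumed: a second click fails
    return payload["uid"]


def registration_mail_body(user_id, now=None):
    """What the registration e-mail carries instead of a password.
    The /set-password path is an assumption for this example."""
    token = make_setup_token(user_id, now)
    return ("Complete your eNAM registration by choosing a password here:\n"
            "https://enam.gov.in/set-password?token=" + token)


if __name__ == "__main__":
    print(registration_mail_body("user42"))
```

Because the password is chosen by the user on the site after the link is verified, nothing secret ever passes through the mail system, and a link that is forwarded, intercepted late, or clicked twice is refused.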

CASE II: Open the URL https://enam.gov.in/NAMV2/faces/infrastructure/SLogin.jsf and click on
"update mobile number". It has been observed that the functionality is not working properly, as shown
in the screenshot below:

Note: Vulnerabilities should be patched throughout the website.

