ES/FTPL/202101/OR/C1/051834
Contents
Table 1: Evaluation Summary
1.0 Introduction
2.0 Summary Observations
3.0 Security Issues as per OWASP ASVS
3.1 Data & Input Validation
3.2 Authentication
3.3 Authorization & Access Control
3.4 Session Management
3.5 Error Handling
3.6 Use of Cryptography / Data Protection
3.7 Configuration Management
3.8 Others
4.0 Details of Vulnerabilities
Functional Issue
Data & Input Validation
Authentication
Session Management
Authorization & Access Control
Configuration Management
Appendix
1.0 Introduction
STQC IT Services, Kolkata has carried out a security evaluation of the application detailed in Table-1. The vulnerabilities/weaknesses observed during the testing, along with the recommendations to plug them, are given below. The observations indicate the status of the application during the evaluation period (Ref. Table-1) only.
The application has been audited following the Open Web Application Security Project (OWASP) Application Security Verification Standard 4.0 [ASVS v4.0] to discover security vulnerabilities/weaknesses. The assessment focused on discovering the security vulnerabilities listed in the OWASP Top 10 - 2017. Discovery of the typical security issues of a web application was attempted in this exercise: improper input validation, insecure direct object references, unvalidated redirects and forwards, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), broken authentication and session management (e.g. weak passwords, weak session management), injection flaws (SQL injection, command injection etc.), security misconfiguration, sensitive data exposure, missing or improper access control, and issues related to well-known platforms and components.
The initial assessment observations have been shared as the assessment report referred to below. On receipt of confirmation that the reported issues have been closed, the assessment team will verify and make its final comment.
Disclaimer: This report is valid for the web application code in its present state only. Reassessment is recommended for any change in the application code.
https://benchmark.enam.gov.in/web/training_feedback
0.2 Contact Us
Observation: Though there is an option for entering a CAPTCHA in the Contact Us form, the CAPTCHA is not returned in the form and therefore the Contact Us form cannot be submitted (Fig. 0.2.1):
https://benchmark.enam.gov.in/web/contact-us
Recommendation: Functional issue should be resolved.
0.3 Registration Form
Observation: If the Registration Form is filled in with a proper Photo ID Type and Photo ID Number (Fig. 0.3.1), the application still asks for a proper photo ID type (Fig. 0.3.2):
https://benchmark.enam.gov.in/NAMV2/home/other_register.html
Recommendation: Functional issue should be resolved.
0.4 Trader Login
Observation: In the login form there is a separate link for Trader Login (Fig. 0.4.1), and this link points to the production site (Fig. 0.4.2):
https://benchmark.enam.gov.in/NAMV2/faces/infrastructure/SLogin.jsf
Recommendation: Functional issue should be resolved.
1.0 Data & Input Validation
1.1 Missing URL Validation
Observation: While viewing events, national and state events can be viewed with the values /national and /state passed in the URL (Fig. 1.1.1). If JavaScript is passed instead of these values, an error is encountered due to disallowed characters (Fig. 1.1.2); but if the '/' character is URL-encoded, the application treats the value as a filename and a Not Found response is returned (Fig. 1.1.3):
https://benchmark.enam.gov.in/web/events
Recommendation: The event scope values should be whitelisted, and the application should redirect to the index page if any other value is given.
1.2 Missing Server-side Validation
Observation: In the Agmarknet dashboard, details of the selected commodity can be viewed for the last 1 week only, as a From Date older than 7 days cannot be selected in the calendar (Fig. 1.2.1):
https://benchmark.enam.gov.in/web/dashboard/agmarknet
On submission of the form, if the POST parameter fromDate is manipulated with an older date (Fig. 1.2.2), the earlier records are also returned by the application (Fig. 1.2.3), as the same validation has not been implemented on the server side:
https://benchmark.enam.gov.in/web/Agm_ctrl/trade_data_list
Recommendation: All user inputs and data in all forms must be validated to be of the proper data type and within range, and the validation must also be performed on the server side.
1.3a Missing Validation of Selection Lists
Observation: To view the Break-up of Stakeholders in e-Nam, the State Name is selected from the dropdown entries (Fig. 1.3.1):
https://benchmark.enam.gov.in/web/dashboard/stakeholder-data
On submission, the POST parameter state_id is manipulated with out-of-
https://benchmark.enam.gov.in/web/Ajax_ctrl/mandidetails_enum
Recommendation: All user inputs and data in all forms must be validated to be of the proper data type and within range, and the validation must also be performed on the server side.
1.3b Missing Validation of Selection Lists
Observation: To view state-wise trading data in e-Nam, the State Name is selected from the dropdown entries (Fig. 1.3.4):
https://benchmark.enam.gov.in/web/dashboard/trade-data
On submission, if the POST parameter state_id is manipulated with a negative, out-of-range value (Fig. 1.3.5), the application encounters an internal server error (Fig. 1.3.6):
https://benchmark.enam.gov.in/web/Ajax_ctrl/apmc_list
Recommendation: All user inputs and data in all forms must be validated to be of the proper data type and within range, and the validation must also be performed on the server side.
1.4 Data Type Manipulation: Database Error
Observation: To view the Agmarknet Price Dashboard, State, District, APMC and Commodity are selected from the dropdown entries (Fig. 1.4.1). If the Refresh button is clicked without selecting any of the fields and the POST parameter stateName is appended with invalid characters (Fig. 1.4.2), a database error occurs (Fig. 1.4.3):
https://benchmark.enam.gov.in/web/dashboard/stakeholder-data
Recommendation: All user inputs and data in all forms must be validated to be of the proper data type and within range, and the validation must also be performed on the server side.
1.5a Data Type Manipulation: Database Error
Observation: To view the Break-up of Stakeholders in e-Nam, the State Name is selected from the dropdown entries:
https://benchmark.enam.gov.in/web/dashboard/stakeholder-data
If the data type of the POST parameter state_id is changed to an array by appending square brackets [] to the parameter name (Fig. 1.5.1), the application encounters an Internal Server Error due to a database error (Fig. 1.5.2):
https://benchmark.enam.gov.in/web/Ajax_ctrl/mandidetail_enam
Recommendation: All user inputs and data in all forms must be validated to be of the proper data type and within range, and the validation must also be performed on the server side.
1.5b Data Type Manipulation: Database Error
Observation: While listing resources at https://benchmark.enam.gov.in/web/dashboard/stakeholder-data (Fig. 1.5.3), the value passed in the POST parameter text is resources (Fig. 1.5.4). If the data type of the POST parameter is changed to an array by appending square brackets [] to the parameter name (Fig. 1.5.5), the application encounters an Internal Server Error due to a database error (Fig. 1.5.6):
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/resources
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/stakeholders-involved
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/aspirational-districts
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/enam-mandi-status
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/elearning-videos
Recommendation: All user inputs and data in all forms must be validated to be of the proper data type and within range, and the validation must also be performed on the server side.
1.6 SQL Injection in Date Field
Observation: To view the eNam Mandis Trade Details, State, APMC and Commodity are selected from the dropdown lists, and the From Date and To Date fields are selected from the calendar (Fig. 1.6.1). If the POST request is intercepted and any of the fields selected from the dropdown lists is manipulated with JavaScript, the application returns status 500 (Fig. 1.6.4):
https://benchmark.enam.gov.in/web/Ajax_ctrl/apmc_list
Recommendation: All user inputs and data in all forms must be validated to be of the proper data type and within range, and the validation must also be performed on the server side.
1.7 Body Parameters Accepted in Query
Observation: In the Farmer's Login Form, if valid credentials are given (Fig. 1.7.1) and, on submission of the form, the POST request is converted to a GET request with the body parameters converted to query parameters (Fig. 1.7.2), the user still gets logged in successfully (Fig. 1.7.3):
https://benchmark.enam.gov.in/NAMV2/faces/infrastructure/SLogin.jsf
Recommendation: Body parameters should not be accepted if they are sent in the query string.
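The recommendation column of items 1.1 to 1.7 repeats the same rule: validate type, range and membership on the server, not only in the calendar widget or the dropdown. The following Python module is an added illustration of those checks; it is not the application's code. The parameter names fromDate, toDate, state_id and the /events/<scope> route are taken from the report; the set of allowed state ids, the login field names, the 7-day window as a server-side limit and the error type are assumptions made for the example.

```python
"""Server-side checks for the request parameters described in items 1.1 to
1.7. Added illustration, not the application's code: the names fromDate,
toDate, state_id and the /events/<scope> route are taken from the report;
the allowed state ids, the login field names, the 7-day rule as a
server-side limit and the error type are assumptions."""
import re
from datetime import date, timedelta

ALLOWED_STATE_IDS = {1, 2, 3, 36}          # constructed sample, not the real list
ALLOWED_EVENT_SCOPES = {"national", "state"}
MAX_HISTORY_DAYS = 7
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
ASSESSMENT_DATE = date(2021, 1, 15)        # assumed reference date for the example


class ValidationError(ValueError):
    """Raised for any request that must not reach the database."""


def scalar(form, name):
    """Return field `name` as one string.  PHP turns `state_id[]=1` into an
    array (item 1.5); here a list or dict models that and is rejected."""
    value = form.get(name)
    if value is None:
        raise ValidationError(f"{name}: missing")
    if isinstance(value, (list, tuple, dict)):
        raise ValidationError(f"{name}: must be a single value, not an array")
    return str(value)


def parse_state_id(form):
    """Items 1.3 and 1.4: an id from a dropdown must be a small non-negative
    integer that the server itself knows, so negative, alphabetic or
    script-bearing values never reach the query."""
    text = scalar(form, "state_id")
    if not re.fullmatch(r"\d{1,4}", text):
        raise ValidationError("state_id: not a non-negative integer")
    state_id = int(text)
    if state_id not in ALLOWED_STATE_IDS:
        raise ValidationError("state_id: unknown state")
    return state_id


def parse_date(form, name):
    text = scalar(form, name)
    if not ISO_DATE.fullmatch(text):
        raise ValidationError(f"{name}: expected YYYY-MM-DD")
    try:
        return date.fromisoformat(text)
    except ValueError:
        raise ValidationError(f"{name}: not a calendar date") from None


def parse_date_range(form, today=None):
    """Item 1.2: the calendar widget limits From Date to the last 7 days; the
    same rule is enforced here so a replayed POST with an older fromDate is
    refused rather than answered."""
    today = today or date.today()
    start = parse_date(form, "fromDate")
    end = parse_date(form, "toDate")
    if end > today:
        raise ValidationError("toDate: in the future")
    if start > end:
        raise ValidationError("fromDate: later than toDate")
    if start < today - timedelta(days=MAX_HISTORY_DAYS):
        raise ValidationError(f"fromDate: older than {MAX_HISTORY_DAYS} days")
    return start, end


def event_scope(segment):
    """Item 1.1: allowlist the /events/<scope> path segment; anything else
    maps to None so the controller can redirect to the index page."""
    return segment if segment in ALLOWED_EVENT_SCOPES else None


def login_fields(method, query, body):
    """Item 1.7: credentials are read from the POST body only; a GET, or any
    credential field in the query string, is refused.  Field names assumed."""
    if method != "POST" or "username" in query or "password" in query:
        raise ValidationError("credentials must be sent in the POST body only")
    return scalar(body, "username"), scalar(body, "password")


def rejected(check, *args):
    """True when `check(*args)` raises ValidationError; lets a caller confirm
    that a hostile input is refused before it reaches the database."""
    try:
        check(*args)
    except ValidationError:
        return True
    return False
```

The point of `scalar` is that the array case of item 1.5 is caught before the value is handed to the database layer; the point of the membership test in `parse_state_id` is that an id the server did not offer in the dropdown is refused even when it is a well-formed integer. Parameterised queries are still required underneath: these checks reduce what reaches the query, they do not replace binding.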
2.0 Authentication
2.1 Credential Recovery: Username Enumeration
Observation: In the login form there is a form to update the mobile number of the user (Fig. 2.1.1). If a valid username is given, the email address is disclosed (Fig. 2.1.2), so usernames can be enumerated by observing which ones cause the application to auto-fill an email address. While recovering a password as well, valid users can be enumerated because the email address of the user is returned (Fig. 2.1.3).
Usernames that could be enumerated in this way include: TS001M00001, TS006M00001, TS014M00001, TS019M00001, TS029M00001, TS032M00001 etc.
However, the application encounters a gateway error while sending the mobile number to the email address in both cases (Fig. 2.1.4):
https://benchmark.enam.gov.in/NAMV2/faces/infrastructure/SLogin.jsf
Recommendation: Instead of disclosing the email id, an OTP may be sent to the current mobile number to establish the authenticity of the user, after which the link for updating the mobile number or the password reset link can be sent to the registered email address. The response to the recovery request should be identical whether or not the username exists.
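The flow recommended for item 2.1 (OTP to the registered mobile first, nothing about the account disclosed before that step) is shown below as an added Python illustration. It is not the application's code: the user store, the SMS channel (passed in as a callable), the reply wording, the attempt limit and the masking rule are all assumptions for the example; the username pattern follows what the report observed but the records are constructed.

```python
"""Credential-recovery flow that neither reveals whether a username exists
nor discloses the registered e-mail address (item 2.1). Added illustration,
not the application's code: the user store, the OTP delivery channel, the
response wording and the attempt limit are all assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample store. The username pattern (TS001M00001) is the one the
# report observed; the records themselves are invented.
USERS = {
    "TS001M00001": {"mobile": "+919800000001", "email": "farmer1@example.org"},
}
GENERIC_REPLY = ("If the account exists, a one-time code has been sent to the "
                 "registered mobile number.")
MAX_ATTEMPTS = 5


@dataclass
class Challenge:
    otp_hash: bytes                 # only a hash of the OTP is kept server-side
    attempts_left: int = MAX_ATTEMPTS


PENDING = {}                        # username -> Challenge


def _otp_hash(otp):
    return hashlib.sha256(otp.encode()).digest()


def start_recovery(username, send_sms):
    """Return the same reply whether or not the username exists.  The OTP is
    generated and hashed before the lookup result is used, so both branches
    do the same local work; only the SMS send differs, and that is not
    visible to the requester."""
    user = USERS.get(username)
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    digest = _otp_hash(otp)
    if user is not None:
        PENDING[username] = Challenge(digest)
        send_sms(user["mobile"], f"Verification code: {otp}")
    return GENERIC_REPLY


def verify_otp(username, otp):
    """Constant-time comparison, single use, bounded number of guesses."""
    challenge = PENDING.get(username)
    if challenge is None:
        return False
    if hmac.compare_digest(challenge.otp_hash, _otp_hash(otp)):
        del PENDING[username]       # a code is good for one use only
        return True
    challenge.attempts_left -= 1
    if challenge.attempts_left <= 0:
        del PENDING[username]       # force a fresh OTP after too many guesses
    return False


def masked_email(email):
    """If an address must be shown after the OTP step, show it masked."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain
```

A production deployment also needs rate limiting of `start_recovery` per username and per client address, since an attacker who cannot distinguish accounts from the reply can still try to flood the SMS channel; the attempt counter in `verify_otp` only bounds guessing of a six-digit code once one has been issued.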
3.0 Session Management
3.1 Missing Secure Attribute of Session Cookie
Observation: When a GET request for https://benchmark.enam.gov.in is sent, the session identifier ci_session is set with a Set-Cookie directive carrying the path and HttpOnly attributes, but the cookie is issued for an encrypted (SSL) session without the "secure" attribute (Fig. 3.1.1), so a browser will also send it over plain HTTP:
https://benchmark.enam.gov.in/web/Ajax_ctrl/hooks_fun
Recommendation: The Secure attribute should be added to all sensitive cookies.
4.0 Authorization & Access Control
4.1 Direct Access to AJAX Control for Activating Menu
Observation: While activating the different submenus under a menu (Fig. 4.1.1), the application uses the following files. But instead of redirecting to the respective page, if the /Ajax_ctrl/menu_activate/ folder is accessed directly, a PHP error is encountered (Fig. 4.1.2):
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/aspirational-districts
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/elearning-videos
https://benchmark.enam.gov.in/web/Agm_ctrl/menu_activate/stakeholders-involved (Fig. 4.1.3, Fig. 4.1.4)
Recommendation: Access control should be properly implemented.
5.0 Configuration Management
5.1 Missing Response Headers
Observation: The versions of Apache and PHP can be fingerprinted from the HTTP response headers Server and X-Powered-By respectively; the versions reported are Apache/2.4.6 and PHP/5.4.16 (Fig. 5.1.1). Both are old releases with publicly reported security issues and should be upgraded to the latest secure version. (For distribution-packaged builds the version string alone is not conclusive, as security fixes are often backported without changing it, so the actual package level should be checked on the host.)
https://benchmark.enam.gov.in/web/
Recommendation: The web server may be configured to prevent information leakage from these headers of the HTTP response (ServerTokens Prod in the Apache configuration and expose_php = Off in php.ini remove the version strings). Apache and PHP may be upgraded to the latest secure version.
5.2 Missing Response Headers
Observation: In the response to the following request, the server does not set the following HTTP response headers, which help prevent attacks:
Content-Security-Policy improves the security of the web application against Cross-Site Scripting attacks by restricting the sources from which scripts and other resources may be loaded, according to the web application's policy.
The HSTS policy is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". The HSTS policy specifies a period of time during which the user agent shall access the server only in a secure fashion. Recommended value: "Strict-Transport-Security: max-age=31536000; includeSubDomains". Note that user agents honour this header only when it is received over HTTPS, so it must be set on the https:// responses, not only on the plain-HTTP redirect.
http://benchmark.enam.gov.in/web/
Recommendation: Security response headers should be configured properly.
5.3 Phishing by Navigating Browser Tabs
Observation: The application links to the following external website using anchor tags (<a>) with the attributes href and target="_blank", and the opened page gains access to the linking page via the window.opener object (Fig. 5.3.1). A window or tab opened through an ordinary href with target="_blank" can modify window.opener.location and replace the parent web page with a phishing page, or execute JavaScript against the opener page:
https://www.indiabudget.gov.in/budgetspeech.php
https://benchmark.enam.gov.in/web/
Current browsers treat target="_blank" as implying rel="noopener" by default, but older user agents do not, so the attribute should still be set explicitly.
Recommendation: The value 'noopener noreferrer' may be added to the rel attribute of all outgoing links in the web application.
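Items 3.1, 5.1, 5.2 and 5.3 can all be verified from a single captured response. The Python script below is an added illustration of such a check, not part of the report or the application: it parses one raw HTTP response and reports a session cookie without Secure, version-bearing Server and X-Powered-By headers, missing Strict-Transport-Security and Content-Security-Policy, and anchor tags that open a new tab without rel="noopener". The embedded response is constructed to resemble the report's observations (header values and the budget-speech link are the ones quoted above; the cookie value and the second link are invented) and is not a capture from the site.

```python
"""Offline check of one HTTP response for the header, cookie and link issues
reported in items 3.1, 5.1, 5.2 and 5.3. Added illustration; the sample
response is constructed to resemble the report's observations and is not a
capture from the site."""
from html.parser import HTMLParser

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.6\r\n"
    "X-Powered-By: PHP/5.4.16\r\n"
    "Set-Cookie: ci_session=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><body>'
    '<a href="https://www.indiabudget.gov.in/budgetspeech.php" target="_blank">Budget speech</a>'
    '<a href="https://example.org/" target="_blank" rel="noopener noreferrer">safe link</a>'
    '</body></html>'
)


def split_response(raw):
    """Return ([(name, value), ...], body) for a raw HTTP/1.x response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def audit_headers(headers, over_tls=True):
    findings = []
    names = {n for n, _ in headers}
    for name, value in headers:
        # Item 5.1: a version number in Server / X-Powered-By is a fingerprint.
        if name in ("server", "x-powered-by") and any(c.isdigit() for c in value):
            findings.append(f"{name}: discloses version '{value}'")
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")]
            cookie = attrs[0].split("=", 1)[0]
            if over_tls and "secure" not in attrs:          # item 3.1
                findings.append(f"cookie {cookie}: missing Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie}: missing HttpOnly")
    if over_tls and "strict-transport-security" not in names:  # item 5.2
        findings.append("missing Strict-Transport-Security")
    if "content-security-policy" not in names:                 # item 5.2
        findings.append("missing Content-Security-Policy")
    return findings


class LinkAudit(HTMLParser):
    """Item 5.3: collect <a target="_blank"> elements lacking rel=noopener."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if a.get("target") == "_blank":
            rel = (a.get("rel") or "").lower().split()
            if "noopener" not in rel:
                self.findings.append(
                    f"link {a.get('href')}: target=_blank without rel=noopener")


def audit_response(raw, over_tls=True):
    """All findings for one response, headers first, then links in the body."""
    headers, body = split_response(raw)
    findings = audit_headers(headers, over_tls)
    parser = LinkAudit()
    parser.feed(body)
    return findings + parser.findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

To use it against a live target, replace SAMPLE_RESPONSE with the raw response saved from an intercepting proxy or `curl -i`; pass over_tls=False for a plain-HTTP capture so that the Secure and HSTS checks, which only apply to HTTPS responses, are not reported spuriously.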
Appendix
Fig. 0.3.1: Registration form is filled up with proper Photo ID Type and Number
Fig. 1.1.1: National and State events can be viewed with /national and /state values passed in the URL
Fig. 1.1.2: Error occurs if JavaScript is passed in the URL instead of passing national / state
Fig. 1.1.3: If / is URL-encoded, application treats it as valid file and not found response is received
Fig. 1.3.1: Breakup of stakeholders for the selected state can be viewed
Fig. 1.3.5: POST parameter state_id is manipulated with negative out-of-range value
Fig. 1.5.1: Data type of the POST parameter state_id is manipulated to array
Fig. 1.5.5: Data type of the POST parameter text is manipulated to array
Fig. 1.5.7: Data type of the POST parameter text is manipulated to array
Fig. 1.6.1: State, APMC and Commodity are selected from dropdown lists
Fig. 1.7.2: POST method with body parameters is converted to GET with query parameters