
Report No. ES/FTPL/202101/OR/C1/051834

Web Application Assessment Report


National Agriculture Market (e-NAM) Application
Ministry of Agriculture & Farmers’ Welfare
Room No. 439H, Krishi Bhawan
New Delhi - 110001
Developed by
Farmgate Technologies Pvt. Ltd.

CONFIDENTIAL Audited By: STQC IT Services, Kolkata Page 1 of 37


Contents

Table 1: Evaluation Summary
1.0 Introduction
2.0 Summary Observations
3.0 Security Issues as per OWASP ASVS
    3.1 Data & Input Validation
    3.2 Authentication
    3.3 Authorization & Access Control
    3.4 Session Management
    3.5 Error Handling
    3.6 Use of Cryptography / Data Protection
    3.7 Configuration Management
    3.8 Others
4.0 Details of Vulnerabilities
    Functional Issue
    Data & Input Validation
    Authentication
    Session Management
    Authorization & Access Control
    Configuration Management
Appendix


Table 1: Evaluation Summary

Application Details          Name: e-NAM application
                             Version & Build:
                             Release Date: Not available
Customer Name and Address    Ministry of Agriculture & Farmers’ Welfare
                             Room No. 439H, Krishi Bhawan
                             New Delhi - 110001
Production URL               https://www.enam.gov.in
Test / Temporary URL         https://benchmark.enam.gov.in
Infrastructure Details       Operating System: Linux/7.9
                             Web Server: Apache/2.4.6
                             Server-side Script: PHP/5.4.16
                             Database Server: MySQL/5.4.5
                             Framework Used: Oracle Application Development Framework (ADF)
User Roles                   1. Farmer
                             2. Trader
                             3. Mandi
Hash of Final Build          Not Available
Audited on                   1st April 2021 to 23rd April 2021 (Assessment Period)
Audit Location               STQC IT Services, Kolkata
Evaluation Method            Different software testing techniques, both manual and tool-based, have been used to
                             unearth application security vulnerabilities and weaknesses in the following broad
                             application aspects:
                             a) Data and Input Validation
                             b) Authentication
                             c) Authorization and Access Control
                             d) Session Management
                             e) Error Handling
                             f) Use of Cryptography / Data Protection
                             g) Others
                             (Reference Operating Procedure of the laboratory: OP09)
Evaluated By                 Arup Datta, Scientist ‘C’
                             Amrita Som, SO ‘SB’
Report Prepared By           Arpita Datta, Scientist ‘E’
Report Reviewed By           Subhendu Das, Scientist ‘G’, Head, e-Security
Report Sent on               29th April 2021
Other Remarks                This assessment result presents the state of security of the web application as it
                             appears through its web interface and does not include the assessment of application
                             code review, hosting infrastructure and associated security processes. The report
                             presents the findings of the audit during the audit period only.


1.0 Introduction
STQC IT Services, Kolkata has carried out a security evaluation of the application detailed in Table 1. The
vulnerabilities and weaknesses observed during the testing, along with the recommendations for closing them,
are given below. The observations indicate the status of the application during the evaluation period (see
Table 1) only.

2.0 Summary Observations


The audit was conducted on the e-NAM application hosted in the test environment, using automated tools
followed by manual verification of the discovered security vulnerabilities.

The application has been audited following the Open Web Application Security Project (OWASP) Application
Security Verification Standard 4.0 (ASVS v4.0) to discover security vulnerabilities and weaknesses. The
assessment focused on the security vulnerabilities listed in the OWASP Top 10 - 2017. The exercise attempted
to discover the typical security issues of a web application: improper input validation, insecure direct
object references, unvalidated redirects and forwards, Cross-Site Scripting (XSS), Cross-Site Request Forgery
(CSRF), broken authentication and session management (e.g. weak passwords, weak session management),
injection flaws (SQL injection, command injection, etc.), security misconfigurations, sensitive data
exposure, missing or improper access control, and issues related to well-known platforms and components.

The initial assessment observations have been shared as the assessment report referred to below. On receipt
of confirmation that the reported issues have been closed, the assessment team will verify the closure and
make its final comment.

Ref.-1: Assessment report: Report No. ES/FTPL/202101/OR/C1/051834

Disclaimer: This report is valid for the web application code in its present state only. Reassessment is
recommended for any change in the application code.


3.0 Security Issues as per OWASP ASVS


SN    | Test/Parameter                               | Observation                                      | Remarks
3.1   | Data & Input Validation                      |                                                  |
3.1.1 | Input Validation                             | Vulnerabilities are observed during assessment.  | Not Complied.
3.1.2 | Sanitization and Sandboxing                  | Vulnerabilities are observed during assessment.  | Not Complied.
3.1.3 | Output Encoding and Injection Prevention     | No issues are found during audit.                | Complied.
3.1.4 | Deserialization Prevention                   | Such option is not available in the application. | Not Applicable.
3.1.5 | File Upload                                  | Such option is not available in the application. | Not Applicable.
3.1.6 | File Execution                               | Such option is not available in the application. | Not Applicable.
3.1.7 | File Storage                                 | Such option is not available in the application. | Not Applicable.
3.1.8 | File Download                                | No issues are found during audit.                | Complied.
3.2   | Authentication                               |                                                  |
3.2.1 | Password Security                            | No issues are found during audit.                | Complied.
3.2.2 | General Authenticator                        | No issues are found during audit.                | Complied.
3.2.3 | Authenticator Lifecycle                      | No issues are found during audit.                | Complied.
3.2.4 | Credential Recovery                          | Vulnerabilities are observed during assessment.  | Not Complied.
3.2.5 | Out of Band Verifier                         | No issues are found during audit.                | Complied.
3.2.6 | Single or Multi Factor One Time Verifier     | Such option is not available in the application. | Not Applicable.
3.3   | Authorization & Access Control               |                                                  |
3.3.1 | General Access Control Design                | No issues are found during audit.                | Complied.
3.3.2 | Operation Level Access Control               | No issues are found during audit.                | Complied.
3.3.3 | Other Access Control Considerations          | Vulnerabilities are observed during assessment.  | Not Complied.
3.4   | Session Management                           |                                                  |
3.4.1 | Fundamental Session Management               | Vulnerabilities are observed during assessment.  | Not Complied.
3.4.2 | Session Binding                              | No issues are found during audit.                | Complied.
3.4.3 | Session Logout and Timeout                   | No issues are found during audit.                | Complied.
3.4.4 | Cookie-based Session Management              | No issues are found during audit.                | Complied.
3.4.5 | Defences against Session Management Exploits | No issues are found during audit.                | Complied.
3.5   | Error Handling                               |                                                  |
3.5.1 | Log Content Requirements                     | Such option is not available in the application. | Not Applicable.
3.5.2 | Error Handling                               | No issues are found during audit.                | Complied.
3.6   | Use of Cryptography / Data Protection        |                                                  |
3.6.1 | Algorithm                                    | No issues are found during audit.                | Complied.
3.6.2 | Client-side Data Protection                  | No issues are found during audit.                | Complied.
3.6.3 | Sensitive Private Data                       | No issues are found during audit.                | Complied.
3.6.4 | Communications Security                      | No issues are found during audit.                | Complied.
3.6.5 | Deployed Application Integrity Controls      | Vulnerabilities are observed during assessment.  | Not Complied.
3.7   | Configuration Management                     |                                                  |
3.7.1 | Dependency                                   | No issues are found during audit.                | Complied.
3.7.2 | Unintended Security Disclosure               | No issues are found during audit.                | Complied.
3.7.3 | HTTP Security Headers                        | Vulnerabilities are observed during assessment.  | Not Complied.
3.7.4 | Validate HTTP Request Header                 | No issues are found during audit.                | Complied.
3.8   | Others                                       |                                                  |
3.8.1 | Business Logic Security                      | Such option is not available in the application. | Not Applicable.
3.8.2 | SSRF Protection                              | No issues are found during audit.                | Complied.


4.0 Details of Vulnerabilities

Each entry gives the serial number and vulnerability, the observation with the affected URL(s), and the
remarks / recommendation.
0.0 Functional Issues

0.1 Training Feedback
Observation: The Training Feedback form has no CAPTCHA. When it is filled in with valid inputs and proper
ratings (Fig. 0.1.1), a PHP error is raised on submission of the form (Fig. 0.1.2). In addition, a private IP
address (192.168.1.232) is disclosed in the page source (Fig. 0.1.3).
URL: https://benchmark.enam.gov.in/web/training_feedback
Recommendation: The functional issue should be resolved, the internal address should be removed from the
client-visible source, and all entry forms should be CAPTCHA-enabled.

0.2 Contact Us
Observation: The Contact Us form has a CAPTCHA field, but the CAPTCHA itself is never returned in the form,
so the form cannot be submitted (Fig. 0.2.1).
URL: https://benchmark.enam.gov.in/web/contact-us
Recommendation: The functional issue should be resolved.

0.3 Registration Form
Observation: When the Registration Form is filled in with a valid Photo ID Type and Photo ID Number
(Fig. 0.3.1), the application still asks for a proper Photo ID Type (Fig. 0.3.2).
URL: https://benchmark.enam.gov.in/NAMV2/home/other_register.html
Recommendation: The functional issue should be resolved.

0.4 Trader Login
Observation: The login form has a separate Trader Login link (Fig. 0.4.1) which points to the production site
rather than the test environment (Fig. 0.4.2).
URL: https://benchmark.enam.gov.in/NAMV2/faces/infrastructure/SLogin.jsf
Recommendation: The functional issue should be resolved.
1.0 Data & Input Validation

1.1 Missing URL Validation
Observation: National and state events are viewed by passing /national or /state in the URL (Fig. 1.1.1). If
JavaScript is passed in place of these values, the application returns an error because of disallowed
characters (Fig. 1.1.2); if the ‘/’ character is URL-encoded instead, the application treats the value as a
file name and returns a Not Found response (Fig. 1.1.3).
URL: https://benchmark.enam.gov.in/web/events
Recommendation: The event type should be checked against a whitelist (national, state), and the application
should redirect to the index page for any other value.

1.2 Missing Server-side Validation
Observation: In the Agmarknet dashboard, details of the selected commodity can be viewed for the last week
only: the calendar does not allow a From Date older than 7 days (Fig. 1.2.1).
URL: https://benchmark.enam.gov.in/web/dashboard/agmarknet
If the POST parameter fromDate is changed to an older date when the form is submitted (Fig. 1.2.2), the
older records are returned as well (Fig. 1.2.3), because the same restriction is not enforced on the server
side.
URL: https://benchmark.enam.gov.in/web/Agm_ctrl/trade_data_list
Recommendation: All user inputs and data in all forms must be validated to be of the proper data type and
within range, and that validation must be repeated on the server side; a check that exists only in the
calendar widget is bypassed by anyone who edits the request.
1.3a Missing Validation of Selection Lists
Observation: To view the break-up of stakeholders in e-NAM, a State Name is selected from the dropdown
entries (Fig. 1.3.1).
URL: https://benchmark.enam.gov.in/web/dashboard/stakeholder-data
If the POST parameter state_id is changed to an out-of-range value on submission (Fig. 1.3.2), the
application returns an internal server error (Fig. 1.3.3).
URL: https://benchmark.enam.gov.in/web/Ajax_ctrl/mandidetails_enum
Recommendation: All user inputs and data in all forms must be validated on the server side to be of the
proper data type and within range. A value submitted from a selection list should be checked against the
set of ids the list was built from, and an unexpected value should produce a controlled error response
rather than a server error.
1.3b Missing Validation of Selection Lists
Observation: To view state-wise trading data in e-NAM, a State Name is selected from the dropdown entries
(Fig. 1.3.4).
URL: https://benchmark.enam.gov.in/web/dashboard/trade-data
If the POST parameter state_id is changed to a negative out-of-range value on submission (Fig. 1.3.5), the
application returns an internal server error (Fig. 1.3.6).
URL: https://benchmark.enam.gov.in/web/Ajax_ctrl/apmc_list
Recommendation: All user inputs and data in all forms must be validated on the server side to be of the
proper data type and within range, and a value from a selection list should be checked against the set of
permitted ids.

1.4 Data Type Manipulation: Database Error
Observation: To view the Agmarknet Price Dashboard, State, District, APMC and Commodity are selected from
the dropdown entries (Fig. 1.4.1). If the Refresh button is clicked without selecting any of the fields and
the POST parameter stateName is appended with invalid characters (Fig. 1.4.2), a database error occurs
(Fig. 1.4.3).
URL: https://benchmark.enam.gov.in/web/dashboard/stakeholder-data
Recommendation: All user inputs and data in all forms must be validated on the server side to be of the
proper data type and within range. Database errors must not be returned to the client: the error text
reveals query structure and table names to an attacker.

1.5a Data Type Manipulation: Database Error
Observation: To view the break-up of stakeholders in e-NAM, a State Name is selected from the dropdown
entries.
URL: https://benchmark.enam.gov.in/web/dashboard/stakeholder-data
If the POST parameter state_id is renamed to state_id[] by appending square brackets (Fig. 1.5.1), PHP
delivers the parameter to the application as an array instead of a string, and the application returns an
Internal Server Error caused by a database error (Fig. 1.5.2).
URL: https://benchmark.enam.gov.in/web/Ajax_ctrl/mandidetail_enam
Recommendation: All user inputs and data in all forms must be validated on the server side to be of the
proper data type and within range. In addition to type and range checks, the handler should confirm that each
parameter arrived as a scalar (is_string rather than is_array in PHP) before using it.

1.5b Data Type Manipulation: Database Error
Observation: While listing resources at https://benchmark.enam.gov.in/web/dashboard/stakeholder-data
(Fig. 1.5.3), the value passed in the POST parameter text is resources (Fig. 1.5.4). If the parameter is
renamed to text[] so that it is delivered as an array (Fig. 1.5.5), the application returns an Internal
Server Error caused by a database error (Fig. 1.5.6).
Affected URLs:
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/resources
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/stakeholders-involved
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/aspirational-districts
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/enam-mandi-status
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/elearning-videos
Recommendation: All user inputs and data in all forms must be validated on the server side to be of the
proper data type and within range, including a check that each parameter is a scalar.
1.6 SQL Injection in Date Field
Observation: To view the e-NAM Mandis Trade Details, State, APMC and Commodity are selected from the
dropdown lists, and From Date and To Date are selected from the calendar (Fig. 1.6.1).
URL: https://benchmark.enam.gov.in/web/dashboard/trade-data
If the POST request is intercepted and SQL injection is attempted in the POST parameter fromDate
(Fig. 1.6.2), the application returns all records for the selected commodity (Fig. 1.6.3): the injected
value reaches the query and defeats the date filter.
If the POST request is intercepted and any of the fields selected from the dropdown lists is manipulated
with JavaScript, the application returns status 500 (Fig. 1.6.4).
URL: https://benchmark.enam.gov.in/web/Ajax_ctrl/apmc_list
Recommendation: All user inputs must be validated on the server side for data type, format and range (a
date field should accept only a date in the expected format). Independently of validation, the query must
be built with parameterised statements (prepared statements with bound parameters) so that user-supplied
values are passed as data and can never change the SQL; input validation alone is not a defence against SQL
injection.
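Findings 1.2 to 1.6 come down to the same two controls: type and range validation repeated on the server, and a query that binds user values instead of concatenating them. The following is an added example written for this edit, not code from the e-NAM application or from the STQC report, of a PHP handler of the same shape as the /web/Ajax_ctrl and /web/Agm_ctrl endpoints above. The parameter names state_id, fromDate and toDate come from the report; the Y-m-d date format, the state allow-list, the table and column names and the PDO connection are assumptions.

```php
<?php
// Added example, not e-NAM code: server-side validation for findings 1.2 to 1.6 on a
// handler shaped like /web/Agm_ctrl/trade_data_list, then a parameterised query.
// state_id, fromDate, toDate follow the report; the date format (Y-m-d), the state
// list and the table/column names are assumptions. Runs on PHP 5.4 and later.

// Allow-list of valid state ids. In the application this would come from the table
// that populates the State dropdown; here it is a constructed sample.
function known_state_ids() {
    return array(1 => 'Andhra Pradesh', 6 => 'Gujarat', 14 => 'Madhya Pradesh');
}

// A parameter must arrive as a single string. Renaming it to state_id[] makes PHP
// deliver an array instead, which is what produced the errors in 1.5a and 1.5b.
function scalar_param(array $post, $name) {
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    return trim($post[$name]);
}

// Accept a date only in the exact form the calendar submits. The regex rejects any
// extra characters (quotes, SQL keywords, script); the createFromFormat error check
// rejects impossible dates such as 2021-02-30.
function parse_strict_date($value) {
    if ($value === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return null;
    }
    $dt  = DateTime::createFromFormat('!Y-m-d', $value);
    $err = DateTime::getLastErrors();   // returns false on PHP 8.2+ when clean
    if ($dt === false || ($err !== false && ($err['warning_count'] > 0 || $err['error_count'] > 0))) {
        return null;
    }
    return $dt;
}

// Validate the whole request. $today is injected so the 7-day window of finding 1.2
// is checked deterministically. Error strings are generic: no SQL or stack detail.
function validate_trade_request(array $post, DateTime $today) {
    $stateId = filter_var(scalar_param($post, 'state_id'), FILTER_VALIDATE_INT,
                          array('options' => array('min_range' => 1)));
    if ($stateId === false || !array_key_exists($stateId, known_state_ids())) {
        return array('ok' => false, 'error' => 'invalid state');
    }
    $from = parse_strict_date(scalar_param($post, 'fromDate'));
    $to   = parse_strict_date(scalar_param($post, 'toDate'));
    if ($from === null || $to === null || $from > $to) {
        return array('ok' => false, 'error' => 'invalid date range');
    }
    $earliest = clone $today;           // the calendar's "not older than 7 days" rule,
    $earliest->modify('-7 days');       // enforced where the client cannot remove it
    if ($from < $earliest || $to > $today) {
        return array('ok' => false, 'error' => 'date outside permitted window');
    }
    return array('ok' => true, 'params' => array(
        'state_id' => $stateId,
        'from'     => $from->format('Y-m-d'),
        'to'       => $to->format('Y-m-d'),
    ));
}

// Bound parameters: the values travel as data and cannot alter the SQL, which closes
// the injection of finding 1.6 even if validation were bypassed. Names illustrative.
function fetch_trade_data(PDO $db, array $p) {
    $stmt = $db->prepare(
        'SELECT trade_date, commodity, min_price, max_price, modal_price
           FROM trade_data
          WHERE state_id = :state_id AND trade_date BETWEEN :from_date AND :to_date
          ORDER BY trade_date');
    $stmt->bindValue(':state_id',  $p['state_id'], PDO::PARAM_INT);
    $stmt->bindValue(':from_date', $p['from'],     PDO::PARAM_STR);
    $stmt->bindValue(':to_date',   $p['to'],       PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Controller entry point. Refusing anything but POST also keeps the direct browser
// navigation to AJAX controllers seen in finding 4.1 away from the query code.
function handle_trade_data_list(PDO $db) {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Location: /web/dashboard/trade-data', true, 303);
        return;
    }
    $result = validate_trade_request($_POST, new DateTime('today'));
    header('Content-Type: application/json');
    if (!$result['ok']) {
        http_response_code(400);
        echo json_encode(array('error' => $result['error']));
        return;
    }
    echo json_encode(fetch_trade_data($db, $result['params']));
}

// Stand-alone check with constructed requests, no database needed: a normal dashboard
// submission, the older date of finding 1.2, and the array-typed state_id of 1.5a.
$today = new DateTime('2021-04-15');
$cases = array(
    'good'  => array('state_id' => '6',          'fromDate' => '2021-04-10', 'toDate' => '2021-04-12'),
    'old'   => array('state_id' => '6',          'fromDate' => '2019-01-01', 'toDate' => '2021-04-12'),
    'array' => array('state_id' => array('6'),   'fromDate' => '2021-04-10', 'toDate' => '2021-04-12'),
);
foreach ($cases as $label => $req) {
    $r = validate_trade_request($req, $today);
    echo $label, ': ', ($r['ok'] ? 'accepted' : 'rejected (' . $r['error'] . ')'), "\n";
}
```

validate_trade_request() has no side effects, so it can be unit-tested without a database; running the file on the CLI shows the three constructed requests being accepted or rejected. The window is compared against the server's own date, so widening the calendar on the client changes nothing.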
1.7 Body Parameters Accepted in Query String
Observation: In the Farmer’s Login form, if valid credentials are entered (Fig. 1.7.1) and the POST request
is converted on submission into a GET request with the body parameters moved into the query string
(Fig. 1.7.2), the user is still logged in successfully (Fig. 1.7.3).
URL: https://benchmark.enam.gov.in/NAMV2/faces/infrastructure/SLogin.jsf
Recommendation: Body parameters should not be accepted when they are sent in the query string. Credentials
carried in a URL are recorded in browser history, in proxy and web server access logs and in Referer
headers, so the login endpoint should accept POST only and read the credentials from the request body.
2.0 Authentication

2.1 Credential Recovery: Username Enumeration
Observation: The login page has a form for updating the user’s mobile number (Fig. 2.1.1). If a valid
username is entered, the application auto-fills the user’s e-mail address (Fig. 2.1.2), so valid usernames
can be enumerated, and their e-mail addresses harvested, by submitting candidate usernames. Password
recovery behaves the same way: the e-mail address of a valid user is returned (Fig. 2.1.3).
Usernames confirmed valid in this way include TS001M00001, TS006M00001, TS014M00001, TS019M00001,
TS029M00001 and TS032M00001; the usernames follow a predictable pattern.
However, in both cases the application encounters a gateway error while sending the mobile number to the
e-mail address (Fig. 2.1.4).
URL: https://benchmark.enam.gov.in/NAMV2/faces/infrastructure/SLogin.jsf
Recommendation: Instead of disclosing the e-mail address, an OTP may be sent to the currently registered
mobile number to verify the user, after which a link for updating the mobile number, or a password reset
link, can be sent to the registered e-mail address. The response to a recovery request should be the same
whether or not the username exists, so that the form cannot be used to confirm valid usernames.
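As an added illustration of the recommendation above (example code written for this edit, not the e-NAM application’s own recovery logic), the following PHP shows a recovery endpoint that cannot be used as a username oracle: the response is identical for registered and unregistered usernames, the e-mail address is never returned, and the OTP goes only to the mobile number already on record. The user store, the SMS outbox and the username pattern check are constructed for the example; the TS001M00001 format follows the usernames listed in the finding.

```php
<?php
// Added example, not e-NAM code: an enumeration-resistant recovery / mobile-number
// update handler for finding 2.1. User store and SMS outbox are constructed stand-ins;
// the username pattern follows TS001M00001. Needs PHP 7+ (random_int, hash_equals).

// Constructed user records: username => registered mobile number.
function lookup_user($username) {
    static $users = array(
        'TS001M00001' => array('mobile' => '+919800000001'),
        'TS006M00001' => array('mobile' => '+919800000006'),
    );
    return isset($users[$username]) ? $users[$username] : null;
}

// Six-digit code from a CSPRNG, kept server-side with a five-minute expiry and never
// returned to the caller of the recovery request.
function issue_otp($username, array &$otp_store) {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $otp_store[$username] = array('code' => $code, 'expires' => time() + 300);
    return $code;
}

// Same message, same status and the same random_int() call on every path, so neither
// the body nor the response time tells the caller whether the username is registered.
function handle_recovery_request($username, array &$otp_store, array &$sms_outbox) {
    $reply = array(
        'status'  => 200,
        'message' => 'If the username is registered, a one-time code has been sent to its registered mobile number.',
    );
    $user = preg_match('/^[A-Z]{2}\d{3}M\d{5}$/', $username) ? lookup_user($username) : null;
    if ($user === null) {
        random_int(0, 999999);          // mirror the work done for a real user
        return $reply;
    }
    $code = issue_otp($username, $otp_store);
    $sms_outbox[] = array('to' => $user['mobile'], 'text' => 'Your e-NAM verification code is ' . $code);
    return $reply;
}

// Second step: constant-time comparison, and the code is consumed on first use so a
// wrong guess cannot be followed by retries of the same code. Rate-limit this too.
function verify_otp($username, $submitted, array &$otp_store) {
    if (!isset($otp_store[$username]) || $otp_store[$username]['expires'] < time()) {
        return false;
    }
    $ok = hash_equals($otp_store[$username]['code'], (string) $submitted);
    unset($otp_store[$username]);
    return $ok;
}

// Stand-alone check with constructed requests: a registered and an unregistered
// username produce byte-identical responses; only the outbox differs.
$otps = array();
$sms  = array();
$known   = handle_recovery_request('TS001M00001', $otps, $sms);
$unknown = handle_recovery_request('TS999M99999', $otps, $sms);
echo 'responses identical: ', var_export($known === $unknown, true), "\n";
echo 'messages queued: ', count($sms), "\n";
echo 'otp accepted: ', var_export(verify_otp('TS001M00001', $otps['TS001M00001']['code'], $otps), true), "\n";
```

The mobile-number update and the password reset both sit behind verify_otp(); the e-mail with the update or reset link is sent only after the OTP check succeeds, which is the ordering the recommendation describes.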
3.0 Session Management

3.1 Missing Secure Attribute on Session Cookie
Observation: On a GET request to https://benchmark.enam.gov.in, the session identifier ci_session is set
with a Set-Cookie header carrying the path and HttpOnly attributes, but without the Secure attribute, even
though the session is served over an encrypted (SSL/TLS) connection (Fig. 3.1.1). Without Secure, a browser
will also send the cookie on a plain http:// request to the host, where it can be captured on the network.
URL: https://benchmark.enam.gov.in/web/Ajax_ctrl/hooks_fun
Recommendation: The Secure attribute should be added to all sensitive cookies.
4.0 Authorization & Access Control

4.1 Direct Access to AJAX Controller for Activating Menus
Observation: While activating the different sub-menus under a menu (Fig. 4.1.1), the application calls the
endpoints listed below. If a /Ajax_ctrl/menu_activate/ endpoint is accessed directly in the browser, the
application returns a PHP error instead of redirecting to the respective page (Fig. 4.1.2):
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/aspirational-districts
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/elearning-videos
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/enam-mandi-status
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/resources
https://benchmark.enam.gov.in/web/Ajax_ctrl/menu_activate/stakeholders-involved
The same PHP error is returned if the following location is accessed directly (Fig. 4.1.3, Fig. 4.1.4):
https://benchmark.enam.gov.in/web/Agm_ctrl/menu_activate/stakeholders-involved
Recommendation: Access control should be properly implemented. Controllers intended only for AJAX calls
should reject direct browser requests (for example non-POST requests, or requests without the expected
X-Requested-With header) with a redirect or a 404, and any unexpected call should produce a generic error
page rather than a PHP error.
5.0 Configuration Management

5.1 Version Disclosure in Response Headers
Observation: The versions of Apache and PHP can be fingerprinted from the HTTP response headers Server and
X-Powered-By respectively: Apache/2.4.6 and PHP/5.4.16 (Fig. 5.1.1). Both releases are old (PHP 5.4 has
been end-of-life since September 2015) and have publicly reported security issues that are fixed in later
releases.
URL: https://benchmark.enam.gov.in/web/
Recommendation: The web server should be configured so that these headers do not disclose version
information (ServerTokens Prod in the Apache configuration, expose_php = Off in php.ini), and Apache and PHP
should be upgraded to the latest secure versions. Note that distribution packages such as CentOS 7’s httpd
2.4.6 backport security fixes without changing the version string, so the actual patch level should be
confirmed from the installed package rather than from the banner; hiding the banner does not reduce the
exposure of an unpatched version.
5.2 Missing Security Response Headers
Observation: In the response to the following request, the server does not set the security response
headers listed below.
Content-Security-Policy restricts the origins from which scripts, styles and other resources may be loaded,
according to the web application’s policy, and so limits what an attacker can do with a Cross-Site Scripting
flaw.
Strict-Transport-Security (HSTS): the target website has no HSTS policy. HSTS is a web security policy
mechanism by which a web server declares that complying user agents (such as a web browser) are to interact
with it only over secure (HTTPS) connections. The policy is communicated by the server to the user agent
through the HTTP response header field Strict-Transport-Security, which specifies the period during which
the user agent shall access the server only in a secure fashion.
Recommended value: Strict-Transport-Security: max-age=31536000; includeSubDomains
URL: http://benchmark.enam.gov.in/web/
Recommendation: The security response headers should be configured properly. Browsers honour the HSTS header
only when it is received over HTTPS, so it must be sent on the https:// responses and the http:// site
should redirect to https://. includeSubDomains commits every subdomain of the host to HTTPS, so confirm that
all of them are served over TLS before enabling it. A Content-Security-Policy should be introduced in
report-only mode first, because an enforcing policy blocks inline scripts and every resource origin it does
not list.
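Findings 3.1, 5.1 and 5.2 are all properties of the response, so they can be fixed in one place. The following PHP is an added example written for this edit, not the e-NAM application’s configuration: it sets the Secure and HttpOnly attributes on the ci_session cookie, sends HSTS and a starting Content-Security-Policy on every response, and strips the X-Powered-By banner. The cookie name comes from the report; that the application is CodeIgniter is an assumption drawn from that name, and the CSP shown is a conservative starting point rather than the application’s actual policy.

```php
<?php
// Added example, not e-NAM code: response hardening for findings 3.1 (Secure attribute
// on ci_session), 5.1 (version banners) and 5.2 (HSTS, CSP), applied from PHP so that
// every response carries it. CodeIgniter is assumed from the cookie name only.

// Finding 3.1: Secure and HttpOnly on the session cookie, set before session_start().
// Secure stops the browser sending the cookie on a plain http:// request to the host.
// For CodeIgniter the same is done in application/config/config.php with
// $config['cookie_secure'] = TRUE; and $config['cookie_httponly'] = TRUE;
function configure_session_cookie() {
    session_name('ci_session');
    // lifetime 0 (browser session), path '/', domain '' (this host), secure, httponly
    session_set_cookie_params(0, '/', '', true, true);
}

// Finding 5.2: the headers to send on every response, returned as a list so they can
// be reviewed (or unit-tested) in one place.
function security_headers() {
    return array(
        // Browsers only honour HSTS when it arrives over https://, so the http:// site
        // must redirect to https:// and this header must be on the https:// responses.
        // includeSubDomains commits every subdomain of the host to HTTPS as well.
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        // Self-only CSP with no inline script. Deploy it first as
        // Content-Security-Policy-Report-Only, fix the pages that report violations
        // (inline <script> blocks will), then switch to the enforcing header.
        'Content-Security-Policy'   => "default-src 'self'; object-src 'none'; "
                                     . "frame-ancestors 'self'; base-uri 'self'",
        'X-Content-Type-Options'    => 'nosniff',
        'X-Frame-Options'           => 'SAMEORIGIN',
        'Referrer-Policy'           => 'strict-origin-when-cross-origin',
    );
}

function send_security_headers() {
    foreach (security_headers() as $name => $value) {
        header($name . ': ' . $value);
    }
    // Finding 5.1: X-Powered-By is added by PHP itself; header_remove() drops it per
    // response and expose_php = Off in php.ini stops it globally. The Server banner is
    // Apache's and needs ServerTokens Prod in httpd.conf. Neither setting patches the
    // old versions, which still have to be upgraded.
    header_remove('X-Powered-By');
}

// Call from the front controller before any output is produced.
function harden_response() {
    configure_session_cookie();
    send_security_headers();
    session_start();
}

// Stand-alone check: list the headers that would be sent. On the CLI, header() is a
// no-op, so this only prints the policy for review.
foreach (security_headers() as $name => $value) {
    echo $name, ': ', $value, "\n";
}
```

After deployment, re-check with the same request the finding used: the Set-Cookie line for ci_session must now include Secure, the https:// response must carry Strict-Transport-Security, and X-Powered-By must be absent.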
5.3 Phishing by Navigating Browser Tabs (Reverse Tabnabbing)
Observation: The application links to the following external websites using anchor tags (<a>) with an href
attribute and target="_blank" but without rel="noopener", so the opened page receives a reference to the
e-NAM tab through the window.opener object (Fig. 5.3.1). A window or tab opened in this way cannot read or
script the opener across origins, but it can set window.opener.location and replace the e-NAM page with a
phishing page while the user’s attention is on the new tab.
Linked sites:
https://www.indiabudget.gov.in/budgetspeech.php
https://www.indiabudget.gov.in/hbudgetspeech.php
http://agricoop.nic.in/en/agriculturereforms/guidelines-agriculture-infrastructure-fund-hindi
https://www.sfacindia.com/
https://india.gov.in/
https://digitizeindia.gov.in/
https://data.gov.in/
https://meity.gov.in/
https://pmindia.gov.in/
http://www.nagarjunafertilizers.com/
https://digipay.gov.in/dashboard/Default.aspx
URL: https://benchmark.enam.gov.in/web/
Recommendation: The value ‘noopener noreferrer’ should be added to the rel attribute of every outgoing link
in the web application that uses target="_blank". Current versions of Chrome, Firefox and Safari already
treat target="_blank" as if noopener were set, so the explicit attribute protects users on older browsers,
and noreferrer additionally stops the e-NAM page URL being sent in the Referer header to the third-party
site.
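As an added example for this edit (not code from the e-NAM application), the following PHP shows the fix as an output filter plus the check that verifies it: every <a target="_blank"> in a rendered page gets rel="noopener noreferrer", and a second function lists any such link still lacking noopener. The sample HTML is constructed; two of its link targets are taken from the list above.

```php
<?php
// Added example, not e-NAM code: an output filter that adds rel="noopener noreferrer"
// to every <a target="_blank"> (finding 5.3), plus a checker for links still lacking it.
//
// Why: a page opened with target="_blank" and no rel="noopener" gets a window.opener
// reference to the e-NAM tab and can run window.opener.location = 'https://phish.example/'
// to swap the original tab for a look-alike login page. noreferrer additionally keeps
// the e-NAM URL out of the Referer header sent to the third-party site.

function rel_tokens(DOMElement $a) {
    $rel = preg_split('/\s+/', trim($a->getAttribute('rel')), -1, PREG_SPLIT_NO_EMPTY);
    return array_map('strtolower', $rel);
}

function parse_html($html) {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate HTML5 tags libxml does not know
    $doc->loadHTML($html, LIBXML_HTML_NODEFDTD);  // keep the page's own doctype
    libxml_clear_errors();
    return $doc;
}

// The fix: add the missing rel tokens, leaving links without target="_blank" untouched.
function add_noopener($html) {
    $doc = parse_html($html);
    foreach ($doc->getElementsByTagName('a') as $a) {
        if (strtolower($a->getAttribute('target')) !== '_blank') {
            continue;
        }
        $rel = rel_tokens($a);
        foreach (array('noopener', 'noreferrer') as $token) {
            if (!in_array($token, $rel, true)) {
                $rel[] = $token;
            }
        }
        $a->setAttribute('rel', implode(' ', $rel));
    }
    return $doc->saveHTML();
}

// The check: hrefs of target="_blank" links that still have no noopener.
function unsafe_blank_links($html) {
    $unsafe = array();
    foreach (parse_html($html)->getElementsByTagName('a') as $a) {
        if (strtolower($a->getAttribute('target')) === '_blank'
            && !in_array('noopener', rel_tokens($a), true)) {
            $unsafe[] = $a->getAttribute('href');
        }
    }
    return $unsafe;
}

// Constructed sample: one unprotected external link, one already carrying noopener,
// and one same-site link without target="_blank" that must be left alone.
$sample = '<!DOCTYPE html><html><body>'
        . '<a href="https://www.sfacindia.com/" target="_blank">SFAC</a> '
        . '<a href="https://india.gov.in/" target="_blank" rel="noopener">India</a> '
        . '<a href="/web/events">Events</a>'
        . '</body></html>';

echo 'Before: ', implode(', ', unsafe_blank_links($sample)), "\n";
$fixed = add_noopener($sample);
echo 'After:  ', implode(', ', unsafe_blank_links($fixed)), "\n";
echo $fixed;
```

Running unsafe_blank_links() against the live pages after the change is the quickest way to confirm closure of the finding; the function can also be pointed at templates before they are deployed.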


Appendix

Figure captions (the screenshots themselves are not reproduced in this text):

Fig. 0.1.1: Training Feedback form is filled up with proper values
Fig. 0.1.2: PHP error occurs
Fig. 0.1.3: Private IP address gets disclosed
Fig. 0.2.1: Missing CAPTCHA
Fig. 0.3.1: Registration form is filled up with proper Photo ID Type and Number
Fig. 0.3.2: Application still asks for Photo ID Type
Fig. 0.4.1: Link to login as trader in the login form
Fig. 0.4.2: Trader Login of the production application is linked
Fig. 1.1.1: National and State events can be viewed with /national and /state values passed in the URL
Fig. 1.1.2: Error occurs if JavaScript is passed in the URL instead of national / state
Fig. 1.1.3: If / is URL-encoded, the application treats it as a file name and a Not Found response is received
Fig. 1.2.1: From Date cannot be older than 1 week
Fig. 1.2.2: POST parameter fromDate is changed to an older date
Fig. 1.2.3: All previous records are returned
Fig. 1.3.1: Break-up of stakeholders for the selected state can be viewed
Fig. 1.3.2: POST parameter state_id is manipulated with an out-of-range value
Fig. 1.3.3: Internal server error occurs
Fig. 1.3.4: State-wise trading data can be viewed
Fig. 1.3.5: POST parameter state_id is manipulated with a negative out-of-range value
Fig. 1.3.6: Database error occurs
Fig. 1.4.1: Price dashboard of Agmarknet
Fig. 1.4.2: POST parameter stateName is appended with ‘”)/>
Fig. 1.4.3: Database error occurs
Fig. 1.5.1: Data type of the POST parameter state_id is manipulated to array
Fig. 1.5.2: Database error is encountered
Fig. 1.5.3: Available resources
Fig. 1.5.4: Value passed in the POST parameter text is resources
Fig. 1.5.5: Data type of the POST parameter text is manipulated to array
Fig. 1.5.6: Database error is encountered
Fig. 1.5.7: Data type of the POST parameter text is manipulated to array
Fig. 1.5.8: Database error occurs
Fig. 1.6.1: State, APMC and Commodity are selected from dropdown lists
Fig. 1.6.2: SQL injection is attempted in the POST parameter fromDate
Fig. 1.6.3: All records of the selected commodity are returned
Fig. 1.6.4: Missing validation of stateName resulted in status 500
Fig. 1.7.1: Login form is filled up with valid credentials
Fig. 1.7.2: POST method with body parameters is converted to GET with query parameters
Fig. 1.7.3: Successfully logged in
Fig. 2.1.1: Username and Email Id can be enumerated
Fig. 2.1.2: Username and Email Id can be enumerated
Fig. 2.1.3: Username and Email Id can be enumerated
Fig. 2.1.4: Connection to the server fails
Fig. 3.1.1: Missing Secure attribute
Fig. 4.1.1: Stakeholders involved
Fig. 4.1.2: PHP error occurs if /Ajax_ctrl/menu_activate/ is directly accessed
Fig. 4.1.3: AGMARKNET under Dashboard
Fig. 4.1.4: PHP error occurs if /Agm_ctrl/menu_activate/ is directly accessed
Fig. 5.1.1: HTTP response headers
Fig. 5.3.1: Third-party links