<aside> Last update: June 28, 2024. If you have any questions, contact [email protected]
</aside>

Introduction

This document aims to report the results of penetration tests on Elos (https://elos.vc).

Solution overview

The architecture is composed of three key components:

  1. Component LTI: This module is responsible for the integration between the API and Learning Management Systems (LMS) through the Learning Tools Interoperability specification (link). It provides a UI for scheduling meetings, joining meetings, and accessing the data of meetings that have already taken place. The use of this module is optional.
  2. Component API: This module is responsible for providing a unified endpoint for accessing a pool of video servers. API and Live implement the same programming interface.
  3. Component Live: This module is responsible for the virtual classroom experience.

We conducted penetration tests on each component individually, following the strategy best suited to each one.

To perform the scans, we used the Zed Attack Proxy (ZAP) (link), version 2.15.0.

Component LTI

The LTI endpoints were discovered using the interactive mode of ZAP. The lower-severity findings did not present any security risk; they will nevertheless be mitigated in the future to avoid false positives.

The scan was performed against the following version set:

The complete report can be found below:

2024-05-25-lti.html

Findings

| # | Category | Severity | Description | Potential impact | Mitigation |
|---|---|---|---|---|---|
| 1 | Cross Site Scripting (Reflected) | High | JavaScript code injection using the redirect_uri parameter. | It is not expected to have any impact, since the parameter is generated by the service itself. | A validation will be implemented to enforce the expected scheme and domain. |
| 2 | Cross Site Scripting (Reflected) | High | JavaScript code injection using the launch_presentation_return_url parameter. | It is not expected to have any impact, since the parameter is generated by the service itself. | A validation will be implemented to enforce the expected scheme and domain. |
| 3 | External Redirect | High | External URL redirection through the redirect_uri parameter. | It is not expected to have any impact, since the parameter is generated by the service itself. | A validation will be implemented to enforce the expected scheme and domain. |
| 4 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter redirect_uri is a SQL query. | False positive: the check is based on response time. | |
| 5 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter launch_nonce is a SQL query. | False positive: the check is based on response time. | |
| 6 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter session_set is a SQL query. | False positive: the check is based on response time. | |
| 7 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter context_id is a SQL query. | False positive: the check is based on response time. | |
| 8 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter authenticity_token is a SQL query. | False positive: the check is based on response time. | |
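Findings 1 to 3 share one mitigation: validate redirect_uri and launch_presentation_return_url against the expected scheme and domain before reflecting or redirecting to them. The following is an added example of such a validator, written for this page and not code from the Elos project; it assumes https as the only accepted scheme, uses elos.vc (the product site named above) and a constructed LMS hostname as the allowlist, and the function names are the example's own. It also handles the inputs that commonly slip past naive checks: scheme-relative URLs, userinfo before an attacker-controlled host, lookalike subdomains, non-standard ports, backslashes, and control characters.

```python
from urllib.parse import urlparse

# Allowlist assumed for this example. lms.example.edu is a constructed value
# standing in for the LMS that launches the tool; a real deployment would load
# these from configuration, one entry per registered platform.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"elos.vc", "lms.example.edu"}

# Fallback used when the supplied value is rejected (constructed for the example).
DEFAULT_RETURN_URL = "https://elos.vc/"


def is_allowed_return_url(value) -> bool:
    """Return True only for an absolute https URL whose host is on the allowlist.

    Exact hostname matching is deliberate: suffix checks such as
    value.endswith("elos.vc") would accept "elos.vc.evil.example".
    """
    if not isinstance(value, str) or not value:
        return False
    # Browsers strip some control characters and whitespace before parsing,
    # so a value containing them can be parsed one way here and another way
    # in the browser. Rejecting them removes that ambiguity.
    if any(ord(ch) <= 0x20 or ch == "\x7f" for ch in value):
        return False
    # Browsers treat backslashes as slashes in the authority part; urlparse
    # does not. Rejecting them keeps both parsers in agreement.
    if "\\" in value:
        return False
    parsed = urlparse(value)
    # An empty scheme covers plain text reflected into the parameter and
    # scheme-relative "//host/path"; anything that is not https is refused,
    # which also excludes javascript: and data: URLs.
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False
    try:
        host, port = parsed.hostname, parsed.port
    except ValueError:
        return False  # non-numeric or out-of-range port
    # .hostname drops userinfo and the port, so "https://elos.vc@evil.example/"
    # yields "evil.example" and is refused by the exact match below.
    if host is None or host not in ALLOWED_HOSTS:
        return False
    if port is not None and port != 443:
        return False
    return True


def safe_redirect_target(value, fallback=DEFAULT_RETURN_URL) -> str:
    """Return value when it passes validation, otherwise the trusted fallback."""
    return value if is_allowed_return_url(value) else fallback


if __name__ == "__main__":
    # Constructed sample values as they might arrive in the two parameters.
    for candidate in (
        "https://elos.vc/lti/return",
        "https://lms.example.edu/courses/42",
        "//evil.example/landing",
        "https://elos.vc@evil.example/",
        "https://elos.vc.evil.example/",
        '"><b>not a url</b>',
    ):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The validator is meant to run once, at the point where the parameter is read, with the result stored for later use; rendering the raw parameter anywhere in HTML (the reflected XSS path) should still go through the template engine's escaping, since the allowlist only guarantees the destination, not that the string is safe to emit unescaped.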