<aside> Last update: June 28, 2024. If you have any questions, contact [email protected]
</aside>
This document aims to report the results of penetration tests on Elos (https://elos.vc).
The architecture is composed of three key components:
We conducted penetration tests on each of the components individually, following the most suitable strategy for each one of them.
In order to perform the scans, we used the Zed Attack Proxy (ZAP) (link) version 2.15.0.
The LTI endpoints were discovered using the interactive mode of ZAP. The lower-severity findings did not present any risk to security; they will nevertheless be mitigated in the future to avoid false positives.
The scan was performed against the following version set:
mconf/bbb-lti-broker:v0.6.1-beta.1
mconf/bbb-app-rooms:v0.16.2
The complete report can be found below:
| # | Category | Severity | Description | Potential impact | Mitigation |
|---|---|---|---|---|---|
| 1 | Cross Site Scripting (Reflected) | High | JavaScript code injection using the redirect_uri parameter. | It is not expected to have any impact, since the parameter is generated by the service itself. | A validation will be implemented to enforce the expected scheme and domain. |
| 2 | Cross Site Scripting (Reflected) | High | JavaScript code injection using the launch_presentation_return_url parameter. | It is not expected to have any impact, since the parameter is generated by the service itself. | A validation will be implemented to enforce the expected scheme and domain. |
| 3 | External Redirect | High | External URL redirection through the redirect_uri parameter. | It is not expected to have any impact, since the parameter is generated by the service itself. | A validation will be implemented to enforce the expected scheme and domain. |
| 4 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter redirect_uri is a SQL query. | False positive; the check is based on response time only. | |
| 5 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter launch_nonce is a SQL query. | False positive; the check is based on response time only. | |
| 6 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter session_set is a SQL query. | False positive; the check is based on response time only. | |
| 7 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter context_id is a SQL query. | False positive; the check is based on response time only. | |
| 8 | SQL Injection - Oracle - Time Based | High | The request may take longer if the parameter authenticity_token is a SQL query. | False positive; the check is based on response time only. | |
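Findings 1 to 3 share the same mitigation: a validation of redirect_uri and launch_presentation_return_url that enforces the expected scheme and domain. The following is an added example of such a check, written here in Ruby because the scanned components (bbb-lti-broker, bbb-app-rooms) are Rails applications; it is not code from the Elos project. The allowlisted hosts, the decision to accept subdomains of those hosts, and the function name are assumptions for the example.

```ruby
require "uri"

# Constructed allowlist for the example; the real deployment's hosts are not
# part of the report. Only these hosts (and their subdomains) may be targets
# of a redirect or return URL.
ALLOWED_HOSTS = ["elos.vc", "lms.example.edu"].freeze
ALLOWED_SCHEMES = ["https"].freeze

# Returns the URL string when it is safe to redirect to, nil otherwise.
# Rejecting anything that is not an absolute http(s) URL covers both the
# reflected XSS vector (javascript: and data: schemes) and the external
# redirect vector (hosts outside the allowlist) from the report.
def safe_redirect_url(raw, allowed_hosts: ALLOWED_HOSTS, allowed_schemes: ALLOWED_SCHEMES)
  return nil if raw.nil? || raw.strip.empty?

  uri = URI.parse(raw.strip)

  # URI::HTTPS is a subclass of URI::HTTP; anything else (javascript:, data:,
  # mailto:, scheme-relative "//host/" or a bare path) is refused.
  return nil unless uri.is_a?(URI::HTTP)
  return nil unless allowed_schemes.include?(uri.scheme)
  return nil if uri.host.nil?

  # "https://elos.vc@evil.example/" parses with host evil.example and
  # userinfo elos.vc; refuse userinfo outright as defence in depth.
  return nil if uri.userinfo

  host = uri.host.downcase.chomp(".")
  on_allowlist = allowed_hosts.any? { |h| host == h || host.end_with?(".#{h}") }
  return nil unless on_allowlist

  uri.to_s
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  [
    "https://elos.vc/rooms/1",
    "https://app.elos.vc/launch",
    "javascript:alert(1)",
    "http://elos.vc/",
    "https://elos.vc.evil.example/",
    "https://elos.vc@evil.example/",
    "//evil.example/"
  ].each { |u| puts "#{u.inspect} -> #{safe_redirect_url(u).inspect}" }
end
```

In a controller the result would be used as `redirect_to(safe_redirect_url(params[:redirect_uri]) || root_path)`, so a rejected value falls back to a known-good location instead of failing open. Rails 7 additionally ships `config.action_controller.raise_on_open_redirects`, which makes `redirect_to` raise for other hosts unless `allow_other_host: true` is passed; the allowlist above is still needed to restrict the host to the expected domain rather than only the current one.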