SOC2 - Launchpad Penetration Testing Report #104

Open · 3 tasks
ravilodhi opened this issue Apr 17, 2024 · 1 comment

@ravilodhi · Contributor

ravilodhi commented Apr 17, 2024

What is the motivation for adding/enhancing this feature?

Here is the Report -

20240221_OWASP_Top_10_2021_https_launchpad_hotwax_io_home.pdf

What are the acceptance criteria?

All the critical vulnerabilities should be fixed.

  • ...

Can you complete this feature request by yourself?

  • YES
  • NO

Additional information

@ravilodhi · Contributor Author

ravilodhi commented Apr 17, 2024

A01 Broken Access Control -

  1. Clickjacking: X-Frame-Options header
    UtilHttp.setResponseBrowserDefaultSecurityHeaders(response) method has this header and we started using this in the below OMS PR -
    https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs

A04 Insecure Design -

  1. Clickjacking: X-Frame-Options header
    UtilHttp.setResponseBrowserDefaultSecurityHeaders(response) method has this header and we started using this in the below OMS PR -
    https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs

  2. Content Security Policy (CSP) not implemented
    OMS PR - https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs

A05 Security Misconfiguration -

  1. Content Security Policy (CSP) not implemented
    OMS PR - https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs

  2. Permissions-Policy header not implemented
    Severity very low, not fixed.

  3. Reverse proxy detected
    Severity very low, not fixed.

  4. HTTP Strict Transport Security (HSTS) not following best practices (No includeSubDomains directive)
    The method used in the below PR has the needed changes, and we have now started using it.
    OMS PR - https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs

Note: Nothing is fixed on the app side regarding the above vulnerabilities as of now; these should be handled by the changes done on the OMS side. If needed, CSP can be handled on the app side using meta tags -

e.g. adding the below meta tag in the index.html file:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"/>
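As an added example (not code from this issue, from OMS, or from the Launchpad project), the following Python script audits a captured set of HTTP response headers against the four header findings listed in the comment above: missing X-Frame-Options, missing Content-Security-Policy, missing Permissions-Policy, and HSTS without the includeSubDomains directive. The header values in BEFORE and AFTER are constructed samples, not responses captured from launchpad.hotwax.io, and the finding identifiers are labels chosen for this example.

```python
"""Audit HTTP response headers against the header findings from the report.

Added example; BEFORE/AFTER are constructed header sets, not captured traffic.
"""

from typing import Dict, List


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives.

    Returns {'max_age': int or None, 'include_subdomains': bool, 'preload': bool}.
    """
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                result["max_age"] = None  # malformed max-age counts as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the finding identifiers that still apply to the given headers."""
    h = _lower_keys(headers)
    findings: List[str] = []

    # Clickjacking: accept either X-Frame-Options or a CSP frame-ancestors
    # directive delivered in the response header (not via a <meta> tag).
    csp = h.get("content-security-policy", "")
    has_frame_ancestors = "frame-ancestors" in csp.lower()
    if "x-frame-options" not in h and not has_frame_ancestors:
        findings.append("clickjacking-no-x-frame-options")

    if not csp:
        findings.append("csp-not-implemented")

    if "permissions-policy" not in h:
        findings.append("permissions-policy-not-implemented")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None or not parsed["include_subdomains"]:
            findings.append("hsts-missing-includesubdomains")

    return findings


# Constructed sample: a response before the header fixes were applied.
BEFORE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000",
}

# Constructed sample: the header set the fixes aim for.
AFTER = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    print("before:", audit_security_headers(BEFORE))
    print("after: ", audit_security_headers(AFTER))
```

The clickjacking check only credits a frame-ancestors directive that arrives in the Content-Security-Policy response header: browsers ignore frame-ancestors inside a meta http-equiv CSP, so a meta tag alone does not address that finding, and the AFTER policy deliberately omits 'unsafe-inline' and 'unsafe-eval', which weaken script and style restrictions when present.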

Labels
None yet
Projects
Status: 📅 Planned
Development

No branches or pull requests

1 participant