OWASP Top 10 Security Audit Reports and Documentation #22

Merged: aNebula merged 1 commit into thoth-tech:main from epineto:feature/owasp-top-10-report on Dec 21, 2024

Conversation

@epineto

@epineto epineto commented Dec 3, 2024

OWASP Top 10 Report and Action Items

Overview

This Pull Request adds documentation and a summary of the OWASP Top 10 audit findings, focusing on the API and Web components of the OnTrack application. It also includes methodologies for testing, results analysis, and actionable recommendations.

Changes

  1. Added OWASP Top 10 Audit Reports
    • reports/security/Security-Audit-OWASP-Top-10-Results-localhost-API-02122024.pdf
    • reports/security/Security-Audit-OWASP-Top-10-Results-localhost-WEB-02122024.pdf
  2. Created Documentation under the Security Section
    • Introduction: Explains vulnerabilities with examples.
    • Test Cases: Describes tests performed.
    • Methodology: Outlines steps and tools used.
    • Results: Summarizes findings.
    • Action Items: Provides recommended remediations.

Documentation

1. Introduction

The OWASP Top 10 identifies the most critical security risks in web applications. This audit focused on detecting these vulnerabilities in the OnTrack API and Web applications. Example vulnerabilities include:

  • Broken Access Control
  • Cryptographic Failures
  • Security Misconfigurations

2. Test Cases

  • Broken Access Control: Simulate unauthorized actions and access.
  • Cryptographic Failures: Check for improper implementation of encryption protocols.
  • Security Misconfigurations: Scan for insecure headers, unnecessary features, or verbose error messages.

3. Methodology

The following steps outline the process:

  • Tools Used:
    • Burp Suite
  • Steps:
    1. Configure testing environments.
    2. Run automated scans for vulnerabilities.
    3. Verify findings manually for false positives.

4. Results

Key findings include:

  • API:
    • [A01] Broken Access Control: Ruby on Rails running in development mode.
    • [A05] Security Misconfiguration: CORS misconfiguration and verbose error messages.
  • Web:
    • [A06] Vulnerable Components: Outdated libraries detected.
    • [A04] Insecure Design: Missing Content Security Policy.

5. Action Items

  • Secure Rails applications by setting them to production mode.
  • Apply strict CORS policies to prevent cross-origin vulnerabilities.
  • Upgrade outdated dependencies and libraries.
  • Implement a Content Security Policy (CSP) header for secure embedding.

Next Steps

  1. Review and merge this documentation into the dev branch.
  2. Add cards to the Security column in the OnTrack task management board for each identified action item.
  3. Schedule a follow-up audit to verify remediation.
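As an added example that is not part of this PR or the OnTrack code base, the following Ruby check inspects a captured HTTP response for the three API/Web misconfigurations the audit lists (a Rails development-mode error page, permissive CORS, missing CSP), which is the kind of check a follow-up audit could run to verify the action items. The development-mode body markers are a heuristic assumption, and the sample headers and bodies are constructed.

```ruby
# Heuristic markers from Rails' development-mode exception page (assumption).
DEV_MODE_MARKERS = ['Rails.root:', 'Extracted source (around line', 'Full Trace'].freeze

# Returns an array of finding strings for one captured response.
def audit_response(headers, body, request_origin:, trusted_origins:)
  h = headers.transform_keys { |k| k.to_s.downcase } # case-insensitive lookups
  findings = []

  # [A01] as the report labels it: a dev-mode error page leaks paths and source.
  if DEV_MODE_MARKERS.any? { |m| body.include?(m) }
    findings << '[A01] Rails development-mode error page exposed'
  end

  # [A05] CORS: '*' is only acceptable without credentials, and any origin that
  # is not on the allow-list (including one echoed back from the request) is a bug.
  acao  = h['access-control-allow-origin']
  creds = h['access-control-allow-credentials'].to_s.casecmp?('true')
  if acao == '*' && creds
    findings << '[A05] CORS: wildcard origin combined with credentials'
  elsif acao && acao != '*' && !trusted_origins.include?(acao)
    what = acao == request_origin ? 'request origin reflected' : "untrusted origin #{acao}"
    findings << "[A05] CORS: #{what}#{creds ? ' with credentials' : ''}"
  end

  # [A04] no enforced Content-Security-Policy (report-only does not block anything).
  if h['content-security-policy'].nil?
    note = h['content-security-policy-report-only'] ? ' (report-only present)' : ''
    findings << "[A04] Content-Security-Policy header missing#{note}"
  end
  findings
end

# Constructed sample: a development-mode API answering a cross-origin request.
WEAK_HEADERS = { 'Access-Control-Allow-Origin' => 'https://third-party.example',
                 'Access-Control-Allow-Credentials' => 'true' }.freeze
WEAK_BODY = '<h1>ActionController::RoutingError</h1> Rails.root: /srv/ontrack Full Trace'.freeze

# Constructed sample: the same endpoint after the action items are applied.
FIXED_HEADERS = { 'Access-Control-Allow-Origin' => 'https://ontrack.example',
                  'Access-Control-Allow-Credentials' => 'true',
                  'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts audit_response(WEAK_HEADERS, WEAK_BODY, request_origin: 'https://third-party.example',
                      trusted_origins: ['https://ontrack.example'])
end
```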

@netlify

netlify Bot commented Dec 3, 2024

Deploy Preview for ontrackdocumentation ready!

Latest commit: dea2afe
Latest deploy log: https://app.netlify.com/sites/ontrackdocumentation/deploys/6757aba04a808d0008b84cde
Deploy Preview: https://deploy-preview-22--ontrackdocumentation.netlify.app


@aditya993388 aditya993388 left a comment


PR Review Comment

The provided OWASP Top 10 compliance reports for the localhost-API and localhost-WEB have been reviewed. The documents effectively identify and outline vulnerabilities based on the OWASP Top 10 2021 framework, including detailed descriptions, affected paths, CWE mappings, CVSS scores, and remediation recommendations.

Key Strengths:

  1. Comprehensive Categorisation: Vulnerabilities are well-organized and aligned with the OWASP Top 10 categories.
  2. Clear Remediation Guidance: Each finding includes actionable recommendations along with relevant references for further guidance.
  3. Detailed Scan Data: The reports provide insightful details about the scan, including target endpoints, response times, and request breakdowns.

These reports meet the requirements for documenting the identified vulnerabilities and are approved for inclusion.


@nodogx nodogx left a comment


There is comprehensive coverage for both PDFs, where CVSS scores are provided and the impact, request and recommendations are provided with references. You have also followed the same structure as the WEB audit. This makes it easier to compare the results.

Approving, since both PDFs adhere to the OWASP Top 10 and the details provided are thorough, containing technical descriptions. Each of the issues includes the recommendations.

What could be improved would be visuals like a bar chart or pie chart showing the count of vulnerabilities per OWASP category, adding tags like (Critical, High, Medium and Low) to focus on what needs to be prioritised, and screenshots of attached evidence from the tools used, for example screenshots of Burp Suite traffic (if Burp Suite was used).

Overall, this provided very detailed, comprehensive coverage that would be easy for anyone to understand!

@aNebula aNebula self-requested a review December 21, 2024 04:50
@aNebula aNebula merged commit 41d6e83 into thoth-tech:main Dec 21, 2024