TOLOGIX - ISLG Maintenance

Project dealing with all ongoing maintenance of the current ISLG application (www.investorstatelawguide.com and dev.investorstatelawguide.com).

July 2019 - results

Assigned to
Harsh Parikh, Tech Lead at DevIT; Jitesh Dhuravala, DevIT

Comments & Events

Ryan Knuth, Customer Support Manager at Industrial
Hi all,

Please find attached the latest security scan of the dev.islg non-member pages. There is only 1 High alert, 1 Medium, and a few low.

Thanks!

Ryan
Morgan Maguire, CEO
Hi Jitesh and Harsh,

Would it be possible to get your assessment of the report above? How do you propose we deal with each risk identified in the report?

Thanks,

Morgan 
Morgan Maguire, CEO
Hi Jitesh and Harsh,

Following up on the report above. Please provide your assessment on how we are going to resolve the outstanding security issues on the non-member pages. I don't want to leave these unresolved.

Morgan 
Jitesh Dhuravala, DevIT
Hi Morgan,

We have studied the scanning report and found that there are two alerts at High level, which will not be resolved because they require changing the architecture of the development style. The other five Low-level alerts will be done and we will update you soon. Please find details of each in the image below.

Thanks,
Jitesh
Morgan Maguire, CEO
Ok, Jitesh.

Ryan and Mitch, let's plan to discuss this during today's call to determine if and how we can deal with these issues.

Thanks,

Morgan
Morgan Maguire, CEO
Morgan Maguire completed this to-do.
Morgan Maguire, CEO
Morgan Maguire re-opened this to-do.
Morgan Maguire, CEO
Hi Jitesh,

Following up on our conversation last Thursday, please let us know when the low-risk items in the report above are resolved.

For the high- and medium-risk items, our understanding is that these items pose no risk of compromising the data stored on the SQL database (i.e., content and user data), and thus we will leave these items unresolved, but they will be addressed in the rebuilt platform.

Thanks,

Morgan 
Harsh Parikh, Tech Lead at DevIT
Hi Morgan,

We have already started work on this and currently the team is working on resolving the low-level issue.

We will update you once it is done.
Morgan Maguire, CEO
Great. Thanks Harsh.

Morgan 
Harsh Parikh, Tech Lead at DevIT
Hi Morgan,

We are working on this and have already resolved 3 Low-level issues, but we need to do some R&D for the issue "Absence of Anti-CSRF tokens".

We are trying to complete all low-level issues by the middle of next week.
Morgan Maguire, CEO
Ok. Thanks for the update Harsh.

Ryan and Mitch, let's discuss this this morning and see if we can offer assistance on the Anti-CSRF token issue.

Morgan
Morgan Maguire, CEO
Hi Harsh,

Ryan and Mitch are going to look into the Anti-CSRF token issue to determine whether the risk is material. In the meantime, please hold off on doing further R&D on the issues.

Thanks,

Morgan
Mitch Doyle, Industrial
Hi Morgan,

Essentially this attack could put the web forms on your site at risk of being forged. Someone could potentially spoof the login, for instance, and steal credentials.

Ryan and I think this is definitely worth fixing, but its priority should not be immediate. There are many articles describing it: https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.2

We suggest the team looks into a quick resolution to implement the fix site-wide, since the documentation is very widespread, if possible.

Mitch
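Added example (not the project's own code, not from the thread above): a site-wide anti-forgery setup for ASP.NET Core 2.2, the version the linked documentation covers, so that every state-changing request (including a login POST forged from another site) is rejected unless it carries a valid token. It assumes ISLG is an ASP.NET Core MVC application, which the page only suggests through that link; the controller and view names in the comments are illustrative.

```csharp
// Startup.cs (illustrative): anti-forgery validation applied once, site-wide,
// instead of decorating each POST action with [ValidateAntiForgeryToken].
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Harden the cookie that stores the anti-forgery token: not readable
        // by script, only sent over HTTPS, never attached to cross-site requests.
        services.AddAntiforgery(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
            // AJAX callers send the token in this header instead of a form field.
            options.HeaderName = "X-CSRF-TOKEN";
        });

        services.AddMvc(options =>
        {
            // Validate the token on every POST/PUT/PATCH/DELETE automatically;
            // GET/HEAD/OPTIONS/TRACE are exempt because they must not change state.
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
        })
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseHttpsRedirection();
        app.UseMvcWithDefaultRoute();
    }
}

// Views/Account/Login.cshtml (illustrative): the form tag helper emits the hidden
// __RequestVerificationToken field for you, so no per-form change is needed:
//
//   <form asp-controller="Account" asp-action="Login" method="post">
//       ...
//   </form>
//
// A forged form posted from another origin lacks the matching token/cookie pair
// and receives HTTP 400 before the action runs; a check for leftover raw
// <form method="post"> tags without the tag helper or @Html.AntiForgeryToken()
// is the only site-wide audit left after this change.
```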
Morgan Maguire, CEO
Hi Mitch,

Thanks for this.

Harsh, as Mitch suggested, let's get the issue resolved. If you need any help with the R&D, please let us know.
 
Morgan