[
https://issues.apache.org/jira/browse/FINERACT-969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17310459#comment-17310459
]
Joseph Makara edited comment on FINERACT-969 at 4/4/21, 6:48 AM:
-----------------------------------------------------------------
Hi, I have attached [^fineract-api-SQLi-scan.html]
This has 10 SQLi alerts that requires attention. The number of alerts might be
limited to the number of links manually opened in OWASP ZAP session scanned.
See the links I managed to open in this scan [^fineract-url-clicked.txt]
There is a list of items that has been fixed in PR
[https://github.com/apache/fineract/pull/1671/files] pending code review re
FINERACT-854
These 10 and any other detected can be fixed in sub-task if there is extra
pair(s) of hands? If we have suggestions for any other tool apart from OWASP
ZAP we can try those as well.
Identified classes requiring attention.
# ReadReportingServiceImpl.java FINERACT-1338
# SearchReadPlatformServiceImpl.java
# ReadSurveyServiceImpl.java
# XBRLResultServiceImpl.java
# ProvisioningCriteriaReadPlatformServiceImpl.java
# CashierTransactionDataValidator.java
# AuditReadPlatformServiceImpl.java
# GenericDataServiceImpl.java
# ExternalServicesReadPlatformServiceImpl.java
# ReadWriteNonCoreDataServiceImpl.java
# SmsReadPlatformServiceImpl.java
# ReportMailingJobReadPlatformServiceImpl.java
These ones to be fixed as sub-tasks of FINERACT-854 in separate pull requests
to maintain atomic changes and we can only close FINERACT-854 when these ones
are fixed.
was (Author: josemakara):
Hi, I have attached [^fineract-api-SQLi-scan.html]
This has 10 SQLi alerts that requires attention. The number of alerts might be
limited to the number of links manually opened in OWASP ZAP session scanned.
See the links I managed to open in this scan [^fineract-url-clicked.txt]
There is a list of items that has been fixed in PR
[https://github.com/apache/fineract/pull/1671/files] pending code review re
FINERACT-854
These 10 and any other detected can be fixed in sub-task if there is extra
pair(s) of hands? If we have suggestions for any other tool apart from OWASP
ZAP we can try those as well.
> Run OWASP zaproxy.org against Fineract (e.g. fineract.dev)
> ----------------------------------------------------------
>
> Key: FINERACT-969
> URL: https://issues.apache.org/jira/browse/FINERACT-969
> Project: Apache Fineract
> Issue Type: Improvement
> Components: Security
> Reporter: Michael Vorburger
> Priority: Major
> Attachments: fineract-api-SQLi-scan.html, fineract-url-clicked.txt,
> wuifineract.html, wuifineract2.html
>
>
> [~giorgio] in FINERACT-853 suggested to run
> [https://www.zaproxy.org|https://www.zaproxy.org] against Fineract.
> That sounds like a Great Idea - and may yield some interesting results and
> holes worth plugging.
> I this is easier to do against a public server instead of locally, then I
> hereby offer https://www.fineract.dev for this purpose. As its FAQ says,
> quote: _"Try to crash our demo - and if you manage, then work with us in the
> open source project to make the Fineract code more scaleable and reliable!"_
> :D
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
