...
What did you accomplish this past week?
Created issues and PRs in the Android client and Mifos community app for the vulnerabilities found last week.
Tested endpoints for rate limiting issues.
Tested for XSS using custom payloads and brute force through Intruder.
Analyzed using nuclei and found some low severity issues.
Researched CodeQL queries and read writeups.
What will you do this upcoming week?
Test the web app (Fineract API) for parameter tampering issues.
Test for Cross Site Request Forgery security bugs.
Meet with mentor and discuss project progress.
Deploy SonarQube and analyze using it. Test the Fineract GitHub repository code to identify vulnerabilities and errors in the code.
What obstacles are impeding your progress?
None as of now
Would you like help from some mentor for this task?
No
Kerlyn
What did you accomplish this past week?
I continued the data validation tests by testing for command injection, and all my tests came out negative. So I plan to tackle it with another approach next week when testing for file inclusions.
I also did a test for sensitive data exposure and vulnerable components. I noticed the vulnerable TLS versions have been disabled, which is a good thing. However, I noticed a vulnerable component that I am presently trying to exploit.
I also performed a clickjacking test which came out positive.
I did an API scan/brute force on our Fineract domain and found endpoints. I am still investigating the endpoints which were discovered here.
Over the weekend I’ll update my notion documentation to capture the progress made so far.
What will you do this upcoming week?
I’ll round up the code review, which is still to test for sensitive data exposure.
I’ll have a weekly meeting with the mentor to discuss work done in the past week and what is to be done that week.
Test for unrestricted upload of files with dangerous types.
Test for server-side request forgery.
And of course, I’ll keep up the documentation.
What obstacles are impeding your progress?
None
Would you like help from some mentor for this task?
Not at the moment
...