The Octanox team asked Coinspect to audit Lesfex Cryptocurrency Exchange. Coinspect performed a black-box penetration test of the web application during one week in April 2018.
As a baseline for testing the OWASP Application Security Verification Standard 3.0 was used and the security verification level applied was ASVS Level 1. Additionally, manual and automated techniques were used to test the application, its infrastructure and business logic.
The full report is available for download here, and an executive summary of the issues, ordered by severity, can be found below:
Negative Withdrawal Amount Increments Balance: The application allowed users to make negative transfers and thereby increase the balance available to them for exchange operations. Octanox team fixed this issue.
Lack of Cross-Site Request Forgery Protections: No safeguard against Cross-Site Request Forgery attacks was implemented, so very sensitive actions (such as token transfers) were vulnerable to this type of attack. Octanox team fixed this issue.
Reflected Cross-Site Scripting: The application filtered most user input correctly, except for one particular variable that was found to be vulnerable. Octanox team fixed this issue.
Directory Browsing Enabled: Some non-critical paths were found to allow directory browsing of their files and folders. Octanox team fixed this issue.
Insecure Cookie Handling: Session cookies were not protected with the Secure attribute, which ensures they are only ever transmitted over an encrypted channel. Octanox team fixed this issue.
No OOB/2FA Confirmation Required to Perform Withdrawals: Coinspect recommends implementing Out-of-Band (email, SMS, etc.) or 2-Factor Authentication to confirm sensitive actions such as fund transfers.
TLS 1.0 is Insecure: Although it is common practice to support TLS version 1.0, it is vulnerable to several well-known attacks.
Weak Password Policy: A weak or non-existent password policy was used for account passwords. Octanox team fixed this issue.
Change Password Does Not Terminate Sessions: Upon changing the password, a user should be prompted to terminate all other existing sessions. This is the only way a user can log off an attacker who obtained the user's previous password and prevent the attacker from maintaining access. Octanox team fixed this issue.
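To illustrate the first finding (negative withdrawal amounts increasing the balance), here is an added example, not code from the Lesfex exchange or the report: a constructed "before" handler that trusts the client-supplied amount, beside a hardened version that validates the amount server-side before touching the ledger. The ledger, the 8-decimal precision and the per-request cap are assumptions for the demo.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample ledger: balances held as Decimal, never float.
BALANCES = {"alice": Decimal("10.00000000")}
MAX_DECIMALS = Decimal("0.00000001")      # 8 places (assumed precision)
MAX_AMOUNT = Decimal("1000000")           # per-request cap (assumed policy)

class InvalidAmount(ValueError):
    pass

class InsufficientFunds(ValueError):
    pass

def withdraw_vulnerable(balances, user, amount):
    """'Before' handler, constructed to mirror the finding: the amount is
    used as sent. A negative value passes the funds check (no balance is
    below a negative number) and the debit actually credits the account."""
    amt = Decimal(str(amount))
    if balances[user] < amt:
        raise InsufficientFunds(user)
    balances[user] -= amt
    return balances[user]

def parse_amount(raw):
    """Server-side validation of a client-supplied amount."""
    try:
        amt = Decimal(str(raw))
    except InvalidOperation:
        raise InvalidAmount("not a number")
    if not amt.is_finite():                # rejects NaN, sNaN, Infinity
        raise InvalidAmount("not finite")
    if amt <= 0:                           # the negative-withdrawal case
        raise InvalidAmount("must be positive")
    if amt > MAX_AMOUNT:                   # checked before quantize()
        raise InvalidAmount("exceeds per-request cap")
    if amt != amt.quantize(MAX_DECIMALS):  # no sub-unit dust
        raise InvalidAmount("too many decimal places")
    return amt

def withdraw_hardened(balances, user, amount):
    """'After' handler: validate, then check funds, then debit."""
    amt = parse_amount(amount)
    if balances[user] < amt:
        raise InsufficientFunds(user)
    balances[user] -= amt
    return balances[user]

def is_rejected(raw):
    """True if parse_amount refuses the value."""
    try:
        parse_amount(raw)
    except InvalidAmount:
        return True
    return False
```

The same positive-amount and precision checks belong on every balance-changing endpoint (trades, internal transfers), not only on withdrawals.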