The Octanox team asked Coinspect to audit Lesfex Cryptocurrency Exchange. Coinspect performed a black-box penetration test of the web application during one week in April 2018.
As a baseline for testing the OWASP Application Security Verification Standard 3.0 was used and the security verification level applied was ASVS Level 1. Additionally, manual and automated techniques were used to test the application, its infrastructure and business logic.
The full report is available for download here, and an executive summary of the issues, ordered by severity, can be found below:
Critical Risk
Negative Withdrawal Amount Increments Balance The application allows users to make negative transfers and increase the balance available to them for exchange operations. Octanox team fixed this issue
High Risk
Lack of Cross-Site Request Forgery Protections No safeguard against Cross-site request forgery attacks was implemented, so very sensitive actions (such as token transfers) were vulnerable to this type of attack. Octanox team fixed this issue.
Medium Risk
Reflected Cross-site Scripting The application was filtering most of the user input correctly except for one particular variable that was found to be vulnerable. Octanox team fixed this issue.
Directory Browsing Enabled Some non-critical paths were found to allow Directory Browsing of its files and folders. Octanox team fixed this issue.
Insecure Cookie Handling Session cookies were not protected using the Secure attribute to ensure they are always transmitted over an encrypted channel. Octanox team fixed this issue.
No OOB/2FA Confirmation Required to Perform Withdrawals Coinspect recommends implementing Out-of-Band (email, SMS, etc) or 2-Factor Authentication to confirm sensitive actions such as fund transfers.
Low Risk
TLS 1.0 is Insecure Although it is common practice to support TLS version 1.0, it is vulnerable to several well-known attacks.
Weak Password Policy A weak or non-existent password policy was used for account passwords. Octanox team fixed this issue.
Change Password Does Not Terminate Sessions Upon changing the password a user should be prompted to terminate all other existing sessions. This is the only way a user may log-off an attacker that obtained the user’s previous password and prevent the attacker from maintaining access. Octanox team fixed this issue.
No Subresource Integrity for Third-Party Scripts Most of the JavaScript code used by the application is loaded from third-party sites, the use of Subresource Integrity is recommended. Octanox team partially fixed this issue by implementing Subresource Integrity checks for most of the third-party scripts.
