Here are some comments on the 3 issues, and below you can see the PDFs he submitted:
- CSRF:
  - This was a typical example of a security control that was disabled during development and should have been re-enabled before shipping.
  - Fixed on latest build.
- ClickJacking:
  - Pretty good finding, and something that we hadn't looked at.
  - Fixed on latest build.
- Get Password Hash from Browser Memory:
  - This is an interesting one, since I (as a dev) don't think that it is a mitigatable issue :)
  - Basically, if the attacker controls the browser (or the computer) he will be able to capture the admin session.
  - Also, there are multiple places to get current/past user credentials (SessionID, password as it is being typed, multiple locations in memory where that value is stored).
  - There is also the issue of multiple browsers and the fact that each one will handle it differently.
  - Just for reference, at the moment the hash is already salted with the username value (we could try to make this unique per session, but that would not solve this issue).
  - I'm happy to change my mind, but at the moment I'm marking this as not-to-be-fixed :)
My plan is to document this better in the TeamMentor docs, where I will also add more info about TeamMentor's Security Architecture and its defences.
Here are the PDFs submitted by Dinesh: