This website uses cookies to ensure that our website is optimally usable. Cookie Policy
Only allow necessary cookies Accept Cookies

qrd°by

Pen Test

The goal of the penetration tests is to continuously evaluate the security level of the platform. As our platform evolves, an external company conducts regular controls, including:

  • Performing a penetration test with standard web testing tools and manual testing
  • Presentation of common web-based vulnerabilities
  • Assessment of the general safety status of the platform

All results will be documented in a final written report.

Since September 2021 we are part of the openbugbounty.org where you can report an vulnerabilities concerning our services.

logo openbugbounty.org
pentest

System Vulnerability Scanning

Automated non-invasive scans of the platform are performed using analysis software and all access and testings are logged. Scans are run using common software tools.

Web Vulnerability Scanning

Common attack patterns and vulnerabilities, including the Top 10 Application Security Risks of the Open Web Application Security Project, are being tested by non-invasive scanning methods.

Proof of Concept

In addition to the vulnerabilities found, the external company's security experts evaluate possible attack scenarios and provide noninvasive tests that allow us to assess the risks presented.

Reporting

During reporting, the weak points and concepts created are evaluated, classified and recommendations derived. These are prioritized by us and appropriate measures taken.

Mitigation from pen tests

Log4J vulnerability

The vulnerability CVE-2021-44228 in the Apache Log4j2 2.0-beta9 module (version 2.12.1, 2.13.0 - 2.15.0) reported on December 10, 2021 allows attackers to take over a compromised server.

This module is not used on our production servers, where all of our customers' data is stored. On our part, there is no risk of customer accounts being taken over or data being leaked via this vulnerability.

2021

Timeframe December

  • New function enables possibly compromised devices on which a user has logged in to log out via remote session
  • Updated JavaScript Libraries

Timeframe October

Timeframe September

  • Fixed various XSS bugs reported on open bug bounty
  • Ask for password when terminating an account

2020

Carried out in calendar week KW43

  • Password criteria have been tightened for white label customers. The password must consist of at least 8 characters, at least one uppercase and one lowercase letter and at least one number.
  • API adjustments: QR codes can only be created using the secret API key.
  • Fixed possible XSS attack on administrator accounts of white label customers.
  • Enumerate user names via the "forgot password" function is now prevented. Information is no longer issued as to whether the passed user name exists when a new password is requested.

Carried out in calendar week 21

  • Updated server stack with latest patches
  • Updated JavaScript Libraries

2019

Carried out in calendar week 36

  • Customizations for content security policy headers
  • Strict-Transport-Security is now set in the header
  • Switching to secure cookies has been done for the entire website
  • Flag for Samesite cookies are in the planning stage

Carried out in calendar week 26

  • The crossdomain.xml file has been removed. CORS declarations are no longer needed because all API accesses can be made via JSONP.
  • The content security policy header can now be set dynamically for specific pages.
  • A switch to secure cookies has been made for the entire website. For white label customers this is still in planning.
  • The autocomplete="off" attribute has been added to the login pages.
  • Updated JavaScript Libraries

You might be interested in


Top