The goal of the penetration tests is to continuously
evaluate the security level of the platform.
As our platform evolves, an external company
conducts regular controls, including:
Performing a penetration test with standard web testing tools and manual testing
Presentation of common web-based vulnerabilities
Assessment of the general safety status of the platform
All results will be documented in a final written report.
Since September 2021 we are part of the
you can report an vulnerabilities concerning our services.
System Vulnerability Scanning
Automated non-invasive scans of the platform are performed using
analysis software and all access and testings are logged.
Scans are run using common software tools.
Web Vulnerability Scanning
Common attack patterns and vulnerabilities, including the Top 10
Application Security Risks of the
Open Web Application Security Project,
are being tested by non-invasive scanning methods.
Proof of Concept
In addition to the vulnerabilities found, the external company's
security experts evaluate possible attack scenarios and
provide noninvasive tests that allow us to assess the risks presented.
During reporting, the weak points and concepts created are evaluated,
classified and recommendations derived. These are prioritized by
us and appropriate measures taken.
Mitigation from the last pen tests
Fixed various XSS bugs reported on
open bug bounty
Carried out in calendar week KW43
Password criteria have been tightened for white label customers.
The password must consist of at least 8 characters, at least one uppercase and one lowercase letter and at least one number.
API adjustments: QR codes can only be created using the secret API key.
Fixed possible XSS attack on administrator accounts of white label customers.
Enumerate user names via the "forgot password" function is now prevented.
Information is no longer issued as to whether the passed user name exists when a new password is requested.
Carried out in calendar week 21
Updated server stack with latest patches
Carried out in calendar week 36
Customizations for content security policy headers
Strict-Transport-Security is now set in the header
Switching to secure cookies has been done for the entire website
Flag for Samesite cookies are in the planning stage
Carried out in calendar week 26
The crossdomain.xml file has been removed.
CORS declarations are no longer needed because all API accesses can be made via JSONP.
The content security policy header can now be set dynamically for specific pages.
A switch to secure cookies has been made for the entire website. For white label customers this is still in planning.
autocomplete="off" attribute has been added to the login pages.
You might be interested in