- Name - Yash Sancheti
- Email - yashsancheti24@gmail.com
- GitHub Profile - https://github.com/Onyx2406
- Name - Godfrey Kutumela
- Email - godfrey@mifos.org
- GitHub Profile - https://github.com/godfreykutumela
Mifos X and Apache Fineract are widely used by financial institutions of all sizes and types around the world. This project focuses on testing the security of the Mifos X platform. Under the guidance of Godfrey Kutumela, the 175-hour project will use both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) scanning. These comprehensive testing methods will scrutinize the platform's security layers, uncovering vulnerabilities and providing insights for improvement. The initiative will contribute to reinforcing the platform's defenses, ensuring that Mifos X remains a trusted option for its users, especially the businesses that rely on it for financial services.
I performed both SAST and DAST scanning of the Mifos web-app and Android client, which included both automated and manual testing. 95% of the vulnerabilities were found through manual testing, while automated testing helped in finding probable weak points that were then examined manually. I found many vulnerabilities ranging from low to critical severity, including account takeover, SQL injection, access control issues, CSRF, information disclosure, IDOR, missing rate limiting, business logic errors, vulnerable components, etc.
Integrated Burp Suite with the browser settings, enabled proxy functionality and configured Burp extensions. Bypassed SSL pinning with a Frida script to route the Android device's traffic through Burp Suite in order to test the self-service APIs used by Mifos Mobile.
Set up a remote desktop server to automate various tasks such as crawling the web-app and discovering hidden endpoints, parameters and content within the app. This approach saved time by automating several processes.
Performed deep analysis of code structure, logic and flow to identify potential weak points. Deployed CodeQL manually and analyzed the web-app, android-client and Fineract codebases using 400+ built-in and custom CodeQL queries, which significantly helped in finding weak functionalities that required in-depth manual security testing.
Researched disclosed CVEs in OpenMRS, LibreHealth and other open-source financial software with role-based features. Also reviewed disclosed reports on HackerOne and Bugcrowd to identify potential weak spots and vulnerability classes to focus on during testing.
I manually analyzed 400+ potential bugs of low to high severity in the Fineract and web-app codebases detected by CodeQL, which eventually led me to find 5 error-based SQL injection vulnerabilities. Decompiled the Mifos Mobile APK file and found API keys and other sensitive information.
Codebase auditing was done to make sure the permissions align with their respective functions and are not inconsistent. Some inconsistencies were found, as shown in the image below.
The focus was to identify and assess the usage of packages in the web-app that are under GPL/AGPL licenses, which are known to have implications for proprietary software. It is advised to replace these dependencies with alternatives under more permissive licenses.
I did manual as well as automated testing for OWASP Top 10 vulnerabilities, including XSS, SQL injection, IDOR, path traversal, broken access control, etc. Manually tested different user permissions/roles against different endpoints and analyzed API requests and responses. Used Nuclei, a fast, template-based vulnerability scanner, to scan different HTTP requests and found missing essential security headers.
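The missing-security-headers finding above is one that the Nuclei templates report; the following is an added example (not code from the project or from the original report) of the same check done by hand on one response's headers, so a defender can re-verify a fix without the scanner. The header list and the thresholds for "weak" values are this example's own assumptions.

```javascript
// Added example: audit one HTTP response's headers for essential security headers.
// Input: a plain object of header name -> value (e.g. from fetch's response.headers).
// Output: which essential headers are absent, and which are present but weakly set.

// Assumption: this is the set of "essential" headers the audit expects.
const ESSENTIAL_HEADERS = [
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
  "referrer-policy",
  "permissions-policy",
];

// Value checks for headers that are present but configured weakly (assumed thresholds).
const WEAK_VALUE_CHECKS = {
  // HSTS max-age under one year (31536000 s) is flagged as weak.
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return !m || Number(m[1]) < 31536000;
  },
  "x-content-type-options": (v) => v.trim().toLowerCase() !== "nosniff",
  "x-frame-options": (v) => !["deny", "sameorigin"].includes(v.trim().toLowerCase()),
  "content-security-policy": (v) => /unsafe-inline|unsafe-eval/i.test(v),
};

// Header names are case-insensitive, so normalize before lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

function auditSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const missing = [];
  const weak = [];
  for (const name of ESSENTIAL_HEADERS) {
    if (!(name in h)) missing.push(name);
    else if (WEAK_VALUE_CHECKS[name] && WEAK_VALUE_CHECKS[name](h[name])) weak.push(name);
  }
  return { missing, weak };
}

// Constructed sample resembling an unhardened API response (not captured from Mifos).
const SAMPLE_RESPONSE_HEADERS = {
  "Content-Type": "application/json",
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "ALLOWALL",
  "X-Content-Type-Options": "nosniff",
};
console.log(JSON.stringify(auditSecurityHeaders(SAMPLE_RESPONSE_HEADERS)));
```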
Used manual and automated methods as given in my proposal.
Trivy was used to scan the Docker image for vulnerabilities.
TruffleHog was used to automate GitHub dorking to find sensitive information such as API keys, passwords and endpoints.
Used Shodan for discovering disclosed CVEs in detected software versions.
Web Archive was used to extract all endpoint files for further examination, and LinkFinder was used to find hidden endpoints in JS files.
Built an IDOR testing workflow using the jq and ffuf open-source tools to automate the discovery of IDOR bugs.
Burp Suite extensions such as CSRF Scanner, CSP Bypasser, 403 Bypasser and XSS Validator helped during testing.
The daily check-ins and weekly catch-ups helped me stay on track with what we needed to achieve in the project.
- June 2 2023
- June 9 2023
- June 16 2023
- June 23 2023
- June 30 2023
- July 7 2023
- July 14 2023
- July 21 2023
- July 28 2023
- August 4 2023
- August 11 2023
- August 18 2023
Currently, the Proof of Concepts (POCs) for the vulnerabilities found are only accessible to my mentors and the organization members. Once they are patched, I will make the write-ups and POCs for them public so they can be directly accessed here.
- Cross-Site Request Forgery (CSRF)
- Error Based SQL Injection Vulnerability [1]
- Error Based SQL Injection Vulnerability [2]
- Error Based SQL Injection Vulnerability [3]
- Error Based SQL Injection Vulnerability [4]
- npm Audit Report on web-app
- Cross-Site Request Forgery
- Automating IDOR testing using Trickest workflow
- Unauthorized Modifications: Bypassing READ Permissions in Fineract APIs
- Role Escalation Vulnerability: Unauthorized Access to Super User Privileges
- Permission Audit Analysis in web-app codebase: Identifying Inconsistencies and Security Vulnerabilities in Permissions
- Creation of Multiple Users with the Same Email Address
- Vulnerable Software Version [1]
- Vulnerable Software Version [2]
- Unauthorized Access Vulnerability: Exposure of XYZ Details via API Endpoint with XYZ ID Bruteforcing in Fineract Provider [IDOR + Broken Access Control]
- Sensitive Information Disclosure Endpoints
- Security Flaw in Payment Type Deletion: Bypassing Restrictions in Organization Module
- Essential Security HTTP Headers missing (Analysis Using Nuclei)
- Modification of Super User Permissions without having any access [IDOR Vulnerability]
- Weak Algorithm is used to encrypt authorization header + Rate Limit issue
- External Service Interaction (HTTP & DNS) Vulnerability
- File Upload Vulnerability [Might lead to Hijacking user cookies through XSS]
- Dependencies using GPL/AGPL License
- Changing Resource ID through Response Manipulation [Absence of Input Validation]
- Query built by concatenation with a possibly-untrusted string (Potential SQL vulnerability) [Fineract Codebase]
- Account Takeover of Users via Response Tampering
- Bypassing Password Policy Authentication by Parameter Tampering
- Acunetix Vulnerability Research Report on MifosX Web-app
- Mifos Mobile apk decompilation analysis
- Docker Image Vulnerabilities
Even though my project is mainly about researching and testing for security issues, and not so much about writing code, I have worked on fixing some issues. I have some more PRs (Pull Requests) ready to fix issues detected by CodeQL, and I will add them here once they are approved.
- Fixed Inconsistency in Permission
- Refactored Logging: Transition from java.util.logging to SLF4J
- Fixes DOM text reinterpreted as HTML
- Ensures that the end date selected is always after the start date
- Fixes Incomplete URL substring sanitization
- Fixes Potentially unsafe external link
- Temporarily hide fund mapping till the feature is complete
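The "Incomplete URL substring sanitization" fix in the list above addresses a pattern CodeQL flags in JavaScript/TypeScript code; the following is an added example (not code from the web-app or from any of the PRs listed) showing the weak substring check beside a hardened hostname check. The allowlist hostname is a placeholder assumption, as are the sample URLs.

```javascript
// Added example: incomplete URL substring sanitization versus a parsed-hostname check.
// Assumption: the deployment's allowlist of trusted hosts (placeholder value).
const TRUSTED_HOSTS = ["trusted.example.org"];

// Weak check: a substring test accepts any URL that merely *contains* the host name,
// such as a look-alike domain, a query string that mentions it, or a plain-http URL.
// Kept only for contrast with the hardened version below.
function isTrustedUrlWeak(url) {
  return url.includes("trusted.example.org");
}

// Hardened check: parse the URL, require https, and compare the parsed hostname
// against the allowlist exactly or as a dot-bounded subdomain.
function isTrustedUrl(url) {
  let parsed;
  try {
    parsed = new URL(url); // relative URLs and non-URLs throw -> treated as untrusted
  } catch {
    return false;
  }
  if (parsed.protocol !== "https:") return false;
  const host = parsed.hostname.toLowerCase();
  return TRUSTED_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// Constructed inputs chosen to show where the two checks disagree.
const SAMPLE_URLS = [
  "https://trusted.example.org/dashboard",
  "https://api.trusted.example.org/v1",
  "https://trusted.example.org.attacker.test/login",
  "https://attacker.test/?next=https://trusted.example.org",
  "http://trusted.example.org/",
  "/relative/path?ref=trusted.example.org",
];

// Returns one {url, weak, hardened} row per sample so the difference is visible.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({ url, weak: isTrustedUrlWeak(url), hardened: isTrustedUrl(url) }));
}

for (const row of compareChecks()) console.log(row);
```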
During my GSoC project, I was assigned two CVEs for the reported critical vulnerabilities:
- CVE-2024-23537
- CVE-2024-23539
You can find more details about these CVEs in the Apache Fineract Security Report.
- Collaborate with developers in Mifos and Fineract (Apache) community and create patches for the found vulnerabilities.
- I will create some more PRs in Fineract and the web-app fixing bugs detected by CodeQL scanning, and add them here once they are approved.
- Keep testing the web-app and mifos mobile app when new features are added.
The GSoC project has been a big boost to my technical skills. I got hands-on experience with security and also improved my coding skills. This experience has broadened my skill set, making me proficient in both cybersecurity and software development.
Frequent meetings with my mentor and the team made me better at discussing complex tech issues. It also showed me the importance of good teamwork and taking feedback seriously.
Handling Mifos X's large codebase was a valuable learning experience. It taught me how to manage multiple tasks efficiently in a big project.
Teaming up with highly skilled peers was both challenging and rewarding. This helped me learn a lot and also expanded my network in the tech field.
Working with the Mifos Organisation has been a remarkable journey. I'm deeply grateful to my mentor Godfrey Kutumela for his unwavering encouragement, support, and insights. His guidance has helped me a lot and boosted my confidence. My appreciation also goes to the GSoC team at Google, who made it possible for me to collaborate with this incredible organization. Special thanks to the Mifos Initiative for providing me with this opportunity, and to Ed Cable, whose assistance has been invaluable throughout the entire GSoC period.
If you want to know more about the project, feel free to contact me here: