Uwazi.io Security Assessment

In 2021, Recurity Labs was contacted by Friedhelm Weinberg of the Geneva-based NGO HURIDOCS, an organization helping human rights groups to gather, organise and use information to create positive change in the world, who requested assistance with a security evaluation of their open-source tool Uwazi.io. In Swahili, Uwazi means “openness”. HURIDOCS designed Uwazi to make human rights information more open and accessible to defenders, who use this tool to share and store information, making the security of the software of paramount importance.

Recurity Labs agreed to assist HURIDOCS pro-bonoly, starting with a penetration test performed by Johan Rydberg Möller in June, 2021.

To facilitate the assessment, Recurity Labs was granted access to an environment with multiple tenants and users with different levels of access, as well as SSH access to the relevant server instances. Static analysis was performed on the provided Node.js source code, and further, automated and manual testing of the Web application has been executed. In addition, log analysis was conducted through SSH access to the server. Further attention was put on information leakage between tenants and user-levels, as well as the general security of the application according to OWASP Top Ten and SANS Top 25 Software Errors.

The tests were performed under optimal circumstances with testers having access not only to the source code but also to the full API documentation, direct SSH access to the servers, access to multiple user accounts, and a contact person at HURIDOCS, who was available to answer questions and provide assistance when- and wherever needed. Particularly helpful during testing was the availability of access to all log files on the backend server, which greatly aids during a security assessment as it makes it more efficient to hunt-down edge case bugs or errors that are not necessarily obvious when performing dynamic testing.

Generally, the application was found to already have a high-level of security, which did not come as a surprise since the application is an active and well maintained open-source project. However, some minor issues were discovered and reported to HURIDOCS. The full report was published by HURIDOCS and is available on their website.

The issues identified during the assessment included two instances of reflected Cross-Site Scripting (XSS), discovered by entering malicious payloads into arbitrarily named URL parameters. Such payloads would be rendered in the DOM and allowed for JavaScript (JS) execution. To mitigate this issue, it was recommended to disallow the echoing of user-controllable data into application responses, perform proper output encoding as well as to implement a Content Security Policy (CSP), which would disallow in-line JS to be executed.

Another minor issue resulted in the application leaking information about the Node.js server, such as which packages were running and their corresponding versions. While not a severe security issue, such information is helpful to attackers during discovery, as it provides information on the relevant packages and whether exploits are available for those versions.

Finally, the application was found to be prone to external service interaction on multiple API endpoints. While not necessarily a security issue, this is an indication that the application may be vulnerable to Server-Side Request Forgery (SSRF), and indeed in this case, it was possible to identify one such instance, though the setup of the server limited the potential impact of the vulnerability. Still, by abusing this vulnerability, it was possible to gather certain information regarding the backend server, such as which services were running and what ports were open on the loopback address (127.0.0.1), essentially making it possible to perform a portscan of the server from localhost. However, the vulnerable module did not allow for much further information to be extracted from the system, although more extensive testing may have yielded a higher impact.

Throughout the assessment and further, HURIDOCS have been very helpful and have promptly patched all issues reported to them. Recurity Labs want to thank HURIDOCS for the opportunity to assist in their endeavour, with the team looking forward to provide further support in the future!