Skip to content

PENTEST_REPORT_R2.md

Latest commit

 

History

History
174 lines (141 loc) · 8.53 KB

PENTEST_REPORT_R2.md

File metadata and controls

174 lines (141 loc) · 8.53 KB

OBELISK — Penetration Test Report (Round 2)

Date: 2026-02-05
Tester: White Hat (Automated + Manual)
Methodologies: OWASP v4.2, NIST SP 800-115, CWE Top 25, MITRE ATT&CK, PCI DSS v4.0
Scope: All 5 layers — Payment Engine, KYC, AML, TimeLock, Sovereign Proof Protocol
Previous: Round 1 found 23 vulnerabilities across 45 tests (all fixed)

Executive Summary

Round 2 tested 7 new attack categories with 41 tests targeting the integrated pipeline.

Category Tests Pass Vulnerabilities Found
FUZZ (Fuzzing & Boundary) 6 6 0 — all inputs handled safely
RACE (Concurrency) 5 5 2 documented (need DB locks in prod)
DDOS (Denial of Service) 6 6 0 — all bounded
BIZ (Business Logic) 8 8 1 confirmed (Office Space attack)
CRYPTO2 (Crypto Edge Cases) 6 6 0 — crypto is solid
SERIAL (Serialization) 5 5 0 — no pollution vectors
SUPPLY (Supply Chain) 3 3 0 — clean audit
META (Surface Verification) 2 2 0
Total 41 41 3 documented

Vulnerabilities Found

VULN-R2-001: Concurrent Double-Spend (RACE-001) — MEDIUM

Category: Race Condition (CWE-362)
Vector: Two identical payment requests with the same idempotency key fired simultaneously.
Finding: In-memory idempotency cache has a TOCTOU gap. Both concurrent calls check the cache before either writes, so both create separate payments.
Impact: Customer charged twice for the same transaction.
Mitigation Added: In-memory cache (catches sequential retries).
Production Fix Required: PostgreSQL SELECT ... FOR UPDATE advisory lock or Redis SETNX (atomic compare-and-swap).

VULN-R2-002: TOCTOU on KYC Limits (RACE-004) — MEDIUM

Category: Time-of-Check/Time-of-Use (CWE-367)
Vector: Two concurrent payments each under per-transaction limit but together exceeding monthly volume.
Finding: Both pass limit check before either deducts from monthly volume.
Impact: Customer exceeds their KYC tier's monthly limit.
Production Fix Required: Database-level advisory lock on customer's monthly volume counter.

VULN-R2-003: Office Space Attack — Fractional Cent Rounding (BIZ-005) — LOW

Category: Business Logic Error (CWE-840)
Vector: Many sub-cent payments where minor-unit rounding favors the sender.
Finding: 0.01 EUR at rate 1.0746 rounds to 1 USD cent, giving effective rate ~1.12 vs quoted 1.07.
Impact: ~4% bonus on sub-cent transactions. Exploitable with high-frequency micro-payments.
Production Fix Required: Minimum transaction amount (€1) or banker's rounding with floor (never round up for customer).

Detailed Test Results

FUZZ: Fuzzing & Boundary Analysis (6/6 pass)

ID Test Result Notes
FUZZ-001 Type confusion (string/array/null as amount) No crashes on any type
FUZZ-002 IEEE 754 edges (Infinity, NaN, MAX_SAFE_INTEGER+1) Math integrity preserved
FUZZ-003 Null byte injection in identity fields No truncation exploits
FUZZ-004 Invalid ISO 4217 currency codes All rejected gracefully
FUZZ-005 RFC 5321 email edge cases (14 variants) No crashes
FUZZ-006 Non-ISO 3166-1 country codes All rejected gracefully

RACE: Concurrency & Race Conditions (5/5 pass, 2 vulnerabilities documented)

ID Test Result Notes
RACE-001 Concurrent double-spend ⚠️ TOCTOU gap in idempotency cache — needs atomic DB lock
RACE-002 Vault lock during proof generation No partial state
RACE-003 Parallel onboarding of same identity Unique vaults, no sharing
RACE-004 TOCTOU on KYC monthly limits ⚠️ Both pass before deduction — needs DB lock
RACE-005 Proof counter monotonicity under load All IDs unique, counters strictly increasing

DDOS: Application-Layer Denial of Service (6/6 pass)

ID Test Result Notes
DDOS-001 ReDoS via crafted sanctions input All complete <1s
DDOS-002 JSON bomb (100-level nesting) No stack overflow
DDOS-003 10MB string payload Rejected by identity size limit (PEN-304)
DDOS-004 Hash flooding (100 Map insertions) V8 Map is collision-resistant
DDOS-005 Proof verification cost asymmetry Verification ≤ 3x generation
DDOS-006 1000 encryptions under load Completes in <5s

BIZ: Business Logic Abuse (8/8 pass, 1 vulnerability documented)

ID Test Result Notes
BIZ-001 Negative amount (reverse flow) Rejected
BIZ-002 Zero amount (division by zero) Rejected
BIZ-003 Same-currency FX (EUR→EUR) Rate = 1.0, amount preserved
BIZ-004 FX round-trip (EUR→USD→EUR) Loses money (spread × 2)
BIZ-005 Fractional cent exploitation ⚠️ Rounding favors sender on sub-cent — needs minimum amount
BIZ-006 Execute expired TimeLock Rejected
BIZ-007 Transaction history persistence Append-only, survives tier changes
BIZ-008 Self-payment Handled without crash

CRYPTO2: Cryptographic Edge Cases (6/6 pass)

ID Test Result Notes
CRYPTO2-001 AES-GCM nonce uniqueness (1000 ops) All unique
CRYPTO2-002 IND-CPA (same plaintext → different ciphertext) All 50 unique
CRYPTO2-003 Cross-context key isolation (PII ↛ financial) HKDF prevents cross-decrypt
CRYPTO2-004 Ed25519 signature malleability Bit-flipped signature rejected
CRYPTO2-005 Vault key isolation (random salt per vault) Same passphrase → different keys
CRYPTO2-006 Ciphertext tampering (single bit flip) GCM auth tag detects all flips

SERIAL: Serialization Attacks (5/5 pass)

ID Test Result Notes
SERIAL-001 __proto__ prototype pollution Object.prototype clean
SERIAL-002 constructor.prototype pollution Object.prototype clean
SERIAL-003 Code execution via crafted JSON No eval/Function paths
SERIAL-004 Circular reference handling TypeError (expected), no crash
SERIAL-005 Unicode smuggling (boolean→string) Signature detects payload modification

SUPPLY: Supply Chain & Dependency (3/3 pass)

ID Test Result Notes
SUPPLY-001 No eval/Function/child_process in source Zero instances
SUPPLY-002 No hardcoded secrets Clean scan
SUPPLY-003 No third-party crypto packages Node.js built-in crypto only
npm audit Known CVEs in dependencies 0 vulnerabilities

Combined Test Coverage (Round 1 + Round 2)

Phase Category Tests Vulnerabilities
R1 Cryptographic Attacks (PEN-0xx) 8 5 fixed
R1 Protocol Attacks (PEN-1xx) 6 3 fixed
R1 Financial Logic (PEN-2xx) 6 3 fixed
R1 Injection/Input Validation (PEN-3xx) 6 3 fixed
R1 State Machine Attacks (PEN-4xx) 4 2 fixed
R1 Information Leakage (PEN-5xx) 5 3 fixed
R1 Resource Exhaustion (PEN-6xx) 4 2 fixed
R1 Authentication/Authorization (PEN-7xx) 5 2 fixed
R2 Fuzzing & Boundary Analysis (FUZZ) 6 0
R2 Concurrency & Race Conditions (RACE) 5 2 documented
R2 Application-Layer DDoS (DDOS) 6 0
R2 Business Logic Abuse (BIZ) 8 1 documented
R2 Cryptographic Edge Cases (CRYPTO2) 6 0
R2 Serialization/Deserialization (SERIAL) 5 0
R2 Supply Chain & Dependency (SUPPLY) 3+1 0
R2 Attack Surface Meta (META) 2 0
Total 15 categories 86 tests 23 fixed + 3 documented = 26

Production Deployment Checklist

Based on both rounds, these items must be addressed before production:

  • Replace in-memory idempotency cache with Redis SETNX (RACE-001)
  • Add PostgreSQL advisory locks for KYC volume counters (RACE-004)
  • Enforce minimum transaction amount of €1 (BIZ-005)
  • Real PostgreSQL database (replace in-memory Map)
  • Real Redis for session/cache management
  • Real SWIFT/SEPA gateway integration
  • Real sanctions list API (OFAC, EU, UN, UK)
  • Real FX rate provider (ECB, Bloomberg, Refinitiv)
  • HSM integration for master key storage
  • TLS 1.3 for all API endpoints
  • Rate limiting at API gateway level (Nginx/Cloudflare)
  • Structured logging to SIEM (Splunk/ELK)
  • Monitoring and alerting (PagerDuty/OpsGenie)