Web Application Testing Project

Internship report submitted in fulfillment of the requirements for the Degree of

Bachelor’s of Technology

In

COMPUTER SCIENCE

By

Yash Sancheti

9920103074

Department of Computer Science and Engineering and Information Technology

JAYPEE INSTITUTE OF INFORMATION TECHNOLOGY (Declared Deemed to be
University U/S 3 of UGC Act)A -10, Sector 62,NOIDA INDIA

AUGUST,2023
 DECLARATION

I hereby declare that this submission is my own work and that, to the best of my knowledge and
beliefs, it contains no material previously published or written by another person nor material
which has been accepted for the award of any other degree or diploma from a university or other
institute of higher learning, except where due acknowledgment has been made in the text.

Place: NOIDA

Date: 11 August, 2023

Name: Yash Sancheti

Enrollment: 9920103074
CERTIFICATE
 TABLE OF CONTENTS

Declaration 2

Certificate 3

Abstract 4
 ABOUT COMPANY

Mifos Initiative

Company: Mifos Initiative

About: Mifos X is an extended platform developed by the Mifos Initiative, a global non-profit
technology initiative. It's designed to support financial services to the poor and unbanked populations
worldwide.

Mission: The Mifos Initiative aims to create financial solutions that are open, accessible, and
scalable. By offering tools and support, they hope to empower organizations to deliver responsible
financial services.

Products/Services: Mifos X serves as a core banking system with a wide range of features, including
client management, loan and savings tracking, reporting, and more.

Impact: With users across the globe, Mifos X has a significant impact on financial inclusion,
enabling many financial institutions to manage their services more effectively.
 ABSTRACT

In today's world, many people use online services to manage their money. This means that web

applications, especially in the financial sector, have become very important. The Mifos X platform

and Apache Fineract are two such services that many financial institutions use. This project was

about checking these platforms' codebase to find and fix any code errors in them.

The main goal of the project was to look into the code of these platforms and find any errors or

issues. The project was broken down into three main parts:

1. Setting Up the Tools: Before starting, certain tools and software were set up. One tool, called

Burp Suite, helped with testing the web application. There was also a remote desktop server

set up to automate some tasks.

2. Checking the Code: This part was all about looking at the code of the platforms. Using a

tool called CodeQL and also checking manually, many errors and problems were found.

Some other web applications were also looked at to understand common mistakes.

3. Testing the Web Application: This was the final step. Here, the web application was tested

in many ways. This included checking how users log in, looking at software versions, and

even inspecting parts of the website's code.

The project didn't just find problems; it also helped fix them. Many solutions were suggested, and

changes were made to the code to make the platforms better. The project also allowed for learning

about many tools and techniques used in web application testing.

In the end, this project helped make the Mifos X platform and Apache Fineract better and more

reliable. It shows the importance of regularly checking and testing web applications to make sure

they work well and without issues.

 INTRODUCTION

Web applications are like online tools that we use every day. They help us do things like shopping,

banking, or even chatting with friends. Just like a car needs to be checked and fixed sometimes, web

applications need to be tested to make sure they're working right.

Imagine going to a bank's website to check your account, and it doesn't work. That would be

frustrating! This is why it's so important that web applications are tested and fixed if something's

wrong.

This project was all about looking at two specific web applications, the Mifos X platform and

Apache Fineract. These are used by banks and other financial places to help them manage money and

accounts.

The project had a few main goals:

1. Find errors in codebase: This means looking at the code (the instructions that make the web

application work) and finding any mistakes or problems.

2. Test How It Works: This includes trying out different parts of the web application to see if

everything is working as it should.

3. Fix What's Wrong: If something's found that's not working right, the project aims to fix it.

This is like a mechanic fixing a broken part on a car.

The project was not just about finding and fixing errors. It was also a chance to learn new skills and

use special tools that help with testing web applications.

Why does all of this matter? Well, when web applications work well, people can trust and rely on

them. It's like knowing your car will start in the morning when you need to go to work. If people can

trust web applications, they will use them more, and that's good for everyone.
 PROBLEM STATEMENT

In the fast-paced world of online banking and financial management, the reliability and efficiency of

web applications are vital. The Mifos X platform and Apache Fineract are widely used tools that help

financial institutions manage their operations. But like any complex system, they can have errors,

bugs, or other issues hidden in their code.

The main problems this project aimed to address were:

1. Identifying Errors: Is the code for these platforms free from mistakes? Are there any hidden

problems that might cause something to go wrong?

2. Testing Functionality: Do all parts of these web applications work as they should? Can users

do everything they need to without running into problems?

3. Fixing Issues: If something's wrong, how can it be fixed? What's the best way to make sure

the platforms are working at their best?

4. Ongoing Improvement: How can these platforms be checked and tested regularly? What

can be done to make sure they keep working well in the future?

These problems are important not just for the Mifos X platform and Apache Fineract, but for anyone

who uses them. If something goes wrong, it can affect many people and businesses. This project

aimed to find and fix these problems, making sure these important tools are trustworthy and

dependable.
 TECH STACK
In this project, a particular focus was placed on analyzing the codebase to detect errors. To achieve
this, a specialized tool called CodeQL was employed. Here's a detailed look at CodeQL and its role
in the project:

CodeQL

● What It Is: CodeQL is a powerful code analysis engine developed by GitHub. It's designed
to explore the code of a program and create a database that can be queried to find bugs,
errors, and vulnerabilities.

● Language Support: CodeQL supports various programming languages, including but not
limited to Java, C++, C#, Python, and JavaScript. This makes it versatile and suitable for
analyzing different parts of a complex codebase.

● Query Language: One of CodeQL's standout features is its query language, which allows
developers to write queries to explore the code. These queries can be customized to find
specific types of errors or issues.

● How It Was Used in the Project:

○ Static Analysis: CodeQL was used to perform Static Application Security Testing
(SAST) on the codebase. This means it looked at the code without actually running it
to find potential problems.
○ Custom Queries: In addition to the built-in queries, custom queries were created to
target specific concerns relevant to the project. This allowed for a more tailored
approach to finding issues.
○ Integration with Development Workflow: CodeQL was integrated into the
development environment, allowing for continuous scanning and analysis. This
helped keep the code quality high throughout the project.
○ Finding and Fixing Vulnerabilities: CodeQL was instrumental in discovering
vulnerabilities ranging from minor to critical. It helped not only in identifying issues
but also in guiding the process of fixing them, leading to more robust and secure
code.
○ Collaboration with Other Tools: CodeQL was used in conjunction with other tools
in the tech stack, creating a comprehensive analysis framework. Its findings were
often the starting point for further manual testing and validation.
 Manual Deployment of CodeQL

Introduction

Code Quality Query Language (CodeQL) is a robust tool employed by developers to investigate
source code for vulnerabilities and bugs. The process of deploying CodeQL manually into a system
involves several stages, each fulfilling a specific purpose. The following section delves into these
stages, providing a detailed explanation of the commands and processes involved.

Creating a CodeQL Database for JavaScript Codebase

Command:

codeql database create js-database --language=javascript --source-root

/home/yash/web-app

Detailed Explanation:

● Purpose: The primary purpose of this command is to set up a new database that CodeQL can
use to analyze JavaScript code.
● Command Breakdown:
○ codeql database create: This part of the command instructs CodeQL to
create a new database.
○ js-database: This is the name given to the new database.
○ --language=javascript: Specifies that the database is for JavaScript code.
○ --source-root /home/yash/web-app: Defines the root directory of the
source code to be analyzed.
● Outcome: As a result, a new CodeQL database is created, allowing subsequent commands to
perform analyses on the specified JavaScript codebase.
Analyzing the Codebase with CodeQL's Built-in Queries

Command:

codeql database analyze js-database

/home/yash/Downloads/codeql1/codeql/javascript/ql/src/codeql-suites/java
script-lgtm-full.qls --format=sarif-latest --output=results.sarif

Detailed Explanation:

● Purpose: This command's goal is to analyze the previously created js-database using
specific queries tailored for JavaScript.
● Command Breakdown:
○ codeql database analyze: Initiates the analysis process on a specified
database.
○ js-database: Refers to the database to be analyzed.
○ --format=sarif-latest: Specifies the output format as the latest version of
SARIF.
○ --output=results.sarif: Defines the output file to store the results.
● Outcome: The command produces a detailed analysis report in SARIF format, encapsulating
the findings and insights derived from the examination.
Encoding the Results

Command:

encoded_data=$(gzip -c results3.sarif | base64 -w0)

Detailed Explanation:

● Purpose: This command compresses and encodes the SARIF results file, preparing it for
transmission or storage.
● Command Breakdown:
○ gzip -c results3.sarif: Compresses the results3.sarif file using the
gzip compression algorithm.
○ base64 -w0: Encodes the compressed data in base64 format without line
wrapping.
○ encoded_data=$(...): Stores the encoded data in a variable named
encoded_data.
● Outcome: The command yields a base64 encoded representation of the compressed SARIF
results, ready for further manipulation or transmission.
● Relevance to Project: Encoding the results ensures integrity and enables secure handling,
whether it's for storage or sharing with external systems.

Creating a JSON Payload

Command:

echo
"{\\"commit_sha\\":\\"ae2a4f5aae3a43c6747209a5c06abbf7ffd5c753\\",\\"ref
\\":\\"refs/heads/main\\",\\"sarif\\":\\"$encoded_data\\",\\"started_at\
\":\\"$(date -u -Iseconds)\\",\\"tool_name\\":\\"codeQL\\"}" >
encoded-file.json

Detailed Explanation:

● Purpose: This command constructs a JSON payload containing various details, including the
encoded SARIF data.
● Command Breakdown:
○ echo: Prints the following string to the standard output.
○ "{\\"commit_sha\\":...\\"codeQL\\"}": The JSON payload string,
containing information such as commit SHA, reference, encoded SARIF data,
timestamp, and tool name.
○ > encoded-file.json: Redirects the printed string into a file named
encoded-file.json.
● Outcome: The command creates a JSON file containing the specified payload, ready for
further use.
Sending the Results to GitHub

Command:

curl -L -X POST -H "Accept: application/vnd.github+json" -H

"Authorization: Bearer YOUR_TOKEN_HERE" -H "X-GitHub-Api-Version:
2022-11-28"
<https://api.github.com/repos/onyx243/fin/code-scanning/sarifs> -d
@encoded-file.json

Detailed Explanation:

● Purpose: This command sends the JSON payload to GitHub's code scanning API, allowing
the results to be processed and reviewed on GitHub.
● Command Breakdown:
○ curl: A command-line tool used for transferring data with URLs.
○ -L: Follows redirects.
○ -X POST: Specifies the request method as POST.
○ -H: Adds headers for content type, authorization, and API version.
○ -d @encoded-file.json: Includes the data from the encoded-file.json
file in the request body.
● Outcome: The command transmits the encoded analysis results to GitHub, where they can be
accessed, reviewed, and acted upon.
● Relevance to Project: Sending the results to GitHub enables seamless integration with
existing workflows, fostering collaboration and continuous improvement.
Certain PR’s were created to fix issues detected by CodeQL:

PR#1: Correct Permissions for Create and View Standing Instructions Actions PR#1

Issue

In the existing system, there was a misalignment between the permissions assigned to 'Create' and
'View Standing Instructions' actions. Specifically, the permissions for READ and CREATE
operations were swapped, leading to potential security and functional inconsistencies.

Solution

The pull request corrected the permissions by swapping the READ and CREATE operations to their
correct functionalities. The code snippet below highlights the changes made:

<button mat-menu-item (click)="doAction('Create Standing Instructions')"

*mifosxHasPermission="'READ_STANDINGINSTRUCTION'">Create Standing
Instructions</button>
<span *ngIf="clientViewData.status.value!='Transfer on hold'">
<button mat-menu-item (click)="doAction('View Standing Instructions')"
*mifosxHasPermission="'CREATE_STANDINGINSTRUCTION'">View Standing
Instructions</button>
</span>

By ensuring that the permissions align with the respective actions, this change enhances both the
security and the integrity of the application's standing instructions functionality.
PR#2: FINERACT-1724 Refactor Logging: Transition from java.util.logging to SLF4J
PR#2

Issue

The existing codebase was using java.util.logging for logging activities, which is less
flexible and outdated compared to modern logging frameworks like SLF4J.

Solution

The pull request refactored the logging system to transition from java.util.logging to Simple
Logging Facade for Java (SLF4J). This was achieved by changing the import statements and
modifying the logging method calls to be compatible with SLF4J. Here's an example of the changes:

Before:

LOG.log(Level.WARNING, "Expected " + JSON_MESSAGE_ID + " or " +

JSON_ERROR + " found: " + responseBody);

After:

LOG.warn("Expected {} or {} found: {}",

JSON_MESSAGELOG.log(Level.WARNING, "Expected " + JSON_MESSAGE_ID + " or
" + JSON_ERROR + " found: " + responseBody);

This change modernizes the logging infrastructure, providing more flexibility and configurability,
and aligns with best practices in software development.
PR#3: Fixes DOM text reinterpreted as HTML vulnerability detected by CodeQL #3527
PR#3

Issue

The existing code in the XBRL Report Controller was constructing an HTML table by concatenating
strings. This approach risked exposing the application to injection attacks if inputId or
$(this).text() were controlled by a user and contained a malicious script. An attacker could
potentially inject malicious code that would be executed as a script, leading to various security risks.

Solution

The pull request addressed this vulnerability by creating jQuery objects for each HTML element and
setting their attributes and text content separately. This ensures that no untrusted string can be
interpreted as HTML, treating potentially malicious content as plain text instead of executing it as a
script. The changes included creating a table and rows using jQuery and appending them
appropriately. Here's a snippet of the changes:

Before:

var html = "<table width='100%'

border='1'><tr><th>Title</th><th>Dimension</th><th>Value</th></tr>";
html += '<tr>';
html += '<td>' + this.tagName + '</td>';
html += '<td>' + context + '</td>';
html += '<td><input type="text" class="report" id="' + inputId + '"
value="' + $(this).text() + '" ></td>';
html += '</tr>';
$("#xbrlreport").html(html);

After:
var table = $("<table width='100%' border='1'></table>");
var row = $("<tr></tr>");
row.append('<td>' + this.tagName + '</td>');
row.append('<td>' + context + '</td>');
var input = $('<td><input type="text" class="report"></td>');
input.find('input').attr('id', inputId).val($(this).text());
row.append(input);
table.append(row);
$("#xbrlreport").empty().append(table);

By separating the creation of HTML elements from their content, the code ensures that even if
inputId or $(this).text() are controlled by a user and contain malicious script, they will
not be executed, enhancing the security of the application.
PR#4: changed min="minDate" to min="first.date" #3529 PR#4

Issue

In certain parts of the application, the constraint on the end date was not ensuring that the end
date selected is always after the start date. This could lead to incorrect date selections and
potentially cause logical errors in the application.

Solution

This pull request rectifies this issue by changing the min attribute value from minDate to the
correct reference to the start date. The changes were made in two different files:

File: app/views/loans/viewloanaccountdetails.html

Before:

<input id="endDate" name="endDate" sort type="text" datepicker-pop="dd

MMMM yyyy" ng-model="formData.endDate"
class="form-control" is-open="opened" min="minDate" required />

After:

<input id="endDate" name="endDate" sort type="text" datepicker-pop="dd

MMMM yyyy" ng-model="formData.endDate"
class="form-control" is-open="opened" min="first.date" required
/>

These changes ensure that the minimum allowed value for the end date corresponds to the selected
start date, thus enforcing that the end date is always after the start date.
Impact

By making this change, the application now enforces logical constraints on date selection in the
affected views, preventing users from accidentally selecting end dates that precede start dates. This
helps maintain data integrity and ensures that date-related logic in the application behaves as
expected.
PR#5: Fixes Incomplete URL substring sanitization vulnerability detected by CodeQL #3521
PR#5

Issue

The codebase contained a vulnerability related to the sanitization of URL substrings. The
vulnerability was due to an improper check on the host value of URLs, and the code was susceptible
to URL spoofing attacks.

Solution

This pull request addresses the vulnerability by parsing the URL and performing a precise check on
its host value. The key changes made in the code include:

1. Parsing the Hostname: The code now splits the hostname and extracts the last two parts to
ensure that the check handles arbitrary subdomain sequences correctly.
2. Exact Match Check: Instead of using indexOf, which could lead to false positives, the code
now uses an exact match to check if the hostname is 'mifos.io'.
3. Subdomain Check: The statement domains.slice(-2).join('.') ===
'mifos.io' checks if the last two parts of the hostname are 'mifos.io'.
4. EndsWith Method: The code also uses the endsWith method to check if the hostname
ends with 'mifos.io', adding an extra layer of verification.

The changes were made in the following file:

File: app/scripts/initialTasks.js

// Before
if (mainLink.hostname.indexOf('mifos.io') >= 0) { ... }
// After
var lastTwoParts = mainLink.hostname.split('.').slice(-2).join('.');
if (lastTwoParts === 'mifos.io') { ... }

Impact

These changes significantly improve the security of the code by ensuring that URL substrings are
sanitized correctly. By using precise checks on the host value, the code is no longer vulnerable to
URL spoofing attacks related to the original code's handling of subdomains. This enhances the
overall integrity of the application and reduces potential attack vectors.
PR#6: Fixes Potentially unsafe external link detected by CodeQL #3525 PR#6

Issue

The codebase was found to contain potentially unsafe external links. External links that open in a
new browsing context without proper attributes can expose the application to certain security risks,
such as the exploitation of the window.opener API.

Solution

This pull request resolves the issue by adding specific attributes to all external links within the code.
The changes include:

1. Adding Attributes: The rel="noopener noreferrer" attribute is added to external

links. This ensures that when an external link is clicked, the new page runs in a separate
process and does not have access to the window.opener property of the originating page.
2. Files Affected: A total of 20 files were changed, with 39 additions and 39 deletions,
reflecting the consistent application of the fix across the codebase.

Here's an illustrative example of the change:

<!-- Before -->

<a href="https://example.com" target="_blank">External Link</a>

<!-- After -->

<a href="https://example.com" target="_blank" rel="noopener
noreferrer">External Link</a>

Impact

The changes in this pull request enhance the security of the application by preventing potential
exploitation of the window.opener API. By adding the rel="noopener noreferrer"
attribute to external links, the code ensures that external pages cannot manipulate the originating
page, thus mitigating a known security risk.

This pull request reflects a best practice in web development and demonstrates a commitment to
maintaining a secure codebase.
PR#7 Fixes Use of Implicit PendingIntents Vulnerability Detected by CodeQL #1980 PR#7

Description:

By setting the FLAG_IMMUTABLE, the Android system is informed that once the PendingIntent is
created, it can't be altered by any other app, making it much more difficult for malicious apps to
exploit.

Changes:

// Before
PendingIntent intentBroadCast = PendingIntent.getBroadcast(this, 0,
resultIntent,
PendingIntent.FLAG_UPDATE_CURRENT);

// After
PendingIntent intentBroadCast = PendingIntent.getBroadcast(this, 0,
resultIntent,
PendingIntent.FLAG_UPDATE_CURRENT |
PendingIntent.FLAG_IMMUTABLE);
PR#8 Fixes Uncontrolled data used in path expression vulnerability detected
by CodeQL PR#8

Description

The pull request addresses the "Uncontrolled data used in path expression" vulnerability
detected by CodeQL. The vulnerability could potentially lead to path traversal attacks.

Solution

The proposed fix ensures that only the file name from the path is obtained and used to
create a new file in a secure directory, specifically the app's own files directory. By doing
this, the app avoids accessing unexpected or unauthorized directories.

Changes

Before:

filePath = FileUtils.getPathReal(getActivity(), uri);

if (filePath != null) {
fileChoosen = new File(filePath);
}

After:

filePath = FileUtils.getPathReal(getActivity(), uri);

if (filePath != null) {
fileChoosen = new File(filePath);
}

This code change ensures that the file path is securely handled, mitigating the risk
associated with uncontrolled data.
 CONCLUSION

Testing and improving web applications is a bit like taking care of a garden. You have to look closely,
find the weeds and bugs, and then carefully remove them so the garden can thrive. This project was
all about doing that for two important financial tools: the Mifos X platform and Apache Fineract.

The project set out with clear goals: find problems, test how things work, and fix what's wrong.
Using a set of handy tools and technologies, the project dug into the code of these platforms, found
the mistakes, and came up with ways to fix them. Just like a gardener uses different tools for different
jobs, this project used various tools like Burp Suite, CodeQL, Trivy, npm audit and more to look at
the platforms from every angle.

But the project wasn't just about finding and fixing problems. It was also a chance to learn and grow.
By working on real-world problems, new skills were learned, and knowledge was gained about how
to test and improve web applications.

The work done here matters to many people. Banks, businesses, and ordinary people all rely on tools
like Mifos X and Apache Fineract. By making sure they work well and can be trusted, this project
has helped make the online world a little bit better and more reliable.

In the end, this project shows that with the right tools, a clear plan, and some hard work, it's possible
to make a real difference. Just like a well-tended garden can bloom and grow, so can web
applications when they're cared for and looked after.
 REFERENCES
CodeQL Query Language Documentation: An extensive guide to writing queries in CodeQL.

● CodeQL Language Reference

CodeQL Query Library: A collection of existing queries used to find security vulnerabilities in
code.

● CodeQL GitHub Repository

CodeQL Learning Resources: Comprehensive learning resources for CodeQL.

● CodeQL Learning Hub