Overview

e-Despatch is an online system for tracking and managing the movement of official documents in the Indian state of Odisha. It is designed to streamline the process of sending and receiving official documents between different departments and agencies within the state government. The system allows users to track the status of their documents in real-time, and provides features such as document scanning, digitization, and electronic signature. It aims to improve the efficiency and transparency of the government’s document management process.

Client: e-Despatch
Industry: Government of Odisha
Services: Web Application Security Audit
Company: Odisha Computer Application Center
Development Company: CSM Technologies Pvt. Ltd.

Challenge

The e-Despatch portal is a crucial application for the Govt. of Odisha, through which official documents are exchanged securely between users in different departments. This makes proper security implementations throughout the application mandatory, as it stores, processes and fetches highly confidential state govt. data.

Dealing with any Govt. asset for a security audit is always challenging. The challenge for us was to perform penetration testing against the portal following the CERT-In security checklist along with other security frameworks such as the OWASP Top 10 and the SANS 25. The security testing focused on securing the integrity and confidentiality of the data. Additionally, as the portal deals with a number of different privilege levels, we had to check the permission-based access controls thoroughly.

Solution

At first we went through the workflow of the application to understand it better before doing any security testing. Each and every test was done against a host on the staging server. We started the audit with a team of 4 experienced penetration testers, assigning each one a separate module so that the project could be completed before the deadline. As per our procedures, we initiated an automated scan (using paid enterprise tools) against the target and found several low-hanging bugs. During manual testing, our team first engaged in black-box testing and found that the application was disclosing sensitive information to public users and that a few of the departmental users' accounts could be taken over. After completing the white-box testing, our team finished with a total of 17 bugs, ranging from low to critical severity.

The team now had all the required evidence, root causes and preventions for the bugs we had found. We prepared a detailed security report (v1.0) and coordinated continuously with the development team to fix all the raised security issues. After a few days we confirmed that the raised issues had been addressed by the dev team and provided them with the final report (v2.0).

Results

Threatsys completed the security audit on time and was happy to issue the CERT-In "Ready to Host" certificate for the portal. The e-Despatch Odisha portal was then hosted in the state data centre. The portal is now secure against external threats, and its highly sensitive data is processed, stored and fetched flawlessly.