Strengthening Security for Human Rights Defenders: Uwazi Penetration Test
by Jonas Magazinius 2024-11-12
We are honored to be a partner in the Open Technology Fund's (OTF) Security Lab and proud to contribute to this important work. Recently, we had the opportunity to perform a penetration test on Uwazi, developed by HURIDOCS. This test, sponsored by OTF, focused on identifying and mitigating potential security vulnerabilities.
The Uwazi web application is a free, open source database for human rights defenders, journalists, activists, and researchers to securely manage eyewitness videos, testimonies, and other human rights documentation.
Key Findings
The penetration test uncovered a total of eleven security issues, including one vulnerability rated "critical". Our report, which is publicly available, outlines the issues in detail, alongside recommended mitigations.
The team at HURIDOCS responded rapidly to address all vulnerabilities, demonstrating their commitment to protecting the users. Their dedication to securing Uwazi ensures that the platform can be safely used without compromising sensitive data.
The Importance of Securing Password Reset Functionality
The critical vulnerability was found in the password reset functionality, a common source of severe vulnerabilities. Insecure password reset mechanisms can easily lead to account compromise, making them a prime target for malicious actors. As highlighted by the OWASP Web Security Testing Guide, this functionality requires particular attention when conducting penetration tests. This is especially true for open source projects. In closed-source web applications, such weaknesses can be difficult to identify because the algorithm, for example the one used to generate reset tokens, is hidden by the lack of source code access. This potentially lowers the risk rating, since the likelihood of exploitation is lower. In open source projects, however, the code is available for anyone to review, which is what makes this a critical vulnerability.
The OWASP Forgot Password Cheat Sheet is a source for good security practices to reduce the risk of account compromise through password reset vulnerabilities.
Concluding remarks
Our sincere thanks to the HURIDOCS team for their collaboration and professionalism throughout this process. From the initial scoping of the test to the final remediation of vulnerabilities, the team was highly engaged, ensuring that all issues were promptly addressed.
We would also like to express our gratitude to the Open Technology Fund for funding this audit. Their efforts to enhance the security of tools used by at-risk communities play a critical role in ensuring the safety of human rights defenders globally.
We are proud to have worked with HURIDOCS and the Open Technology Fund, and we look forward to more opportunities to contribute to securing tools that protect the most vulnerable.
"The HURIDOCS team is incredibly grateful to Assured for delivering a high-quality, granular and robust audit of our flagship database tool Uwazi. All aspects of our collaboration went smoothly and were very well coordinated. We want to convey our thanks to their specialists for uncovering vulnerabilities that have not been caught before and for providing prompt and additional guidance on making the fixes. We also want to say a special thank you to the Security Lab over at the Open Technology Fund who made this audit possible by providing support and matching us with Assured."
-- HURIDOCS