About Uwazi

Uwazi is a free, open source database for human rights defenders, journalists, activists, and researchers to securely manage eyewitness videos, testimonies, and other human rights documentation.

Created in 2017 by veteran human rights technologists HURIDOCS, Uwazi (Swahili for “openness”) is designed to balance the need to share human rights data with the imperative to protect the dignity, privacy, and security of human rights defenders. Information entered into Uwazi can be set as fully private, publicly visible, or “somewhere in between,” as the Uwazi website explains.

Audit Description

OTF’s Security Lab partner Assured performed a “whitebox” audit (a form of testing in which auditors have complete knowledge of the item being tested) of the Uwazi web application from April to May of 2024. The review included penetration testing, source code analysis, and testing of authentication, authorization, and a range of other common vulnerabilities.

Scope

The security audit encompassed the Uwazi web application and API, the implementation of the application code, Uwazi’s use of third-party libraries, and the configuration of the application runtime. The review did not include other services running on the same server, the build and distribution configuration, or the Uwazi production or development environments.

Findings

Primary security risks for Uwazi include attacks that expose sensitive data that could endanger individual human rights defenders or targets of human rights abuse, or attacks seeking to disrupt the operations of human rights organizations. Auditors found the system to be well-protected against most threats in the OWASP Web Security Testing Guide. They identified two significant risks, along with nine other issues ranked with a “medium” or “low-risk” rating.

The two biggest vulnerabilities discovered:

  • A flaw in the password reset function—which uses email IDs and timestamps—that allows an attacker to interrupt the reset process by using a different email ID and guessing the correct timestamp of the request. The auditors recommended replacing timestamps with a cryptographically secure random number generator when creating the reset token. Auditors categorized this vulnerability as “Critical.”
  • A lack of validation of uploaded files allows an authenticated attacker to compromise other accounts by uploading executable files, malware, or HTML or SVG files with embedded JavaScript—all of which could be used to “ride” the session of the targeted user and send a password reset, or hijack the front end to trick the victim into entering their password. The auditors recommended less permissive file upload settings based on a limited set of file types, and categorized this vulnerability as “High.”

Remediation

Assured verified that all the identified vulnerabilities have been successfully fixed with the exception of two low-impact issues, which HURIDOCS considered acceptable risks.
