Tahoon API - Security Audit¶

Executive Summary¶

The Tahoon API demonstrates a strong security-first approach with multiple layers of protection. However, several critical vulnerabilities and security gaps were identified that require immediate attention.

Overall Security Rating: ⚠️ B+ (Good with Critical Gaps)

Key Strengths:
- Multi-layered security architecture
- Strong encryption implementation (AES-256)
- Request integrity validation (HMAC-SHA256)
- ID obfuscation for all sensitive identifiers
- Multi-tenant isolation

Critical Vulnerabilities:
- 🔴 Exception details exposed to clients
- 🔴 Hardcoded secrets in configuration files
- 🔴 No rate limiting
- 🔴 Missing audit logging
- 🟡 Weak password hashing (SHA-256 without salt)

Table of Contents¶

1. Authentication & Authorization Security
2. Data Protection
3. Input Validation
4. Cryptography
5. API Security
6. Database Security
7. Third-Party Integration Security
8. Configuration Security
9. Vulnerability Assessment
10. Compliance & Privacy
11. Security Recommendations

1. Authentication & Authorization Security¶

1.1 JWT Token Security¶

Status: ✅ Generally Secure with Gaps

Strengths¶

✅ HMAC-SHA256 Signing: Strong algorithm
✅ Token Expiration: 24-hour lifetime
✅ Issuer/Audience Validation: Prevents token reuse across services
✅ Custom Claims: OrganizationId isolation

Vulnerabilities¶

🔴 CRITICAL: Hardcoded JWT Secret

// appsettings.json (COMMITTED TO REPOSITORY)
{
  "Jwt": {
    "Key": "7955BF0A-8507-4214-B494-8B2B5F1BF150"
  }
}

Impact: If repository is exposed, attackers can:
- Generate valid tokens for any organization
- Impersonate legitimate organizations
- Access all tenant data

Severity: CRITICAL

Recommendation:
- Move to Azure Key Vault or environment variables
- Rotate secret immediately
- Use at least 256-bit random key (current is UUID, only 128-bit)

🔴 CRITICAL: No Token Refresh Mechanism

Issue: Tokens expire after 24 hours, requiring full re-authentication

Security Risk:
- Credentials transmitted more frequently
- Higher attack surface window

Recommendation:
- Implement refresh token flow
- Use short-lived access tokens (15 minutes) + long-lived refresh tokens

🟡 MEDIUM: No Token Revocation

Issue: Compromised tokens cannot be invalidated before expiry

Code Location: No blacklist or revocation mechanism exists

Recommendation:
- Implement token blacklist (Redis cache)
- Add /api/auth/revoke endpoint
- Check blacklist in JWT validation middleware

1.2 Organization Authentication¶

Status: ✅ Secure

Code: AuthController.GetToken()

// Validates grant_type
if (request.GrantType != "password")
    return Unauthorized();

// Database lookup by access key
var response = _authRepository.Authenticate(request.AccessKey);

if (string.IsNullOrEmpty(response?.SharedAPIKey))
    return Unauthorized();

✅ Strengths:
- Database-backed validation
- No direct SQL injection risk (stored procedure)
- Returns minimal information on failure

⚠️ Weakness: No brute-force protection

Recommendation: Add rate limiting to token endpoint

1.3 Authorization Enforcement¶

Status: ⚠️ Partially Secure

Multi-Tenant Isolation¶

✅ Good: Organization ID extracted from JWT

string? organizationId = User.FindFirst("OrganizationId")?.Value;

✅ Good: User ownership validation

var validateUser = await _userRepository.ValidateOrganizationUserId(
    userId, organizationId);

Gaps¶

🟡 MEDIUM: Missing Role-Based Access Control

Issue: All organizations have identical permissions

Scenario: Cannot distinguish between:
- Read-only integrations
- Full-access integrations
- Administrative access

Recommendation:
- Add Role claim to JWT (Admin, ReadWrite, ReadOnly)
- Implement policy-based authorization
- Enforce at controller level

2. Data Protection¶

2.1 ID Encryption¶

Status: ✅ Well Implemented

Algorithm: AES-256-CBC + Base64URL

Code: SecurityHelper.EncryptId(), EncryptedModelBinder

✅ Strengths:
- All sensitive IDs encrypted in transit
- Automatic decryption via model binding
- URL-safe encoding
- Prevents sequential ID guessing

Encryption Flow:

PlainID (12345)
    ↓
AES-256-CBC Encrypt
    ↓
Base64 Encode
    ↓
URL-Safe Transform (+ → -, / → _, remove =)
    ↓
Encrypted: "Kx3mF-2pL_9qR"

Minor Issues¶

🟡 LOW: Weak Iteration Count

Code: Cryptography class

private int _iterations = 2;  // ❌ Too low

Recommendation: Use at least 10,000 iterations (OWASP recommendation: 310,000 for PBKDF2-SHA256)

🟡 LOW: SHA1 in Key Derivation

Code:

var key = new Rfc2898DeriveBytes(passPhrase, saltBytes, _iterations, 
    HashAlgorithmName.SHA1);  // ❌ SHA1 deprecated

Recommendation: Use HashAlgorithmName.SHA256

2.2 Connection String Encryption¶

Status: ✅ Secure Approach, ⚠️ Implementation Gaps

Code: BaseRepository.DecryptConnectionString()

✅ Strengths:
- Credentials encrypted at rest
- Decrypted only in memory
- Per-component encryption

🔴 CRITICAL: Encryption Keys in appsettings.json

{
  "SecuritySettings": {
    "AESKey": "pH2uJjFtaE4n+Kk3QfCNrX4lZkZcPbqP5gVZAp1o0P8=",
    "AESIV": "q6JxgUuToRnQmTnOKGh3Nw==",
    "PassPhrase": "55C9F5A8-17B8-4783-ABB1-D9AC7C3CF9BB",
    "Salt": "2GlHRj2MxxxC2Dnn",
    "Vector": "8WhO95QaRasSxsfh",
    "EncryptionPassword": "Password*1"
  }
}

Impact: If config file exposed:
- Database credentials can be decrypted
- All encrypted data compromised
- ID encryption broken

Recommendation:
- Move keys to Azure Key Vault
- Use managed identities for database access
- Rotate keys quarterly

2.3 Password Hashing¶

Status: ⚠️ Weak Implementation

Code: SecurityHelper.GeneratePassword()

public string GeneratePassword(string password)
{
    using (var sha256 = SHA256.Create())
    {
        byte[] bytes = Encoding.UTF8.GetBytes(password);
        byte[] hash = sha256.ComputeHash(bytes);
        return Convert.ToBase64String(hash);
    }
}

🔴 CRITICAL Issues:
1. No Salt: Vulnerable to rainbow table attacks
2. No Iterations: Fast hashing enables brute-force
3. SHA-256: Not designed for password hashing

Modern Alternative:

// Use Argon2id or bcrypt
using var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
{
    Salt = GenerateRandomSalt(16),
    DegreeOfParallelism = 8,
    Iterations = 4,
    MemorySize = 65536
};
return Convert.ToBase64String(argon2.GetBytes(32));

Note: This may not be actively used in Tahoon API (for main Psyter API)

Recommendation:
- Implement Argon2id or bcrypt
- Add per-user salt
- Use at least 10 iterations

3. Input Validation¶

3.1 Anti-XSS Protection¶

Status: ✅ Good Coverage

Implementation: ValidateAntiXSSAttribute, AntiXssAttribute

Detection Pattern:

var xssPattern = @"(?i)<\s*\/?\s*(script|iframe|embed|object|form|style|link|meta|img|svg|marquee|input|button|base|body|video|audio|source|frame|frameset|ilayer|layer|bgsound|title|xml|plaintext|xss)[^>]*>|
                    (on\w+)\s*=\s*(['""]).*?\2|
                    javascript:|data:text\/html|vbscript:|mocha:|livescript:";

✅ Strengths:
- Comprehensive pattern coverage
- Blocks script tags, event handlers, dangerous protocols
- Applied globally via [ValidateAntiXSS] attribute

⚠️ Weaknesses:

🟡 MEDIUM: Regex Bypass Risk

Issue: Complex regex patterns can be bypassed with encoding/obfuscation

Example Bypass Attempts:
- <script> → <scr<script>ipt>
- javascript: → java\nscript:
- Event handlers: on error=

Recommendation:
- Use HTML sanitization library (HtmlSanitizer)
- Encode output (defense in depth)
- Content Security Policy (CSP) headers

🟡 MEDIUM: AllowHTML Mode

Code: AntiXssAllowHTMLAttribute

// Only checks for specific dangerous attributes
Regex r = new Regex(@"(?:formaction|background|lowsrc|ping|on\w+=)", 
    RegexOptions.IgnoreCase);

Risk: More permissive, potential bypass

Recommendation:
- Use whitelist approach (only allow specific safe tags)
- Sanitize instead of validate

3.2 SQL Injection Protection¶

Status: ✅ Secure

Approach: Stored procedures only (no inline SQL)

Code Example: AuthRepository.Authenticate()

using var cmd = CreateDbCommand("Organization_Authenticate_ByApplicationToken", conn);
cmd.Parameters.AddWithValue("@ApplicationToken", appToken);

✅ Strengths:
- Parameterized queries (via stored procedures)
- No string concatenation for SQL
- Database-level input validation

No vulnerabilities detected

3.3 Request Integrity Validation¶

Status: ✅ Excellent

Implementation: ValidateSecureHashAttribute

Algorithm: HMAC-SHA256 using SharedAPIKey

Code:

private string GenerateSecureHash(string data, string key)
{
    using (var hmac = new HMACSHA256(Convert.FromBase64String(key)))
    {
        var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
        return Convert.ToBase64String(hash);
    }
}

✅ Strengths:
- Cryptographically secure (HMAC-SHA256)
- Per-organization secret (SharedAPIKey)
- Prevents request tampering
- Property-level inclusion control

No vulnerabilities detected

3.4 Model Validation¶

Status: ⚠️ Basic

Approach: ASP.NET Core model validation

✅ Good: Required fields validated

if (!ModelState.IsValid)
{
    return StatusCode(400, new BaseResponse { ... });
}

🟡 MEDIUM: Insufficient Validation

Missing Validations:
- Email format validation
- Phone number format validation
- Date range validation (DOB in future?)
- String length limits
- Enum value validation

Example Code Issue: UserController.SubmitUserAssessmentQuestions()

if (request?.ScreeningResult == null || request.UserScreeningAnswers.Any(a =>
        a.CatScreeningQuetionOptionId == null && a.AnswerText == null))
{
    // Only checks for null, not content validity
}

Recommendation:
- Add [StringLength], [Range], [EmailAddress] attributes
- Implement custom validators
- Use FluentValidation library

4. Cryptography¶

4.1 Encryption Algorithms¶

Status: ✅ Modern Algorithms, ⚠️ Weak Configuration

Implementation Summary:

4.2 Key Management¶

Status: 🔴 CRITICAL - Poor Practices

🔴 CRITICAL: Hardcoded Secrets

Files with hardcoded secrets:
1. appsettings.json - JWT key, AES key, IV, PassPhrase, Salt, Vector
2. firebase-adminsdk-live.json - Firebase private key (likely committed)

Impact: Full system compromise if repository exposed

Example:

{
  "Jwt": {
    "Key": "7955BF0A-8507-4214-B494-8B2B5F1BF150"  // ❌ Hardcoded
  },
  "SecuritySettings": {
    "AESKey": "pH2uJjFtaE4n+Kk3QfCNrX4lZkZcPbqP5gVZAp1o0P8=",  // ❌ Hardcoded
    "AESIV": "q6JxgUuToRnQmTnOKGh3Nw==",  // ❌ Hardcoded
    "PassPhrase": "55C9F5A8-17B8-4783-ABB1-D9AC7C3CF9BB",  // ❌ Hardcoded
    "Salt": "2GlHRj2MxxxC2Dnn",  // ❌ Hardcoded
    "Vector": "8WhO95QaRasSxsfh"  // ❌ Hardcoded
  }
}

Recommendation:

# .gitignore additions
appsettings.json
appsettings.*.json
firebase-adminsdk*.json

# Use environment variables or Azure Key Vault
export SecuritySettings__AESKey="..."
export SecuritySettings__AESIV="..."

🔴 CRITICAL: Static IV Reuse

Code: Same IV used for all AES operations

aes.IV = Encoding.UTF8.GetBytes(_settings.AESIV);  // ❌ Static IV

Vulnerability: CBC mode with static IV allows pattern detection

Impact: Identical plaintexts produce identical ciphertexts

Recommendation:
- Generate random IV for each encryption
- Prepend IV to ciphertext
- Extract IV during decryption

4.3 Cryptographic Randomness¶

Status: ⚠️ Not Verified

Issue: No code found generating random values (salts, IVs, tokens)

Recommendation: Ensure use of RandomNumberGenerator (not Random)

// ❌ Weak
var random = new Random();
var salt = random.Next();

// ✅ Cryptographically secure
using var rng = RandomNumberGenerator.Create();
var salt = new byte[16];
rng.GetBytes(salt);

5. API Security¶

5.1 Rate Limiting¶

Status: 🔴 CRITICAL - Not Implemented

Code: No rate limiting middleware found

Vulnerability:
- DDoS attacks
- Brute-force attacks on token endpoint
- Resource exhaustion

Attack Scenarios:
1. Token Endpoint Brute-Force:

POST /api/auth/token (repeated 1000x/sec)
→ Guess access_key

2. Provider Search Spam:
   

   POST /api/careprovider/getcareproviderslistwithschedule
   → Overload database
   

Recommendation:

// Install: AspNetCoreRateLimit
builder.Services.AddMemoryCache();
builder.Services.Configure<IpRateLimitOptions>(options =>
{
    options.GeneralRules = new List<RateLimitRule>
    {
        new RateLimitRule
        {
            Endpoint = "POST:/api/auth/token",
            Limit = 5,
            Period = "1m"
        },
        new RateLimitRule
        {
            Endpoint = "*",
            Limit = 100,
            Period = "1m"
        }
    };
});

Priority: CRITICAL - Implement Immediately

5.2 CORS Configuration¶

Status: ❓ Not Found in Code

Issue: No CORS policy detected

Risk:
- If missing: APIs may not work from web browsers
- If too permissive: CSRF attacks

Recommendation:

builder.Services.AddCors(options =>
{
    options.AddPolicy("TahoonAPI", policy =>
    {
        policy.WithOrigins("https://trusted-partner.com")
              .AllowAnyMethod()
              .AllowAnyHeader()
              .AllowCredentials();
    });
});

5.3 HTTPS Enforcement¶

Status: ✅ Configured

Code: app.UseHttpsRedirection();

✅ Good: HTTPS redirect enabled

🟡 Recommendation: Add HSTS header

app.UseHsts();  // HTTP Strict Transport Security

5.4 API Documentation Security¶

Status: ⚠️ Swagger Enabled in Production

Code: Program.cs

if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}
else
{
    app.UseSwagger();  // ⚠️ Enabled in production
    app.UseSwaggerUI(c => { ... });
}

Risk: Information disclosure (API structure, parameters)

Recommendation:
- Disable Swagger in production
- OR require authentication for Swagger UI
- OR use separate URL with IP restrictions

5.5 Error Handling & Information Disclosure¶

Status: 🔴 CRITICAL - Vulnerable

🔴 CRITICAL: Exception Details Exposed

Code: Multiple controllers

catch (Exception ex)
{
    return StatusCode(StatusCodes.Status500InternalServerError, ex);
    // ❌ Full exception object returned to client
}

Example Leaked Information:
- Stack traces (reveals file paths, method names)
- Database errors (table names, schema)
- Third-party API errors (credentials, endpoints)

Production Output Example:

{
  "ClassName": "System.Data.SqlClient.SqlException",
  "Message": "Invalid object name 'UserLoginInfo'.",
  "Data": null,
  "InnerException": null,
  "HelpURL": null,
  "StackTraceString": "   at System.Data.SqlClient.SqlConnection.OnError...",
  "RemoteStackTraceString": null,
  "Source": "System.Data.SqlClient",
  "HResult": -2146232060
}

Fix:

catch (Exception ex)
{
    _logger.LogError(ex, "Error in BookSession");  // Server-side only

    return StatusCode(500, new BaseResponse
    {
        Status = 0,
        Reason = ResponseReason.Error,
        Message = "An error occurred while processing your request."  // ✅ Generic
    });
}

Priority: CRITICAL - Fix Immediately

5.6 Security Headers¶

Status: ❓ Not Implemented

Missing Headers:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Content-Security-Policy
- Referrer-Policy: no-referrer

Recommendation:

app.Use(async (context, next) =>
{
    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    context.Response.Headers.Add("X-Frame-Options", "DENY");
    context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
    context.Response.Headers.Add("Referrer-Policy", "no-referrer");
    await next();
});

6. Database Security¶

6.1 Connection Security¶

Status: ✅ Encrypted Credentials, ⚠️ Configuration Issues

✅ Strengths:
- Connection strings encrypted at rest
- SQL Server authentication (not Windows auth)
- Parameterized queries via stored procedures

🟡 MEDIUM: Connection String in Memory

Issue: Decrypted connection string stored in memory

Recommendation:
- Use managed identities (Azure SQL)
- Avoid storing connection strings altogether

6.2 Least Privilege¶

Status: ❓ Cannot Verify

Unknown: Database user permissions

Recommendation Checklist:
- [ ] Database user should NOT have db_owner role
- [ ] Grant EXECUTE on specific stored procedures only
- [ ] No SELECT, INSERT, UPDATE, DELETE on tables
- [ ] Separate users for different services

6.3 SQL Injection¶

Status: ✅ Protected

Analysis: All database calls use stored procedures with parameters

No vulnerabilities detected

7. Third-Party Integration Security¶

7.1 VideoSDK Integration¶

Status: ⚠️ Secure Communication, Configuration Issues

API Calls: VideoSDKHelper.CreateMeetingAsync()

✅ Strengths:
- HTTPS communication
- JWT authentication
- Token expiration (24 hours)

🟡 MEDIUM: Credentials in Database

Code: Loads from CatAppConfigSetting table

VIDEOSDK_API_KEY = sdkAPIKey.PropertyValue;  // ⚠️ Plaintext in DB
VIDEOSDK_SECRET_KEY = sdkSecretKey.PropertyValue;  // ⚠️ Plaintext in DB

Recommendation:
- Encrypt sensitive config in database
- Or use Azure Key Vault references

7.2 Firebase Cloud Messaging¶

Status: ⚠️ Service Account Key Management

🟡 MEDIUM: Service Account JSON File

Files:
- firebase-adminsdk-live.json
- firebase-adminsdk.json

Risk: If committed to repository, Firebase project compromised

Verification Needed:

# Check if in version control
git log --all --full-history -- "*firebase-adminsdk*.json"

Recommendation:
- Add to .gitignore
- Rotate service account keys if exposed
- Use environment variable with JSON content
- Or use Firebase Admin SDK with Application Default Credentials

8. Configuration Security¶

8.1 Sensitive Data in Configuration¶

Status: 🔴 CRITICAL - Multiple Issues

Hardcoded Secrets Found:

Immediate Actions:
1. Remove secrets from repository
2. Invalidate all exposed credentials
3. Implement secure secret management

8.2 Environment-Specific Configuration¶

Status: ⚠️ Partial

Files:
- appsettings.json (Production)
- appsettings.Development.json (Development)

🟡 MEDIUM: Production Secrets in Repository

Issue: Both files likely in version control

Recommendation:

# Add to .gitignore
appsettings.json
appsettings.*.json
!appsettings.example.json

# Keep template only
appsettings.example.json

9. Vulnerability Assessment¶

9.1 OWASP Top 10 (2021) Analysis¶

9.2 Penetration Testing Scenarios¶

Recommended Tests:

1. Token Brute-Force
   

   # Test rate limiting
   for i in {1..1000}; do
     curl -X POST https://api/auth/token -d "access_key=test$i"
   done
   

2. SQL Injection Attempts
   

   # Test stored procedure protection
   curl -X POST https://api/user/register \
     -d '{"name":"admin'--","dob":"1990-01-01"}'
   

3. XSS Payloads
   

   curl -X POST https://api/user/register \
     -d '{"name":"<script>alert(1)</script>","dob":"1990-01-01"}'
   

4. ID Enumeration
   

   # Test if encrypted IDs can be predicted
   for id in {1..1000}; do
     curl https://api/careprovider/profile/$id
   done
   

5. Exception Information Disclosure
   

   # Trigger errors to leak stack traces
   curl -X POST https://api/sessionbooking/booksession \
     -d '{"invalidfield":"test"}'
   

10. Compliance & Privacy¶

10.1 GDPR Compliance¶

Status: ⚠️ Gaps Identified

Data Subject Rights:

Concerns:
- No user data export endpoint
- No account deletion endpoint
- Unclear data retention policies

10.2 HIPAA Compliance (Healthcare Data)¶

Status: ⚠️ Additional Controls Needed

Requirements:

Gaps:
- No audit logging for PHI access
- No data retention/destruction policies visible
- No backup encryption verification

10.3 PCI DSS (if handling payments)¶

Status: ❓ Payment handling unclear

Code Analysis: Payment references found but implementation unclear

Concerns:
- OrderMain table has payment fields
- Refund logic exists
- No PCI-compliant payment gateway integration visible

Recommendation: If handling payments:
- Use PCI-compliant payment gateway (Stripe, etc.)
- Never store credit card numbers
- Implement tokenization

11. Security Recommendations¶

11.1 Critical (Do Now - Within 1 Week)¶

Estimated Total Effort: 30 hours (1 sprint)

11.2 High Priority (Do Next - Within 1 Month)¶

Estimated Total Effort: 32 hours

11.3 Medium Priority (Plan - Within 3 Months)¶

Estimated Total Effort: 68 hours

11.4 Security Development Lifecycle¶

Recommendations:

1. Pre-Commit:
   - Add git hooks to detect secrets (e.g., detect-secrets)
   - Run SAST scanner (SonarQube, Snyk)

2. CI/CD Pipeline:
   - Dependency vulnerability scanning
   - SAST/DAST automated tests
   - Secrets scanning

3. Code Review:
   - Security-focused code review checklist
   - Peer review all crypto changes

4. Regular Activities:
   - Quarterly security audits
   - Monthly dependency updates
   - Annual penetration testing

12. Security Checklist¶

12.1 Immediate Actions (This Week)¶

• Remove hardcoded secrets from appsettings.json
• Add appsettings*.json to .gitignore
• Rotate JWT signing key
• Rotate encryption keys (AES key, IV, PassPhrase)
• Implement generic error messages (hide exceptions)
• Add rate limiting to /api/auth/token
• Disable Swagger in production OR add authentication
• Review Firebase service account key exposure

12.2 Short-Term Actions (This Month)¶

• Implement global exception handler
• Add security headers middleware
• Implement audit logging (Serilog)
• Add token refresh endpoint
• Implement token blacklist
• Fix static IV issue (generate random IV)
• Increase PBKDF2 iterations to 310,000
• Switch PBKDF2 from SHA1 to SHA256
• Implement Argon2id for password hashing
• Add comprehensive model validation

12.3 Medium-Term Actions (Next Quarter)¶

• Implement role-based authorization
• Add CORS policy
• Migrate secrets to Azure Key Vault
• Implement managed identities for SQL
• Add GDPR data export endpoint
• Add account deletion endpoint
• Conduct penetration testing
• Implement SAST/DAST in CI/CD
• Add security monitoring (Application Insights)
• Document security architecture

13. Conclusion¶

The Tahoon API demonstrates a strong security foundation with multi-layered protection, but suffers from critical configuration and operational security gaps that require immediate attention.

Security Maturity Level: Level 2 (Basic Security) out of 5

Path to Level 3 (Managed Security):
1. Fix critical vulnerabilities (hardcoded secrets, exception exposure)
2. Implement audit logging and monitoring
3. Add rate limiting and DDoS protection
4. Establish security testing in CI/CD

Overall Assessment:
- ✅ Well-Designed Security Architecture
- ⚠️ Configuration Security Needs Improvement
- 🔴 Operational Security Gaps Critical
- ✅ Code-Level Security Generally Good

Primary Risk: Hardcoded secrets in configuration files - If repository is exposed or credentials leak, entire system is compromised.

Recommended Action: Immediately rotate all secrets and implement Azure Key Vault before deploying to production or sharing repository access.