
joola.io
joola is an open source data analytics and visualization framework that enables businesses to store data within its engine and later display that data securely on their websites using an advanced JavaScript SDK.
joola exposes a set of REST API endpoints responsible for every aspect of the framework, from data storage and configuration changes to querying data out. This API is the main scope of this program.
The scope of this program focuses on the REST API exposed by joola. While we will consider ANY security issue raised through this program, the points below are our main areas of concern.
Read more in our API documentation
Token Authorization
Every action carried out by joola has an associated security context. The context dictates what permissions and restrictions a user has within the system. This vector focuses on identifying scenarios in which a user can access a restricted API endpoint without a valid token or by impersonating another user.
REST API Execution Context
Each API action has a permission associated with it, and a user may or may not have permission to access the API endpoint. The second tier of security happens within the API endpoint itself, where a check is made to ensure the user is not trying to access, modify or get a resource that belongs to another workspace.
Data Segregation
joola exposes a specific REST API endpoint at query/fetch, which enables users to consume data, but only from their own workspace. Our main concern is a user managing to access data that belongs to another workspace, which would result in a data leak.
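As an added illustration of the two-tier model described above (endpoint permission first, then workspace ownership) and of the query/fetch segregation concern, here is a hypothetical authorization check written for this page; it is not joola's own code. The token-to-context table, the '*' wildcard for the superuser context and the endpoint names are assumptions, and only the three demo tokens and the _test and _stats workspace names come from this page.

```javascript
// Hypothetical two-tier authorization check illustrating the model described on
// this page, not joola's implementation. Token table and '*' wildcard are assumptions.
const CONTEXTS = new Map([
  ['apitoken-demo',  { user: 'demo',  workspace: '*',      permissions: ['*'] }],
  ['apitoken-test',  { user: 'test',  workspace: '_test',  permissions: ['query/fetch'] }],
  ['apitoken-stats', { user: 'stats', workspace: '_stats', permissions: ['query/fetch'] }],
]);

// Extract the APIToken query parameter from a request path such as
// "/query/fetch?APIToken=apitoken-test"; returns null when it is absent.
function tokenFromPath(path) {
  return new URL(path, 'http://localhost').searchParams.get('APIToken');
}

// Resolve a token to its security context. A Map lookup (rather than a plain
// object) means names like "constructor" cannot resolve to an inherited property.
function contextFromToken(token) {
  if (typeof token !== 'string') return null;
  return CONTEXTS.get(token) || null;
}

// Tier 1: does the context grant the permission attached to this endpoint?
function hasPermission(ctx, endpoint) {
  return ctx.permissions.includes('*') || ctx.permissions.includes(endpoint);
}

// Tier 2: does the requested resource live in the caller's own workspace?
// Only the superuser context ('*') may reach across workspaces.
function ownsWorkspace(ctx, workspace) {
  if (typeof workspace !== 'string' || workspace.length === 0) return false;
  return ctx.workspace === '*' || ctx.workspace === workspace;
}

// Authorize one request. Both tiers must pass; the reason string makes each
// denial attributable when logged, which is what you want when auditing access.
function authorize({ token, endpoint, workspace }) {
  const ctx = contextFromToken(token);
  if (!ctx) return { allowed: false, reason: 'invalid or missing token' };
  if (!hasPermission(ctx, endpoint)) {
    return { allowed: false, reason: `${ctx.user} lacks permission for ${endpoint}` };
  }
  if (!ownsWorkspace(ctx, workspace)) {
    return { allowed: false, reason: `${ctx.user} may not access workspace ${workspace}` };
  }
  return { allowed: true, reason: 'ok', user: ctx.user };
}
// Example: a _test user querying the _stats workspace is denied at tier 2.
console.log(authorize({ token: tokenFromPath('/query/fetch?APIToken=apitoken-test'),
                        endpoint: 'query/fetch', workspace: '_stats' }));
```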
We have set up a few options for you to test our software.
Install A Local Copy
joola is free, open source software. You can install a local copy of joola and test against it. This lets you play around with the code and expand your attack vectors. Having a local copy also ensures you'll receive regular code updates, which are frequent.
$ git clone http://github.com/joola/joola
$ cd joola
$ git checkout develop
For more details on setting up joola, please refer to the setup guide.
or Use our develop Heroku instance
If you prefer testing an already running instance, we have a Heroku deployment available at https://joola-io-example.herokuapp.com. It supports both HTTP and HTTPS connections. Our Heroku instance is updated on every successful build of the develop branch, meaning that fixes are available for evaluation immediately after they are merged.
Security Tokens
To make your life even easier, we have created two users you can play with, either after a local installation or on the Heroku instance. You can read more about security tokens in our API documentation.
?APIToken=apitoken-demo will grant you superuser permissions.
?APIToken=apitoken-test will grant you limited permissions to the _test workspace.
?APIToken=apitoken-stats will grant you limited permissions to the _stats workspace.
We will respond to reports within 24 hours. We will fix security issues within 24 hours of confirming them.