Possible Vulnerability in ODK Central

1. What is the issue? Please be detailed.
I have successfully installed ODK Central on the local infrastructure. We plan to use this local environment to collect data for a research study that will soon be starting.
I work with one of the big organizations and they have their own information security department that usually carries out security vulnerabilities of all systems before being published online. The information security department has conducted security vulnerabilities and identified the following issues that need to be addressed before proceeding with publishing the server.

  1. No Rate Limiting (Login) - Rate limiting enables a brute-force attack, this is to guess user credentials by systematically trying every possible combination. The server does not limit multiple requests by the client, thus the application becomes vulnerable to rate limiting attack. It was observed that the login page does not enforce rate limiting, allowing an attacker to repeatedly attempt login credentials without restriction, facilitating brute-force attacks.
  2. Missing HTTP Security Headers - HTTP security headers are a subset of HTTP headers and are exchanged between a web client (usually a browser) and a server to specify the security-related details of HTTP communication. It was observed that common security headers are missing in the application.
  3. Obsolete Components (jQuery & Bootstrap) - Obsolete components, which are no longer supported, may pose security risks due to identified vulnerabilities. As systems grow and change over time, it is often necessary to update or replace components to keep them secure. It is identified that the application is using obsolete components (jQuery v3.6.0 & Bootstrap v3.4.1).

2. What steps can we take to reproduce this issue?
Conduct a security vulnerabilities check on the central server.

3. What have you tried to fix the issue?
I have installed f2ban to block IPs that unsuccessfully try to login to the central server after 5 successful tries. But this seems to be not working.

Do we have any solutions to the issues the information security department flagged? I would appreciate any help from the team here.


Thank you for using ODK for your research study and for sharing your concerns.

ODK is designed to be accessible to users with limited technical expertise while remaining flexible enough to meet a broad range of needs. These needs can sometimes be in tension with security best practices, and we strive to strike a deliberate balance. You can read more about our threat model at https://docs.getodk.org/security/#threat-model.

Reports of vulnerabilities from automated scans often fail to consider the intentional choices we’ve made to achieve this balance. Regardless, I want to address your individual concerns.

  • Rate limiting: Unnecessary because we use BCrypt for password hashing (cost factor: 12).
  • jQuery v3.6.0: No known vulnerabilities.
  • Bootstrap v3.4.1: We use the CSS component, so no vulnerabilities are possible.
  • Security headers: We regularly review headers and don't think any are missing. Please email your findings to security@getodk.org so we can investigate.

You don’t have to take our word for it when it comes to ODK’s security. We work with independent security firms to conduct white-box penetration tests and source code reviews. Transparency is a core value for us, so our most recent audit report is publicly available at https://docs.getodk.org/security/#independent-audits. To quote the auditors:

The testing team also honed in on the authorization business logic implemented by the server code. No negative security ramifications were observed in this area, despite painstaking efforts. The cryptographic functionality, particularly those in the quarantine directory, was also subjected to investigation.

If you are using ODK Cloud, we further secure data with access control, denial-of-service protection, continuous backups, automated upgrades, and more. Since you are self-hosting, I encourage you to review https://docs.getodk.org/security/#hosting-considerations to identify any gaps you may wish to address.

Fortunately, because ODK is open-source, if your organization is not satisfied with the security tradeoffs we’ve made, you are free to make any adjustments you see fit. For example, you can replace our light usage of jQuery with vanilla JavaScript or modify your Nginx configuration to include any headers you prefer.

In the future, we ask that you do not report vulnerabilities on the community forum or GitHub. Instead, report them to security@getodk.org. We will respond within three business days and, after investigating and addressing the issue, will disclose it responsibly.

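The reply above points self-hosters at their own Nginx configuration for headers, and notes that rate limiting is a tradeoff rather than a requirement. As an added illustration that is not part of the thread and not ODK Central's shipped configuration, the fragment below shows how a self-hosting team could layer both onto the reverse proxy in front of Central; the hostname, the upstream name/port, the login path and the zone sizes are assumptions to be checked against your deployment.

```nginx
# Added example, not ODK Central's own config. Hostname, upstream, the
# session-creation path and the rate-limit numbers are assumptions.

# One shared zone keyed on client IP: 10 login requests per minute.
limit_req_zone $binary_remote_addr zone=central_login:10m rate=10r/m;

server {
    listen 443 ssl;
    server_name central.example.org;    # placeholder hostname

    # Headers a scanner usually flags when absent. "always" also attaches
    # them to 4xx/5xx responses, which scanners probe as well.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Assumed session-creation endpoint; verify the path for your version.
    # burst=5 lets a user mistype a few times before a 429 is returned.
    location = /v1/sessions {
        limit_req zone=central_login burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://service:8383;   # assumed backend container/port
    }

    location / {
        proxy_pass http://service:8383;   # assumed backend container/port
    }
}
```

Keep the add_header lines at server level: Nginx only inherits them into a location block that declares no add_header of its own, so adding one header inside a location silently drops the rest there. Rejected attempts appear as 429 entries in the access log, which gives fail2ban a reliable pattern to match on if you still want IP banning on top.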

@yanokwa, thank you so much for the detailed feedback. This is really helpful.
