Introduction
We express our gratitude to the VOOX team for the collaborative engagement that enabled the execution of this Pentest.
VOOX is a global cryptocurrency exchange platform, established in 2022, that leverages AI technology to offer services like spot trading, futures, and P2P trading.
Document | 
---|---
Name | Pentest and Security Analysis Report for VOOX
Audited By | Sam Ronald
Approved By | Stephen Ajayi
Website | https://voox.com
Changelog | 22/01/2025 - Preliminary Report
Changelog | 04/02/2025 - Final Report
Platform | Web
Tags | Blackbox
Methodology | https://hackenio.cc/pentest_methodology
Review Scope | 
---|---
Web URLs | voox.com, activity.voox.com, affiliates.voox.com, otc.voox.com, support.voox.com, blog.voox.com
Audit Summary
System users should acknowledge all the risks summarised in the findings section of this report.
System Overview
The project was conducted as a Black Box Test, focusing on the externally reachable functionality of the system without any knowledge of its internal structure or source code. The test covered the following URLs to ensure comprehensive coverage of the platform's key functionality:
voox.com
activity.voox.com
affiliates.voox.com
otc.voox.com
support.voox.com
blog.voox.com
This approach ensures that all user-facing parts of the platform are evaluated for security weaknesses that an external party could reach.
Findings
Code | Title | Status | Severity
---|---|---|---
F-2025-8083 | Misconfigured Cross-Origin Resource Sharing (CORS) | fixed | Medium
F-2025-8159 | Missing Security Headers | accepted | Observation
F-2025-8104 | Content Security Policy (CSP) Not Implemented – Leading to Script Injection Vulnerability | accepted | Observation
F-2025-8326 | Improper Session Management with Concurrent Login Weakness | accepted | Observation
F-2025-8345 | Improper Input Validation | accepted | Observation
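Three of the finding classes in the table (the CORS misconfiguration, the missing security headers and the absent CSP) can be checked from a single captured HTTP response without any knowledge of the backend, which fits the black-box scope of this engagement. The Python below is an added example written for this page; it is not Hacken's tooling and not VOOX's code, and the sample responses, the origins evil.example and app.example, and the nonce value are constructed for illustration and say nothing about the actual configuration of voox.com.

```python
# Added example (not from the report or VOOX): header-level checks for the
# CORS, missing-security-header and CSP finding classes. All hostnames and
# responses below are constructed for illustration, not captured traffic.
from typing import Dict, List, Set

# Headers whose absence falls under "Missing Security Headers".
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS: pins HTTPS for repeat visits",
    "x-content-type-options": "'nosniff': stops MIME-type sniffing",
    "x-frame-options": "clickjacking protection (or CSP frame-ancestors)",
    "content-security-policy": "CSP: restricts script sources, blunts XSS",
    "referrer-policy": "limits URL leakage to third-party origins",
}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise once."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_cors(request_origin: str, headers: Dict[str, str],
               trusted: Set[str]) -> List[str]:
    """Classify one response to a cross-origin request.

    request_origin is the Origin header the tester sent (attacker-chosen);
    trusted is the set of origins the application legitimately serves.
    """
    h = _lower(headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None or acao in trusted:
        return []  # no grant at all, or a grant to a known-good origin
    if acao == "*":
        # Browsers refuse '*' together with credentials, but it still signals a broken config.
        return ["wildcard ACAO" + (" with credentials=true (invalid combination)" if creds
                                   else ": any origin may read unauthenticated responses")]
    if acao == "null":
        return ["ACAO 'null': sandboxed iframes and data: URLs are trusted"]
    if acao == request_origin:
        return ["arbitrary Origin reflected" + (" with credentials: cross-site reads of "
                "authenticated data" if creds else " (no credentials)")]
    return [f"ACAO grants {acao!r}, which is not in the trusted allowlist"]


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the expected security headers that are absent."""
    h = _lower(headers)
    return [name for name in EXPECTED_HEADERS if name not in h]


def csp_weaknesses(csp: str) -> List[str]:
    """Flag CSP settings that still leave script injection open."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: script loading is unrestricted"]
    src = set(sources)
    issues: List[str] = []
    # A nonce or hash makes browsers ignore 'unsafe-inline' (CSP Level 2 and later).
    has_nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in src)
    if "'unsafe-inline'" in src and not has_nonce_or_hash:
        issues.append("'unsafe-inline' without nonce/hash: inline script injection allowed")
    if "'unsafe-eval'" in src:
        issues.append("'unsafe-eval': eval()/Function() of injected strings allowed")
    if "*" in src or any(t in ("http:", "https:") for t in src):
        issues.append("scheme or wildcard source: scripts may load from any host")
    return issues


def audit(headers: Dict[str, str], request_origin: str,
          trusted: Set[str]) -> List[str]:
    """Combine the three checks into one finding list for a response."""
    findings = check_cors(request_origin, headers, trusted)
    findings += [f"missing header: {n} ({EXPECTED_HEADERS[n]})"
                 for n in check_security_headers(headers)]
    csp = _lower(headers).get("content-security-policy")
    if csp:
        findings += [f"weak CSP: {w}" for w in csp_weaknesses(csp)]
    return findings


# Constructed sample responses (illustrative only, not voox.com traffic).
TRUSTED_ORIGINS = {"https://app.example"}
ATTACKER_ORIGIN = "https://evil.example"

WEAK_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": ATTACKER_ORIGIN,  # Origin reflected verbatim
    "Access-Control-Allow-Credentials": "true",
}

HARDENED_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://app.example",  # fixed allowlist entry
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp, ATTACKER_ORIGIN, TRUSTED_ORIGINS) or ["no findings"])
```

Against a live target the `headers` dict would come from a request sent with an attacker-controlled `Origin`; the decisive CORS check is whether that exact origin comes back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, since that is the combination that lets a hostile page read authenticated responses. The CSP check deliberately treats `'unsafe-inline'` as harmless when a nonce or hash is present, because compliant browsers then ignore it.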
Appendix 1. Severity Definitions
Severity | Description |
---|---|
Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach. |
Medium | These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
Low | These issues present minimal risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following URLs:
Scope Details | 
---|---
Web URLs | voox.com, activity.voox.com, affiliates.voox.com, otc.voox.com, support.voox.com, blog.voox.com