Skip to content

Volume 18 · Security Review Findings (Deep Redo)

เล่มนี้เป็น security review ระดับแพลตฟอร์ม ที่ import Critical/High จาก Deep Redo scorecards (Wave 1–2) และจาก addendum ใน Volume 12.5 / Volume 17.4

English: Platform-level security review that reconciles shallow Vol 17/18 numbers with Deep Redo scorecards. Do not treat the old “44 Critical / 275 debt items” counts as final until mobile/OCR agents finish — use deep IDs (SEC-*, CRIT-*, CORR-SSO-01) as canonical.


Canonical inputs (อ่านก่อนใช้เล่มนี้)

SourceRole
Vol 12.5 Critical addendumBackdoor / secrets / SQLi / auth-failure clusters
Vol 17.4 Debt addendumMust-merge Critical IDs + systemic patterns
Sample deep scorecardsbenefit-api/06, 2way-api/04, meeting-vtrc-api/04, vtrc-api/10
Per-service scorecardsVolumes 3–9 (*-scorecard.md)

กฎ citation: ทุก claim ในเล่มนี้อ้าง scorecard ID + file:line (+ branch เมื่อไม่ใช่ default) — ไม่ invent finding นอก scorecard/addendum


Chapters

#ChapterFocus
1Platform attack surface mapWho can hit what without auth; entry points by group
2Top-20 Critical remediation runbookOrdered fix steps with evidence + acceptance checks
3Shared-secret blast radiusJWT / sa / SSO AES / mobile RSA clusters
4Auth mechanism failuresBackdoors, @Public(), broken verify, SSO dead
5Prioritized 90-day security planDays 0–30 / 31–60 / 61–90 gates

Post Deep Redo — how to read severity

Cluster (from Vol 12.5)Example IDsWhy it matters
Backdoor / bypassSEC-2WAYAPI-01, SEC-2WAYVTRC-01, SEC-CU-04, CRIT-03, SEC-MTVTRC-05Full admin or open API without real identity
Secrets in gitSEC-BENEFIT-01, SEC-RECRUIT-01, SEC-PMS-02, SEC-MTVTRC-01, …Credential + shared JWT forge across services
SQL injectionSEC-BENEFIT-02, SEC-2WAYAPI-03, SEC-RECRUIT-02, SEC-CHAT-01Read/write beyond intended rows
Command / dangerous execSEC-VTRC-API-01, SEC-VTRC-API-03RCE / unauth deploy trigger
Frontend token / XSSSEC-VTRC-RC-02, SEC-BONEW-01, SEC-VTRC-WEB-02Session theft via URL/history/XSS
Broken auth designCORR-SSO-01, SEC-2WAYAPI-05, SEC-WORKFLOW-01Guards look real but do not verify

อย่าใช้ตัวเลข 48 จาก Vol 12.3 หรือ 275 จาก Vol 17 index เป็น final — Deep Redo เพิ่ม/ยกระดับ Critical หลายตัว (ดู Vol 12.5 / 17.4)


Platform groups in scope

Internet / staff browsers / mobile / LINE

        ├── Web Frontends (vtrc-web, vtrc-rc-backoffice, vtrc-backoffice*, recruitment-web)
        ├── Legacy GraphQL (vtrc-api → cu-central-api)
        ├── NestJS centralize-api (REST; @Public 17/17 — CRIT-03)
        ├── 2way Platform (2way-api, 2way-vtrc-api, 2way-line-service, …)
        ├── Domain Microservices (benefit, recruit, pms, ai-recruit, chat, workflow, common, sso, jobsched)
        ├── Meeting (meeting-vtrc-api — global /secure/* auth commented)
        └── Mobile (vtrc-mobile, new-vtrc-mobile — RSA private in bundle)

รายละเอียดพื้นผิวโจมตี → Chapter 1


ROI order (platform — from Vol 12.5)

  1. Rotate ทุก secret ที่หลุดใน git + git filter-repo
  2. ลบ backdoor (i3admin, testnaja, signinbypass) + ปิด @Public() ที่ write/PII
  3. Parameterized SQL ทั้ง injection cluster
  4. แทนที่ execSync qpdf (SEC-VTRC-API-01)
  5. SSO redesign (CORR-SSO-01)
  6. HttpOnly cookie / CSP / DOMPurify ฝั่ง frontend

แผน 90 วันที่แปลง ROI เป็น gate → Chapter 5


What this volume is / is not

IsIs not
Operational security review for engineers + IRPenetration-test report with live exploit results
Citation-backed from scorecardsInventory of Medium/Low hygiene (see Vol 17)
Bilingual EN+TH for exec + implementersReplacement for Vol 12 architecture narrative

ไป 1 · Attack surface map