Volume 18 · Security Review Findings (Deep Redo)
เล่มนี้เป็น security review ระดับแพลตฟอร์ม ที่ import Critical/High จาก Deep Redo scorecards (Wave 1–2) และจาก addendum ใน Volume 12.5 / Volume 17.4
English: Platform-level security review that reconciles shallow Vol 17/18 numbers with Deep Redo scorecards. Do not treat the old “44 Critical / 275 debt items” counts as final until mobile/OCR agents finish — use deep IDs (SEC-*, CRIT-*, CORR-SSO-01) as canonical.
Canonical inputs (อ่านก่อนใช้เล่มนี้)
| Source | Role |
|---|---|
| Vol 12.5 Critical addendum | Backdoor / secrets / SQLi / auth-failure clusters |
| Vol 17.4 Debt addendum | Must-merge Critical IDs + systemic patterns |
| Sample deep scorecards | benefit-api/06, 2way-api/04, meeting-vtrc-api/04, vtrc-api/10 |
| Per-service scorecards | Volumes 3–9 (*-scorecard.md) |
กฎ citation: ทุก claim ในเล่มนี้อ้าง scorecard ID + file:line (+ branch เมื่อไม่ใช่ default) — ไม่ invent finding นอก scorecard/addendum
Chapters
| # | Chapter | Focus |
|---|---|---|
| 1 | Platform attack surface map | Who can hit what without auth; entry points by group |
| 2 | Top-20 Critical remediation runbook | Ordered fix steps with evidence + acceptance checks |
| 3 | Shared-secret blast radius | JWT / sa / SSO AES / mobile RSA clusters |
| 4 | Auth mechanism failures | Backdoors, @Public(), broken verify, SSO dead |
| 5 | Prioritized 90-day security plan | Days 0–30 / 31–60 / 61–90 gates |
Post Deep Redo — how to read severity
| Cluster (from Vol 12.5) | Example IDs | Why it matters |
|---|---|---|
| Backdoor / bypass | SEC-2WAYAPI-01, SEC-2WAYVTRC-01, SEC-CU-04, CRIT-03, SEC-MTVTRC-05 | Full admin or open API without real identity |
| Secrets in git | SEC-BENEFIT-01, SEC-RECRUIT-01, SEC-PMS-02, SEC-MTVTRC-01, … | Credential + shared JWT forge across services |
| SQL injection | SEC-BENEFIT-02, SEC-2WAYAPI-03, SEC-RECRUIT-02, SEC-CHAT-01 | Read/write beyond intended rows |
| Command / dangerous exec | SEC-VTRC-API-01, SEC-VTRC-API-03 | RCE / unauth deploy trigger |
| Frontend token / XSS | SEC-VTRC-RC-02, SEC-BONEW-01, SEC-VTRC-WEB-02 | Session theft via URL/history/XSS |
| Broken auth design | CORR-SSO-01, SEC-2WAYAPI-05, SEC-WORKFLOW-01 | Guards look real but do not verify |
อย่าใช้ตัวเลข 48 จาก Vol 12.3 หรือ 275 จาก Vol 17 index เป็น final — Deep Redo เพิ่ม/ยกระดับ Critical หลายตัว (ดู Vol 12.5 / 17.4)
Platform groups in scope
Internet / staff browsers / mobile / LINE
│
├── Web Frontends (vtrc-web, vtrc-rc-backoffice, vtrc-backoffice*, recruitment-web)
├── Legacy GraphQL (vtrc-api → cu-central-api)
├── NestJS centralize-api (REST; @Public 17/17 — CRIT-03)
├── 2way Platform (2way-api, 2way-vtrc-api, 2way-line-service, …)
├── Domain Microservices (benefit, recruit, pms, ai-recruit, chat, workflow, common, sso, jobsched)
├── Meeting (meeting-vtrc-api — global /secure/* auth commented)
└── Mobile (vtrc-mobile, new-vtrc-mobile — RSA private in bundle)รายละเอียดพื้นผิวโจมตี → Chapter 1
ROI order (platform — from Vol 12.5)
- Rotate ทุก secret ที่หลุดใน git +
git filter-repo - ลบ backdoor (
i3admin,testnaja,signinbypass) + ปิด@Public()ที่ write/PII - Parameterized SQL ทั้ง injection cluster
- แทนที่
execSyncqpdf (SEC-VTRC-API-01) - SSO redesign (
CORR-SSO-01) - HttpOnly cookie / CSP / DOMPurify ฝั่ง frontend
แผน 90 วันที่แปลง ROI เป็น gate → Chapter 5
What this volume is / is not
| Is | Is not |
|---|---|
| Operational security review for engineers + IR | Penetration-test report with live exploit results |
| Citation-backed from scorecards | Inventory of Medium/Low hygiene (see Vol 17) |
| Bilingual EN+TH for exec + implementers | Replacement for Vol 12 architecture narrative |