Support #11292

[SCP ID: 5587] : M2U - M2U History - High Risk

Added by Zahir Abd Latif almost 4 years ago. Updated almost 4 years ago.

Status: Closed - End of life cycle
Start date: October 08, 2020
Priority: Normal
Due date:
Assignee: Zahir Abd Latif
% Done: 100%
Category: -
Spent time: -
Target version: -

Description

Hi,
Kindly attend to the request below:

M2U - M2U History - High Risk Finding

Please fix this security-related finding as soon as possible.

Vulnerability
Insecure Direct Object Reference (IDOR)

Description
Insecure direct object reference (IDOR) is an access-control flaw that occurs when a web application uses a user-supplied identifier to access an internal implementation object directly, without performing any additional access control or authorization check on that identifier.

Impact
The penetration tester can view other customers' private data simply by guessing or changing the value of the transactionNumber parameter; the other customer's transaction history is then downloaded and displayed as a PDF.
Go to Rekening Transaksi (Transaction Account) -> Click the customer's name -> Click Aktifitas M2U (M2U Activity) -> Click the Cetak Ulang (Reprint) button -> Intercept the request and change the value of transactionNumber.

Recommendation
Enforce access control policies so that users (including an attacker) cannot act outside their intended permissions; in particular, the backend must check the transactionNumber parameter and confirm that the requested transaction belongs to the authenticated user. Always validate user input, as unchecked input is often the root cause of this type of threat; the validation must be performed on the server side.
Additional information:
https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html

Affected target
https://m2u.maybank.co.id/ib102/ibOnlineTransactionHistoryPrint.do?transactionNumber=[value]

History

#1 Updated by Zahir Abd Latif almost 4 years ago

  • Status changed from New - Begin Life Cycle to Pending Customer Feedback
  • Assignee changed from Rayvandy Gabbytian to Zahir Abd Latif
  • % Done changed from 0 to 100

Hazirah, Oct 22, 2020 12:20 PM:-

Hi Bella,

Please refer to the result below for these fixes.

Before: http://localhost:8080/bii-rib/ib102/ibOnlineTransactionHistoryPrint.do?transactionNumber=20201016000000142441
After: http://localhost:8080/bii-rib/ib102/ibOnlineTransactionHistoryPrint.do?transactionNumber=I7qP3jH4/pORUhSAnlPfUTAdZiKCUFUvpA1/3lRNv5ho5pDvvnqrNoXk4wWcc2Ej

Please find below the path to the war file.

Path: /IBM/SHARE FOLDER/2020/SCPID 5587

Hazirah, Nov 2, 2020 10:28 AM:-

Hi Bella,

Kindly refer to the attachment for the source code review.
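The following is an added illustration of the finding in the description and of the fix shown in the comment above; it is not code from the ticket, from the M2U application or from the attached war file, and every name, identifier and record in it is constructed. It models the vulnerable handler (the identifier alone selects the record), the server-side ownership check the recommendation asks for, and why the opaque transactionNumber value in the "After" URL is only part of a fix: the ticket does not say how that value is produced, and whatever it is, a value copied from another customer's request must still be refused by an ownership check. The per-session token map is the indirect-reference approach from the OWASP cheat sheet linked in the finding, added here as an assumption about how such an opaque value could be issued.

```python
"""Added example: IDOR on a transaction-print endpoint, before and after.

Not code from the ticket or the M2U application. All data is constructed.
"""
import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


# Constructed sample data, keyed by the same kind of numeric identifier as
# the "Before" URL in the ticket. Customers and amounts are made up.
TRANSACTIONS = {
    "20201016000000142441": {"customer_id": "cust-A", "amount": 150000},
    "20201016000000142442": {"customer_id": "cust-B", "amount": 2750000},
}


@dataclass
class Session:
    customer_id: str
    # Per-session indirect reference map: opaque token -> real identifier.
    references: dict = field(default_factory=dict)


def vulnerable_print(session: Session, transaction_number: str) -> dict:
    """The pattern in the finding: the identifier alone selects the record,
    so editing transactionNumber in the request reads another customer's
    history. `session` is accepted but never consulted."""
    return TRANSACTIONS[transaction_number]


def hardened_print(session: Session, transaction_number: str) -> dict:
    """Server-side ownership check: the record must belong to the logged-in
    customer. A guessed, incremented or copied identifier is not enough."""
    row = TRANSACTIONS.get(transaction_number)
    if row is None or row["customer_id"] != session.customer_id:
        # One failure mode for "missing" and "not yours", so the endpoint
        # does not double as an oracle for valid transaction numbers.
        raise Forbidden("transaction not accessible in this session")
    return row


def issue_reference(session: Session, transaction_number: str) -> str:
    """Hand out an unguessable, per-session token for a transaction the
    customer is allowed to see (assumed design, following the OWASP
    indirect-reference advice). The token only resolves inside the
    session that issued it."""
    hardened_print(session, transaction_number)  # never mint for others' rows
    token = secrets.token_urlsafe(32)
    session.references[token] = transaction_number
    return token


def print_by_reference(session: Session, token: str) -> dict:
    """Resolve the token through this session's map, then still apply the
    ownership check. Tokens presented from another session are rejected."""
    transaction_number = session.references.get(token)
    if transaction_number is None:
        raise Forbidden("unknown reference for this session")
    return hardened_print(session, transaction_number)


def demo() -> dict:
    """Walk through the finding and the fix; returns the outcomes so they
    can be inspected or asserted on."""
    alice, bob = Session("cust-A"), Session("cust-B")
    bobs_number = "20201016000000142442"
    results = {}
    # 1. Vulnerable handler: Alice changes the parameter and gets Bob's row.
    results["idor"] = vulnerable_print(alice, bobs_number)["customer_id"] == "cust-B"
    # 2. Hardened handler: the same request is refused.
    try:
        hardened_print(alice, bobs_number)
        results["hardened_blocks"] = False
    except Forbidden:
        results["hardened_blocks"] = True
    # 3. An opaque token minted for Bob does not work in Alice's session
    #    even if she obtains it (shared link, proxy log, screenshot).
    bob_token = issue_reference(bob, bobs_number)
    try:
        print_by_reference(alice, bob_token)
        results["token_alone_insufficient"] = False
    except Forbidden:
        results["token_alone_insufficient"] = True
    # 4. Bob's own token still works for Bob.
    results["owner_ok"] = print_by_reference(bob, bob_token)["amount"] == 2750000
    return results


if __name__ == "__main__":
    print(demo())
```

The point to retest after a fix like the one in the comment is step 3: take the opaque transactionNumber from one customer's Cetak Ulang request and replay it in a second customer's authenticated session. If the PDF still comes back, the value was made unguessable but the authorization check the recommendation asks for is still missing.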

#2 Updated by Zahir Abd Latif almost 4 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle

Issue closed in SCP.
