Support #11292
[SCP ID :##5587##] : M2U - M2U History - High Risk
| Status: | Closed - End of life cycle | Start date: | October 08, 2020 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Zahir Abd Latif | % Done: | 100% |
| Category: | - | Spent time: | - |
| Target version: | - | | |
Description
Hi,
Kindly attend below request:-
M2U - M2U History - High Risk Finding
Please fix this security-related finding at the soonest,
Vulnerability
Insecure Direct Object Reference (IDOR)
Description
Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks.
Impact
A penetration tester can see other people's private data by simply guessing/changing the parameter value of transactionNumber; after that, the person's transaction history data is downloaded and displayed in PDF format.
Go to Rekening Transaksi -> Click Customer's Name -> Click Aktifitas M2U -> Click the button Cetak Ulang -> Intercept the request and change the value of transactionNumber.
Recommendation
Enforce access control policies so that users (attackers) cannot act outside of their intended permissions, especially in the backend check of the parameter transactionNumber. Always check user input; it is sometimes the root cause of this type of threat. Validation must be performed on the server side.
Additional Information:
https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html
Affected target
https://m2u.maybank.co.id/ib102/ib0nlineTransactionHistoryPrint.do?transactionNumber=[value]
History
#1 Updated by Zahir Abd Latif almost 4 years ago
- Status changed from New - Begin Life Cycle to Pending Customer Feedback
- Assignee changed from Rayvandy Gabbytian to Zahir Abd Latif
- % Done changed from 0 to 100
Hazirah, Oct 22, 2020 12:20 PM:-
Hi Bella, Please refer to the result below for these fixes.
Before: http://localhost:8080/bii-rib/ib102/ibOnlineTransactionHistoryPrint.do?transactionNumber=20201016000000142441
After: http://localhost:8080/bii-rib/ib102/ibOnlineTransactionHistoryPrint.do?transactionNumber=I7qP3jH4/pORUhSAnlPfUTAdZiKCUFUvpA1/3lRNv5ho5pDvvnqrNoXk4wWcc2Ej
Please find below path for the war file.
Path: /IBM/SHARE FOLDER/2020/SCPID 5587
Hazirah, Nov 2, 2020 10:28 AM:-
Hi Bella, Kindly refer to attachment for source code review.
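The two controls behind the recommendation and the fix above (a server-side ownership check on transactionNumber, and an opaque per-session reference in place of the raw number), as an added Python example that is not the application's code; the records, customer names, function names and token scheme are constructed assumptions for illustration:

```python
import secrets

# Constructed sample data (not real records), keyed by raw transactionNumber.
TRANSACTIONS = {
    "20201016000000142441": {"owner": "customer-A", "amount": 150000},
    "20201016000000142442": {"owner": "customer-B", "amount": 75000},
}


class AccessDenied(Exception):
    """Raised when a request references a record the session user does not own."""


def print_history_vulnerable(session_user, transaction_number):
    """The reported flaw: the client-supplied ID is used directly, with no ownership check."""
    return TRANSACTIONS[transaction_number]


def print_history_fixed(session_user, transaction_number):
    """Server-side check: 'not found' and 'not yours' get the same response,
    so a guesser cannot even learn whether a number exists."""
    record = TRANSACTIONS.get(transaction_number)
    if record is None or record["owner"] != session_user:
        raise AccessDenied("no such transaction for this user")
    return record


class SessionReferenceMap:
    """Per-session indirect reference map (OWASP cheat sheet pattern): the
    page embeds a random token instead of the raw transactionNumber, and only
    tokens issued to this session resolve back to a record."""

    def __init__(self, session_user):
        self.session_user = session_user
        self._tokens = {}

    def tokens_for_user(self):
        """Issue one unguessable token per transaction the user owns."""
        for number, record in TRANSACTIONS.items():
            if record["owner"] == self.session_user:
                self._tokens[secrets.token_urlsafe(24)] = number
        return list(self._tokens)

    def print_history(self, token):
        """Unknown tokens (including another session's) fail closed; known
        ones still pass through the ownership check."""
        number = self._tokens.get(token)
        if number is None:
            raise AccessDenied("unknown reference")
        return print_history_fixed(self.session_user, number)
```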
#2 Updated by Zahir Abd Latif almost 4 years ago
- Status changed from Pending Customer Feedback to Closed - End of life cycle
Issue closed in SCP.