Task #11400

Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation

Pentest_Web_ADMIN (H3) - Lack of Secure Authentication Mechanism

Added by Nurul Athira Abdul Rahim almost 4 years ago. Updated about 3 years ago.

Status: Work Completed-End life cycle
Start date: December 01, 2020
Priority: High
Due date: December 08, 2020
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Pentest
Spent time: 2.00 hours
Target version: -

Description

During the time of assessment, LGMS security team observed that the application did not implement a secure authentication mechanism. An unauthenticated user can directly access sensitive information without logging in to the application.

Given solution:
The application shall authenticate users before allowing them to access sensitive information within the application. If the request is made by an unauthenticated user, the application shall reject the request and require the user to log in first prior to granting access. Note that the authentication mechanism shall be implemented on every web service access so that the authenticity of each access is verified.
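The remediation above, as an added example that is not part of this ticket or the IBAM application's code: a report download handler that resolves the session cookie to a user on every request and rejects unauthenticated calls before any file bytes are read, followed by a replay of the ticket's test case (download link pasted into a new tab of the same browser, then into a different browser). The session store, the SESSIONID cookie name, the paths and the report ids are all assumed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-ins for the application's session store and report files.
SESSIONS: Dict[str, str] = {}  # session id -> user id
REPORTS = {"cbe-report-1": b"%PDF-1.4 constructed report bytes"}

@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: bytes = b""

def login(user_id: str) -> str:
    """Create a server-side session after a successful credential check (not shown)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid

def current_user(req: Request) -> Optional[str]:
    """Map the session cookie to a user; None when the cookie is missing or unknown."""
    return SESSIONS.get(req.cookies.get("SESSIONID", ""))

def download_report(req: Request, report_id: str) -> Response:
    """Serve a report only to an authenticated session; the check runs on every request."""
    if current_user(req) is None:
        return Response(401)  # reject before touching the file, as the remediation requires
    data = REPORTS.get(report_id)
    return Response(200, data) if data is not None else Response(404)

def retest() -> Dict[str, int]:
    """Replay the ticket's test case: link in a new tab vs. link in a different browser."""
    sid = login("admin")
    path = "/ibam/report/download?id=cbe-report-1"  # assumed endpoint
    same_browser = Request(path, {"SESSIONID": sid})  # new tab shares the cookie jar
    other_browser = Request(path)  # fresh browser, no cookie at all
    stale_cookie = Request(path, {"SESSIONID": "expired-or-forged-id"})  # unknown session
    return {
        "same_browser_tab": download_report(same_browser, "cbe-report-1").status,
        "different_browser": download_report(other_browser, "cbe-report-1").status,
        "unknown_session": download_report(stale_cookie, "cbe-report-1").status,
    }
```

The same-browser case succeeds because the new tab carries the existing session cookie, which is the behaviour recorded in the retest result below; only the cookie-less and unknown-session requests are refused.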

sc2.png (12 KB) Najmi Pasarudin, December 03, 2020 14:10

H3 - 1.jpg (784 KB) Nurul Athira Abdul Rahim, December 04, 2020 17:59

H3 - 2.jpg (407 KB) Nurul Athira Abdul Rahim, December 04, 2020 17:59

H3 - 3.jpg (543 KB) Nurul Athira Abdul Rahim, December 04, 2020 17:59

BBE report 1.jpg (789 KB) Nurul Athira Abdul Rahim, December 10, 2020 11:04

BBE report 2.jpg (306 KB) Nurul Athira Abdul Rahim, December 10, 2020 11:04

CBE report 1.jpg (663 KB) Nurul Athira Abdul Rahim, December 10, 2020 11:04

CBE report 2.jpg (269 KB) Nurul Athira Abdul Rahim, December 10, 2020 11:04

History

#1 Updated by Najmi Pasarudin almost 4 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress
  • % Done changed from 0 to 90

#2 Updated by Najmi Pasarudin almost 4 years ago

Solution:
Add login validation

#3 Updated by Najmi Pasarudin almost 4 years ago

  • Status changed from Development / Work In Progress to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

Test case:
1. Access IBAM > CBE > BSNeBiz Report
2. Get URL from download button
3. Copy URL to new browser tab
4. Expected result: cannot download file from new tab

#4 Updated by Nurul Athira Abdul Rahim almost 4 years ago

  • File H3 - 1.jpg added
  • File H3 - 2.jpg added
  • File H3 - 3.jpg added
  • Due date set to December 08, 2020
  • Status changed from Internal Testing to Development / Work In Progress
  • Assignee changed from Nurul Athira Abdul Rahim to Ngoh Chee Ping

Hi Chee Ping, kindly check on this issue.

Testing scenario:
1. Access IBAM > Report
2. Select one report and copy the link.
3. Open a new tab
4. Paste the link and search

Result: System allows downloading the report.
Expected: Cannot download report.

I have shared the Pentest Finding document by email, kindly refer to Admin-High issue no. 3.

#5 Updated by Ngoh Chee Ping almost 4 years ago

  • Assignee changed from Ngoh Chee Ping to Nurul Hasnieza Bt Mohd Zamri

Fixed, please pull ibam and help to deploy to SIT for internal testing.

#6 Updated by Nurul Hasnieza Bt Mohd Zamri almost 4 years ago

  • Status changed from Development / Work In Progress to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim

Done SIT deployment. Kindly retest.

#7 Updated by Nurul Athira Abdul Rahim almost 4 years ago

Tested and passed.

Result:
1. User able to download report in the same browser, because the session is shared (tab and window).
2. User unable to download report in a different browser. (success)

#8 Updated by Nurul Athira Abdul Rahim over 3 years ago

  • Status changed from Work Completed-End life cycle to System Integration Test

#9 Updated by Nurul Athira Abdul Rahim about 3 years ago

  • Status changed from System Integration Test to Work Completed-End life cycle

Pending 2nd scanning report
