Task #11401

Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation

Pentest_Web_ADMIN (M2) - Insecure Direct Object Reference (IDOR)

Added by Nurul Athira Abdul Rahim almost 4 years ago. Updated about 3 years ago.

Status: Work Completed-End life cycle
Start date: December 01, 2020
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Pentest
Spent time: -
Target version: -

Description

Insecure direct object reference (IDOR) occurs when an application exposes a direct reference to an internal object (a database key, a filename) and uses that user-supplied value to retrieve the object without performing sufficient authorization checks. An attacker who modifies the parameter value can therefore bypass authorization and access resources directly, such as database entries belonging to other users or files on the system.

Solution given:
Preventing insecure direct object references requires selecting an approach for protecting each user-accessible object (e.g., object number, filename):

1. Use per-user or per-session indirect object references. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource's database key, a drop-down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server.

2. Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
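As an added illustration of the two approaches above (not code from this ticket or from the IBAM application, whose .do endpoints are Java; the Python, the sample policy records, ids and user names are all constructed), a per-session indirect-reference map for the drop-down case and an ownership check on every direct key, each returning the descriptive authorization message the retest in this ticket asks for rather than a generic page error:

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: password-policy records keyed by database id,
# each owned by one user. Ids and owners are invented for this example.
POLICIES = {
    101: {"owner": "alice", "name": "Retail default"},
    102: {"owner": "alice", "name": "Retail strict"},
    205: {"owner": "bob",   "name": "Corporate"},
}

class AuthorizationError(Exception):
    """Carries a user-facing message instead of a generic page error."""

@dataclass
class Session:
    user: str
    # Approach 1: per-session map of opaque token -> real database key.
    ref_map: dict = field(default_factory=dict)

def list_policies(session: Session) -> dict:
    """Build the drop-down for this user as {indirect_ref: name}.
    The real database key never leaves the server."""
    session.ref_map.clear()
    out = {}
    for key, rec in POLICIES.items():
        if rec["owner"] == session.user:
            ref = secrets.token_urlsafe(8)   # unguessable, per-session token
            session.ref_map[ref] = key
            out[ref] = rec["name"]
    return out

def load_by_indirect_ref(session: Session, ref: str) -> dict:
    """Resolve a client-supplied indirect reference. A tampered or unknown
    token maps to nothing, so it cannot reach another user's record."""
    key = session.ref_map.get(ref)
    if key is None:
        raise AuthorizationError("Unable to access other user password policy")
    return POLICIES[key]

def load_by_direct_key(session: Session, key: int) -> dict:
    """Approach 2: the direct key is still accepted from the client, but every
    use is paired with an ownership check against the current user."""
    rec = POLICIES.get(key)
    if rec is None or rec["owner"] != session.user:
        raise AuthorizationError("Unable to access other user password policy")
    return rec
```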

PentestM2_Issue 1.jpg (54.2 KB) Erni Suhaireen Zulkifli, March 03, 2021 16:46

PentestM2_Issue 2,3.jpg (306 KB) Erni Suhaireen Zulkifli, March 03, 2021 16:46

PentestM2_Issue 1 fixed.jpg (98.3 KB) Erni Suhaireen Zulkifli, March 09, 2021 16:44

PentestM2_Issue 2,3 fixed.jpg (64.4 KB) Erni Suhaireen Zulkifli, March 09, 2021 16:44

History

#1 Updated by Nurul Athira Abdul Rahim almost 4 years ago

  • Description updated (diff)
  • % Done changed from 40 to 0

#2 Updated by Najmi Pasarudin almost 4 years ago

  • Assignee changed from Najmi Pasarudin to Nurul Hasnieza Bt Mohd Zamri

#3 Updated by Ngoh Chee Ping over 3 years ago

  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Lai Wen Hong

#4 Updated by Lai Wen Hong over 3 years ago

  • % Done changed from 0 to 100

#5 Updated by Lai Wen Hong over 3 years ago

  • Status changed from New - Begin Life Cycle to Code Review
  • Assignee changed from Lai Wen Hong to Najmi Pasarudin

#6 Updated by Ngoh Chee Ping over 3 years ago

  • Status changed from Code Review to Development / Work In Progress
  • Assignee changed from Najmi Pasarudin to Lai Wen Hong
  • % Done changed from 100 to 50

After reviewing the code, found something not right. Please fix it and assign back to me later.

#7 Updated by Lai Wen Hong over 3 years ago

  • Status changed from Development / Work In Progress to Code Review
  • Assignee changed from Lai Wen Hong to Ngoh Chee Ping
  • % Done changed from 50 to 100

#8 Updated by Ngoh Chee Ping over 3 years ago

  • Assignee changed from Ngoh Chee Ping to Lai Wen Hong
  • % Done changed from 100 to 80

Checked the code, still something not right. Already told you on WhatsApp, please update accordingly.

#9 Updated by Lai Wen Hong over 3 years ago

  • Assignee changed from Lai Wen Hong to Ngoh Chee Ping
  • % Done changed from 80 to 100

#10 Updated by Ngoh Chee Ping over 3 years ago

  • Status changed from Code Review to Pending SIT Deployment
  • Assignee changed from Ngoh Chee Ping to Nurul Hasnieza Bt Mohd Zamri

Checked, no issue. Please help to deploy for internal testing.

#11 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from Pending SIT Deployment to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim

Done SIT deployment. Kindly retest.

#12 Updated by Erni Suhaireen Zulkifli over 3 years ago

All issues have been tested and passed. However, please help to display a meaningful error instead of "error while performing your request".

Issue:
1. LGMS security team changed the number in the parameter "key" and was able to view and edit some other password policy which is not selectable from the user interface.
Test Step:
1. Login IBAM > BBE > Password Policy
2. F12 > Change upassMaintenanceConfirm.do?key="value"
3. Current Result: System displays page "error while performing your request"
Expected Result: Should display meaningful error (e.g. Unable to access other user password policy)

Issue:
2. The module "Sent Item Notification" is also vulnerable to IDOR and an attacker is able to view messages sent to other recipients.
3. The parameter mailId is changed from 288 to 1.
Test Step:
1. Login IBAM > Message Box
2. Go to Send Item Notification
3. F12 at the selected send item subject and change mailIndex="value" to 0 or any value larger than the total send items the user has in his/her send item
4. Current Result: System displays page "error while performing your request"
Expected Result: Should display meaningful error (e.g. Unable to access other user send item details)

#13 Updated by Lai Wen Hong over 3 years ago

  • Status changed from Development / Work In Progress to Pending SIT Deployment
  • Assignee changed from Lai Wen Hong to Erni Suhaireen Zulkifli

"Displaying meaningful error instead of error while performing user's request" has been done.
Please help to retest after deployment by Najmi or Hasnieza.

#14 Updated by Erni Suhaireen Zulkifli over 3 years ago

  • Assignee changed from Erni Suhaireen Zulkifli to Nurul Hasnieza Bt Mohd Zamri

Please help to deploy these fixes and get back to me for testing.

#15 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from Pending SIT Deployment to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Erni Suhaireen Zulkifli

Hi Erni,
Done deployment at SIT. Kindly retest.

#16 Updated by Erni Suhaireen Zulkifli over 3 years ago

Tested and passed.

#17 Updated by Nurul Athira Abdul Rahim about 3 years ago

  • Status changed from System Integration Test to Work Completed-End life cycle

Updated from JTM:
1st assessment pentest expired.
Pending for 2nd scanning report.
