Task #11404

Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation

Pentest_Web_ADMIN (L10) - Missing Function Level Access Control (MFLAC)

Added by Nurul Athira Abdul Rahim almost 4 years ago. Updated about 3 years ago.

Status: Work Completed-End life cycle
Start date: December 01, 2020
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Pentest
Spent time: 1.00 hour
Target version: -

Description

The web application does not protect its functions properly. In some cases, function-level protection is managed via configuration, and the system is misconfigured. In others, developers must include the proper code checks, but may overlook them.

When an attacker claims a given identity, the application does not prove, or insufficiently proves, that the identity is correct. Such flaws allow attackers to access unauthorized functionality. Administrative functions are usually key targets for this type of attack.

Solution given:

Verify function-level access rights for all requested actions by any user, on the server side, for every request. If the function is part of a workflow, also check that the workflow conditions are in the proper state (the maker and the approver shall not be the same user) before allowing approval.
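The following is an added illustration of the remediation described above, not code from the BSN admin application: a self-contained Java sketch of an action handler that checks the caller's permission on every entry point and, for the approval workflow, refuses to let the maker approve their own submission. The class, permission and user names are assumptions chosen for the example.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Permissions an admin role may hold. Names are illustrative, not the project's. */
enum Permission { GENERATE_PIN, VIEW_PENDING, APPROVE }

/** Minimal authenticated session: user id plus the permissions granted to that user. */
final class AdminSession {
    final String userId;
    final Set<Permission> permissions;
    AdminSession(String userId, Set<Permission> permissions) {
        this.userId = userId;
        this.permissions = permissions;
    }
}

/** A pending transaction awaiting approval, recording who created it (the maker). */
final class PendingTransaction {
    final String id;
    final String makerId;
    boolean approved;
    PendingTransaction(String id, String makerId) { this.id = id; this.makerId = makerId; }
}

/** Thrown when a function-level check fails; the caller maps it to the standard error page. */
final class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
}

/**
 * Stand-in for the server-side action class. Every entry point performs its own
 * permission check instead of trusting that the menu hid the link from the user.
 */
final class ApprovalAction {
    private final Map<String, PendingTransaction> store = new HashMap<>();

    /** Submit (make) a transaction: needs VIEW_PENDING. */
    void submit(AdminSession session, PendingTransaction txn) {
        require(session, Permission.VIEW_PENDING);
        store.put(txn.id, txn);
    }

    /** Approve a transaction: needs APPROVE and enforces maker != approver. */
    PendingTransaction approve(AdminSession session, String txnId) {
        require(session, Permission.APPROVE);
        PendingTransaction txn = store.get(txnId);
        if (txn == null) throw new IllegalArgumentException("unknown transaction " + txnId);
        // Workflow-state check from the remediation note: the maker may not approve own item.
        if (txn.makerId.equals(session.userId)) {
            throw new AccessDeniedException("maker and approver must differ for " + txnId);
        }
        if (txn.approved) throw new IllegalStateException(txnId + " already approved");
        txn.approved = true;
        return txn;
    }

    /** Central check: a missing session or missing permission is always a denial. */
    private static void require(AdminSession session, Permission p) {
        if (session == null || !session.permissions.contains(p)) {
            throw new AccessDeniedException("missing permission " + p);
        }
    }
}

public class MflacDemo {
    public static void main(String[] args) {
        ApprovalAction action = new ApprovalAction();
        // Constructed sample users for the demonstration.
        AdminSession maker = new AdminSession("maker01",
                EnumSet.of(Permission.VIEW_PENDING, Permission.APPROVE));
        AdminSession checker = new AdminSession("checker01", EnumSet.of(Permission.APPROVE));
        AdminSession viewer = new AdminSession("viewer01", EnumSet.of(Permission.VIEW_PENDING));

        action.submit(maker, new PendingTransaction("TXN-1", "maker01"));

        // 1. A direct request to the approval function without APPROVE is rejected.
        try { action.approve(viewer, "TXN-1"); }
        catch (AccessDeniedException e) { System.out.println("viewer: " + e.getMessage()); }

        // 2. The maker holds APPROVE but may not approve their own submission.
        try { action.approve(maker, "TXN-1"); }
        catch (AccessDeniedException e) { System.out.println("maker: " + e.getMessage()); }

        // 3. An independent checker approves successfully.
        System.out.println("checker approved: " + action.approve(checker, "TXN-1").approved);
    }
}
```

Compile and run with `javac MflacDemo.java && java MflacDemo`. The point of the design is that the check lives in the action handler that serves the request, so a user who reaches a module URL directly (for example by pasting the link into the browser) meets the same denial as one who has no menu entry for it, and the denial is a consistent error rather than an unexplained logout.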

WhatsApp Image 2021-01-21 at 2.45.51 PM.jpeg (57.9 KB) Erni Suhaireen Zulkifli, January 21, 2021 15:03

History

#1 Updated by Najmi Pasarudin almost 4 years ago

  • Assignee changed from Najmi Pasarudin to Nurul Hasnieza Bt Mohd Zamri

#2 Updated by Ngoh Chee Ping almost 4 years ago

  • Status changed from New - Begin Life Cycle to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim
  • % Done changed from 0 to 100

Fixed. Please test it after Hasnieza deploys it to the server.

Root Cause: No permission checking in action class
Solution: Add permission checking in action class.

#3 Updated by Nurul Athira Abdul Rahim almost 4 years ago

  • % Done changed from 100 to 10

#4 Updated by Nurul Athira Abdul Rahim over 3 years ago

  • Assignee changed from Nurul Athira Abdul Rahim to Erni Suhaireen Zulkifli

#5 Updated by Erni Suhaireen Zulkifli over 3 years ago

Hi Hasnieza,

This issue has been tested and passed for the Message box.
The error (as per the attached file) should be displayed for all modules.
Currently, the system displays a logout when a user attempts to paste a module link using the F12 function in the browser.

#6 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from Development / Work In Progress to Finished Development
  • % Done changed from 10 to 80

#7 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from Finished Development to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Erni Suhaireen Zulkifli

Hi Erni,
SIT deployment is done. Kindly retest.

#8 Updated by Erni Suhaireen Zulkifli over 3 years ago

  • Status changed from Internal Testing to Development / Work In Progress
  • Assignee changed from Erni Suhaireen Zulkifli to Nurul Hasnieza Bt Mohd Zamri
  • % Done changed from 80 to 90

Hi Hasnieza,

The system displays an invalid error for the modules below:
1. Generate Pin
2. Pending
3. Approval
4. Mobile BSNeBiz
5. Mobile Version

Please deploy the fixes and get back to me for a retest.

TQ

#9 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from Development / Work In Progress to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Erni Suhaireen Zulkifli

Erni,
Deployment at SIT is done. Kindly retest.

#10 Updated by Erni Suhaireen Zulkifli over 3 years ago

  • Status changed from Internal Testing to Development / Work In Progress
  • Assignee changed from Erni Suhaireen Zulkifli to Nurul Hasnieza Bt Mohd Zamri
  • % Done changed from 90 to 80

Hi Hasnieza,

All issues raised have been tested and passed.

The exception is the Approval module, which was tested and failed on the web using the pointing (https://10.10.95.121/bsn-admin-sit/common/Login.do). However, this module successfully displays a valid error when tested on the app using the pointing (http://10.10.10.95:9080/bsn-admin-sit/common/Login.do).

Kindly investigate and deploy the fixes so I can proceed with testing on the web (121).

#11 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from Development / Work In Progress to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Erni Suhaireen Zulkifli

Finding: currently Approval shares the same JSP file with Pending.
Solution: separate them into JSP files with the same contents.

Hi Erni, kindly retest.

#12 Updated by Erni Suhaireen Zulkifli over 3 years ago

  • Status changed from Internal Testing to System Integration Test
  • Assignee changed from Erni Suhaireen Zulkifli to Nurul Athira Abdul Rahim
  • % Done changed from 80 to 100

Tested and passed

#13 Updated by Nurul Athira Abdul Rahim about 3 years ago

  • Status changed from System Integration Test to Work Completed-End life cycle

Updated from JTM:
The 1st assessment pentest has expired.
Pending the 2nd scanning report.
