Task #12577

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_CDB - Insecure Direct Object Reference (IDOR) [MED]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated 7 months ago.

Status: Closed - End of life cycle
Start date: November 08, 2021
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

Insecure direct object reference occurs when an application provides direct access to objects based on user-supplied input. Because the application takes that input and uses it to retrieve an object without performing sufficient authorization checks, an attacker can bypass authorization and access resources directly by modifying the value of the parameter that points to the object. Such resources can be database records belonging to other users, files in the system, and more.

Solution provided by LGMS :

Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):

1. Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource’s database key, a drop down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server.

2. Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
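The two recommendations above, worked through on a model of the account-details endpoint listed in this issue. This is an added example written for this page, not code from the BSN CDB application or from LGMS; the Python handler functions, the Session object and the account data are all constructed assumptions. The first handler reproduces the flaw (it trusts accountNo as supplied), the second applies recommendation 2 (an ownership check on every direct reference), and the last two apply recommendation 1 (per-session indirect references, using the small sequential numbers the text describes, resolved back to the real account number on the server).

```python
"""IDOR mitigation example (added illustration; not the application's code).

A request carries an accountNo parameter and the session identifies the
logged-in customer.  Everything below (account numbers, customer ids,
balances) is constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample data: account number -> (owner customer id, balance)
ACCOUNTS = {
    "1110022233344": ("cust-001", 1250.75),
    "1110055566677": ("cust-001", 80.00),
    "2220099988877": ("cust-002", 9999.99),
}


class Forbidden(Exception):
    """Raised when the session may not reach the requested object."""


class NotFound(Exception):
    """Raised by the vulnerable handler for an unknown account number."""


@dataclass
class Session:
    customer_id: str
    # Recommendation 1: per-session map of indirect reference -> real account number
    ref_map: dict = field(default_factory=dict)


def vulnerable_account_info(session: Session, account_no: str) -> dict:
    """The flaw: accountNo is used as-is, so any logged-in user can read any account."""
    if account_no not in ACCOUNTS:
        raise NotFound(account_no)
    _owner, balance = ACCOUNTS[account_no]
    return {"accountNo": account_no, "balance": balance}


def account_info_with_access_check(session: Session, account_no: str) -> dict:
    """Recommendation 2: authorize every direct reference against the session owner.

    Unknown and foreign accounts get the same generic refusal, so the response
    does not reveal which account numbers exist.
    """
    record = ACCOUNTS.get(account_no)
    if record is None or record[0] != session.customer_id:
        raise Forbidden("account not accessible")
    return {"accountNo": account_no, "balance": record[1]}


def list_accounts_indirect(session: Session) -> list:
    """Recommendation 1: hand the client small per-session numbers, never account numbers."""
    session.ref_map.clear()
    refs = []
    for account_no, (owner, _balance) in ACCOUNTS.items():
        if owner == session.customer_id:
            ref = str(len(refs) + 1)          # "1", "2", ... as in the text's drop-down example
            session.ref_map[ref] = account_no
            refs.append(ref)
    return refs


def account_info_indirect(session: Session, ref: str) -> dict:
    """Resolve the indirect reference server-side; a reference not issued to this
    session maps to nothing, so it cannot reach another customer's account."""
    account_no = session.ref_map.get(ref)
    if account_no is None:
        raise Forbidden("unknown reference")
    # Defence in depth: still run the ownership check on the resolved number.
    return account_info_with_access_check(session, account_no)


def is_denied(handler, *args) -> bool:
    """Helper for retest-style checks: True when the handler refuses the request."""
    try:
        handler(*args)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    other = Session("cust-002")
    # Vulnerable handler: cust-002 reads cust-001's account.
    print(vulnerable_account_info(other, "1110022233344"))
    # Hardened handlers: the same request is refused.
    print(is_denied(account_info_with_access_check, other, "1110022233344"))
    mine = Session("cust-001")
    print(list_accounts_indirect(mine), account_info_indirect(mine, "2"))
```

The retest described later in this issue (substituting another or an invalid account number and expecting an error) corresponds to is_denied returning True for account_info_with_access_check; the vulnerable handler is the one a retest should never observe again.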

Affected Modules and URL:

[Account Details]
[GET]
https://10.10.55.34:9444/bsn-cdb-uat/ib102_ibAccountInfo?accountNo=[accountnumber]&accountType=41&accountBranch=&nId=[nid]&struts.token.name=token&token=[token]

[Balance Inquiry]
[GET]
https://10.10.55.34:9444/bsn-cdb-uat/ib102_ibBalanceSummary?date=today&accountType=41&accountNo=[accountnumber]&accountBranch=&quicklink=history&nId=[nid]&struts.token.name=token&token=[token]

[BSNeBiz History]
[GET]
https://10.10.55.34:9444/bsn-cdb-uat/ib102_ibOnlineHistory?date=today&accountType=41&accountNo=[accountnumber]&accountBranch=&quicklink=inetHistory&nId=[nid]&struts.token.name=token&token=[token]
[POST]
https://10.10.55.34:9444/bsn-cdb-uat/ib102_ibOnlineHistory.action
Parameter: accountNo

2021 BSN CDB Front End Portal Web Application Penetration Test Quick Results-v1.0.xlsx (4.57 MB) Nurul Athira Abdul Rahim, November 08, 2021 17:19

accNo Original.JPG (29 KB) Nurul Hasnieza Bt Mohd Zamri, December 17, 2021 15:11

Invalid accNo.JPG (28 KB) Nurul Hasnieza Bt Mohd Zamri, December 17, 2021 15:11

Error Message.JPG (85.4 KB) Nurul Hasnieza Bt Mohd Zamri, December 17, 2021 15:11

History

#1 Updated by Nurul Hasnieza Bt Mohd Zamri almost 3 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

#2 Updated by Nurul Hasnieza Bt Mohd Zamri almost 3 years ago

  • Status changed from Development / Work In Progress to Finished Development
  • % Done changed from 0 to 80

Added a validation check comparing the inserted account number with the user's own account number.

#3 Updated by Nurul Hasnieza Bt Mohd Zamri almost 3 years ago

  • Status changed from Finished Development to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim

SIT has been deployed. Kindly retest.

Replacing the URL accountNo parameter with an invalid account number will prompt an invalid account number error message.

#4 Updated by Nurul Athira Abdul Rahim almost 3 years ago

  • Status changed from Internal Testing to System Integration Test
  • % Done changed from 80 to 90

SIT to verify

#6 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from System Integration Test to Pending Prod Deployment
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

#7 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from Pending Prod Deployment to Development / Work In Progress

Solved
bootstrap 4.1.1

Not Solved
ckeditor 4.16.0
iText 2.1.7
JasperReports 6.6.0

Kindly review the fixes, as the new pentest (March,9,20202) result status stated "not solved".

#8 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to System Integration Test
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

LGMS marked as solved

#9 Updated by Nurul Athira Abdul Rahim 7 months ago

  • % Done changed from 90 to 100

Closed for this; refer to the new 2023/2024 pentest report.

#10 Updated by Nurul Athira Abdul Rahim 7 months ago

  • Status changed from System Integration Test to Closed - End of life cycle
