Bug #12617

[BIF-45172] Restrictions on what authenticated users are allowed to do are often not properly enforced

Added by Siti Norahayu Mohd Desa almost 3 years ago. Updated almost 3 years ago.

Status: Work Completed-End life cycle
Start date: November 23, 2021
Priority: Normal
Due date: November 23, 2021
Assignee: Siti Norahayu Mohd Desa
% Done: 100%
Category: -
Spent time: -
Target version: -

Description

A5:2017-Broken Access Control: Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.

1. Perform a scan to identify every input that can be defined by the user. Here an input may be a query parameter in the URL or a textbox displayed on an application page. Tools that can be used for the scan are Zed Attack Proxy (ZAP), Burp Suite, and others.

2. Try entering script as data, for example:
i. "><script>alert(document.cookie)</script>
ii. <script>alert(document.cookie)</script>

Recommendation:
Ensure that script entered by the user is not executed by the application.

BIF-45172(1).jpg (23 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54

BIF-45172(2).jpg (220 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54

BIF-45172(3).jpg (54.6 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54

BIF-45172(4).jpg (114 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54

BIF-45172(5).jpg (199 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54

BIF-45172(6).jpg (185 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54

BIF-45172(7).jpg (225 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54

BIF-45172(8).jpg (176 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54

BIF-45172(9).jpg (195 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54

BIF-45172(10).jpg (187 KB) Siti Norahayu Mohd Desa , November 23, 2021 11:54
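The recommendation in the description, that user-entered script must not be executed, is a matter of where and how the input is written back into the page. The following is an added example, not code from the ticket or from the application under test: a hypothetical vulnerable renderer beside a hardened one, exercised with the two payloads listed in step 2. The page template, field names and the `would_execute` oracle are assumptions made for the example; payload i. is the one that breaks out of an attribute value, payload ii. the one that lands in element text.

```python
import html

# The two payloads from the test procedure above, as constructed inputs.
PAYLOADS = (
    '"><script>alert(document.cookie)</script>',
    '<script>alert(document.cookie)</script>',
)


def render_unsafe(username: str) -> str:
    """Hypothetical vulnerable page: user input spliced into HTML verbatim.
    Payload i. closes the value="..." attribute, payload ii. lands in text."""
    return (f'<input type="text" name="user" value="{username}">\n'
            f'<p>Create user: {username}</p>')


def render_safe(username: str) -> str:
    """Hardened page: HTML-encode before placing input in attribute or text.
    html.escape(quote=True) encodes & < > " ' so neither context is broken."""
    enc = html.escape(username, quote=True)
    return (f'<input type="text" name="user" value="{enc}">\n'
            f'<p>Create user: {enc}</p>')


def would_execute(page: str) -> bool:
    """Crude oracle for this example: a literal <script start tag in the
    served HTML means the browser would run the injected code."""
    return "<script" in page.lower()


def verify(payloads=PAYLOADS) -> dict:
    """For each payload, report (unsafe_executes, safe_executes)."""
    return {p: (would_execute(render_unsafe(p)), would_execute(render_safe(p)))
            for p in payloads}
```

`verify()` returns `(True, False)` for both payloads: the unescaped template executes either one, the encoded template executes neither. The encoding has to match the output context; `html.escape` covers HTML text and quoted attribute values, but input placed inside a `<script>` block or a URL needs a different encoder.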

History

#1 Updated by Ngoh Chee Ping almost 3 years ago

  • Status changed from New - Begin Life Cycle to Pending Customer Feedback
  • Assignee changed from Ngoh Chee Ping to Siti Norahayu Mohd Desa

Based on what I checked, the user used to log in has the create-user access, so even after changing the action URL to create user confirm and then create user result, it is of course able to perform the creation. What the JavaScript did was only skip the steps of clicking on the screen. It is the same as clicking the button on the screen to perform the creation.

Therefore, this should not be an issue.
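The reply above turns on one point: authorization for the create-user action is decided on the server for each request, so skipping the form and confirm screens with a user who already holds the permission proves nothing. The test that would expose a real access-control flaw is the same direct request from a user who lacks the permission. The following is an added example, not the application's code: a hypothetical three-step flow with the action names `create_user`, `create_user_confirm` and `create_user_result`, a `Session` carrying a permission set, and a constructed user store, all assumptions made for the illustration. It replays the step-skipping request as a privileged and an unprivileged user.

```python
from dataclasses import dataclass

# Hypothetical session and user store standing in for the application's own;
# none of this is the application's code.
@dataclass(frozen=True)
class Session:
    username: str
    permissions: frozenset


class Forbidden(Exception):
    """Server-side authorization failure, reported as HTTP 403."""


# The three action URLs the reporter stepped through by editing the form's
# action attribute (names assumed). All three run the same permission check.
FLOW = ("create_user", "create_user_confirm", "create_user_result")


def require(session: Session, permission: str) -> None:
    if permission not in session.permissions:
        raise Forbidden(f"{session.username} lacks {permission}")


def handle(session: Session, action: str, form: dict, users: set) -> dict:
    """Dispatch one request. The decision is made here, on the server, for
    every request; which buttons the previous screen showed is irrelevant."""
    if action not in FLOW:
        return {"status": 404}
    require(session, "create_user")  # identical check at every step
    if action == "create_user":
        return {"status": 200, "next": "create_user_confirm"}
    if action == "create_user_confirm":
        return {"status": 200, "next": "create_user_result", "preview": form["user"]}
    # create_user_result is the only step with a side effect.
    if form["user"] in users:
        return {"status": 409}
    users.add(form["user"])
    return {"status": 201, "created": form["user"]}


def request(session: Session, action: str, form: dict, users: set) -> int:
    """Return the HTTP-style status a client would see for one request."""
    try:
        return handle(session, action, form, users)["status"]
    except Forbidden:
        return 403


def demo() -> dict:
    """Replay the reporter's step-skipping request as two different users."""
    admin = Session("admin", frozenset({"create_user"}))
    viewer = Session("viewer", frozenset({"view_user"}))
    users = {"alice", "bob"}  # constructed user store
    return {
        # The reporter's case: a user who holds create_user posts straight to
        # the result step. 201, as the developer notes, because the permission
        # authorizes the action regardless of how the request was produced.
        "admin_skips_to_result": request(admin, "create_user_result", {"user": "carol"}, users),
        # The check that would show a real access-control flaw: the same direct
        # request from a user without the permission must be refused.
        "viewer_skips_to_result": request(viewer, "create_user_result", {"user": "dave"}, users),
        # The unprivileged user is refused at the first step too, not only the last.
        "viewer_first_step": request(viewer, "create_user", {}, users),
        "users_after": sorted(users),
    }
```

`demo()` returns 201 for the admin's direct request, 403 for both of the viewer's, and a user store containing only the admin's creation. When retesting a finding like this one, keep the request bytes fixed and vary only the session: a 403 on the direct request from the low-privilege session confirms the server-side check, a 201 is the report.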

#2 Updated by Siti Norahayu Mohd Desa almost 3 years ago

Send for user verification.

#3 Updated by Siti Norahayu Mohd Desa almost 3 years ago

  • Status changed from Pending Customer Feedback to Work Completed-End life cycle
  • % Done changed from 0 to 100

Issue has been closed by Pandu on 26 Nov 2021
