OUPMATH / OxfrodMaths_Prod


17. XML Files exposure #67

Open mayank2k2 opened 7 years ago

mayank2k2 commented 7 years ago

As a result of testing the OWASP Top 10 flaws on the URL http://www.uat.oxfordmaths.co.in today, the application was found to be certainly vulnerable to the following security issues, details of which can be seen below:

Security Testing focal points

1) While doing scanning/spidering of the application, some of the XML files with no encoding techniques used were found on the server, and one of them exposes sensitive information and can be accessed without proper authorization and authentication, so this leads to a sensitive data exposure vulnerability. PFB the screenshot for reference and the steps to reproduce.

[Two screenshots were attached to the original issue; they are not reproduced here.]

Steps to reproduce:

1) Open Burp Suite and start the spider on the Staging URL with the OUP admin credential (it can be done using any proxy tool)
2) It provides us the directory listing structure
3) Copy the URL of the XML file from its request, which is http://www.uat.oxfordmaths.co.in/xmlcontent/3/Chapter04/Primary_CC_Grade_03_Chapter_04_Multiplying_by_7_8_and_9_Homework/content.xml
4) Open the URL in a browser, add the directory path and hit the URL
5) Observe
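The finding above comes down to two controls that the staging host is missing for the /xmlcontent/ tree: content files are served without a valid session, and directory listings are enabled. The script below is an added regression check, not code from the OxfrodMaths project: it stands up a hypothetical local server that enforces both controls (a constructed session cookie, listing disabled) and then probes it the way the ticket's steps 3 and 4 do, so that the expected outcome of a fix (401 without a session, 403 for a listing, 200 only for an authenticated file request) can be asserted automatically. The file path, cookie value and server are all constructed for the example.

```python
"""
Regression check for the exposure reported in this ticket: files under
/xmlcontent/ and directory listings must not be reachable without a valid
session. The server, cookie and file contents below are constructed for
the example and are not the project's own code.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CONTENT_PREFIX = "/xmlcontent/"
VALID_SESSION = "session=demo-token-constructed"  # constructed sample cookie

# Constructed stand-in for the content files the spider enumerated.
FILES = {
    "/xmlcontent/3/Chapter04/content.xml": b"<?xml version='1.0'?><lesson/>",
}


class ContentHandler(BaseHTTPRequestHandler):
    """Hypothetical hardened handler: auth required, no directory index."""

    def log_message(self, *args):
        pass  # keep the example quiet

    def do_GET(self):
        if self.path.startswith(CONTENT_PREFIX):
            # Every request into the content tree needs a valid session.
            if self.headers.get("Cookie") != VALID_SESSION:
                self._reply(401, b"authentication required")
                return
            # Directory requests are refused outright: no autoindex.
            if self.path.endswith("/"):
                self._reply(403, b"directory listing disabled")
                return
        body = FILES.get(self.path)
        if body is None:
            self._reply(404, b"not found")
        else:
            self._reply(200, body, "application/xml")

    def _reply(self, code, body, ctype="text/plain"):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Bind to an ephemeral port on loopback and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), ContentHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_status(base, path, cookie=None):
    """Return the HTTP status for GET base+path, optionally with a cookie."""
    req = urllib.request.Request(base + path)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def run_checks():
    """Probe the four cases a fix must get right; returns {case: status}."""
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    file_path = "/xmlcontent/3/Chapter04/content.xml"
    dir_path = "/xmlcontent/3/Chapter04/"
    try:
        return {
            "anon_file": fetch_status(base, file_path),
            "anon_listing": fetch_status(base, dir_path),
            "auth_file": fetch_status(base, file_path, VALID_SESSION),
            "auth_listing": fetch_status(base, dir_path, VALID_SESSION),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for case, status in run_checks().items():
        print("%-13s %d" % (case, status))
```

To turn this into a check against the real staging host, replace `start_server()` with the staging base URL and a real session cookie obtained through the normal login; the four expected statuses stay the same, and any 200 on the anonymous probes means the exposure is still present.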

VrandaNagar commented 7 years ago

Hi Mayank, could you please let me know the XML in which the encoding technique used was found. Thanks! Vranda

mayank2k2 commented 7 years ago

I didn't get it.

VrandaNagar commented 7 years ago

Hi Mayank, in the ticket it is mentioned that some of the XML files with no encoding techniques used were found on the server, so I wanted the file in which the encoding technique was found as a part of analyzing the security issue.

Thanks! Vranda