OUPMATH / OxfrodMaths_Prod


5. Generating welcome letter for another schools student and teacher using Insecure direct object reference #69

Open mayank2k2 opened 7 years ago

mayank2k2 commented 7 years ago

Security Testing focal points

1) While analyzing some part of the business logic, it was found that if an adversary captured the print welcome letter request through any web proxy tool using an admin account, that request would contain a parameter "userId%5B%5D", which was found to be vulnerable to the Insecure Direct Object Reference vulnerability from the OWASP Top 10 list. It further means an admin can generate the offer letter for students and teachers of other schools, respectively, just by enumerating the user id to a valid value, such as 4753, 4754 etc. Furthermore, an adversary (admin) can also leverage this vulnerability to hijack other users' accounts (teachers and students) with the help of the credentials mentioned on the offer letter. They can be used to log in or change the password of a user (student/teacher) account. However, as per the business logic only OUPadmin has the privilege to view/change/modify data of other schools, which in turn includes the users also (students/admin/teachers). PFB the screencast for reference and steps to reproduce.

Screencast for reference: https://www.screencast.com/t/296Ej9he

Steps to reproduce:

a) Log in through the OUP test school admin account
b) Go to Utilities and search for a student/teacher record
c) Click on print welcome letter and capture that request using Burp
d) Change the value of "userId%5B%5D" to 4753, 4754, 481 or any random value
e) Open the offer letter; it will contain the username of student cognizant, who belongs to cognizant school, and log in to the user account
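The root cause described in this report is that the server trusts the `userId[]` values sent by the browser instead of checking that each requested user belongs to the caller's own school. The block below is an added illustration of the server-side authorization check that closes this class of IDOR; it is not code from the OxfrodMaths_Prod project. The `User` records, school ids, role names (`admin`, `oupadmin`, `student`, `teacher`) and the helper names are all constructed for the example. Rejecting unknown ids with the same error as out-of-school ids also removes the enumeration signal the report relies on.

```python
"""Server-side ownership check for the "print welcome letter" request.

Hypothetical example, not the project's code: the userId[] parameter may
carry several ids, and every one of them must be resolved against the
caller's school before any letter is generated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    school_id: int
    role: str  # "student", "teacher", "admin" or "oupadmin" (assumed role names)


# Constructed sample directory: two schools plus the OUP super-admin (school 0).
USERS = {
    100: User(100, 1, "admin"),
    101: User(101, 1, "student"),
    102: User(102, 1, "teacher"),
    200: User(200, 2, "admin"),
    201: User(201, 2, "student"),
    999: User(999, 0, "oupadmin"),
}


class AuthorizationError(Exception):
    """Raised when the request must be refused as a whole."""


def parse_user_ids(raw_values):
    """Parse the raw userId[] form values; anything that is not an integer is rejected."""
    ids = []
    for raw in raw_values:
        try:
            ids.append(int(raw))
        except (TypeError, ValueError):
            raise AuthorizationError(f"invalid userId value: {raw!r}")
    return ids


def authorize_welcome_letters(caller_id, raw_user_ids, users=USERS):
    """Return the User records the caller may print letters for, or raise.

    Rules (assumed from the report's description of the business logic):
    - only school admins and OUPadmin may print welcome letters;
    - a school admin may only target students/teachers of their own school;
    - OUPadmin may target students/teachers of any school;
    - the request is all-or-nothing: one bad id rejects the whole batch,
      and unknown ids produce the same error as foreign ids so the response
      does not reveal which ids exist.
    """
    caller = users.get(caller_id)
    if caller is None or caller.role not in ("admin", "oupadmin"):
        raise AuthorizationError("only admin accounts may print welcome letters")

    targets = []
    for uid in parse_user_ids(raw_user_ids):
        target = users.get(uid)
        in_scope = target is not None and (
            caller.role == "oupadmin" or target.school_id == caller.school_id
        )
        if not in_scope:
            raise AuthorizationError(f"user {uid} is not accessible to this account")
        if target.role not in ("student", "teacher"):
            raise AuthorizationError(f"user {uid} is not a student or teacher")
        targets.append(target)
    return targets


def is_authorized(caller_id, raw_user_ids, users=USERS):
    """Boolean wrapper so callers (and tests) can check the decision without try/except."""
    try:
        authorize_welcome_letters(caller_id, raw_user_ids, users)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    # Same-school request succeeds; the tampered cross-school request does not.
    print([u.user_id for u in authorize_welcome_letters(100, ["101", "102"])])
    print(is_authorized(100, ["201"]))
```

The decision is made from the session's identity (`caller_id`) and the server's own user directory, never from anything else in the request, which is the property the vulnerable endpoint lacks.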

mayank2k2 commented 7 years ago

Please check with Akshay.