Feature #263

Feature #235: [Security Audit Round 2 ]

[Security Audit Round 2 ] Client side bypass / Improper server side validation

Added by Kalyan Battula 12 months ago. Updated 11 months ago.

Status: Ready for Prod
Priority: High
Assignee: -
Category: -
Target version:
Start date: 01/05/2024
Due date:
% Done: 0%
Estimated time:
Deployed In:
Category:

Description

Client side bypass / Improper server side validation
CWE: CWE-602
Description:
The software is composed of a server that relies on the client to implement a mechanism
that is intended to protect the server.
Affected Path(s):
https://his-user-management-service.satragroup.in/master/user-profile (applicable to the
entire application)
Impact:
When the server relies on protection mechanisms placed on the client side, an attacker
can modify the client-side behavior to bypass the protection mechanisms resulting in
potentially unexpected interactions between the client and server. The consequences will
vary, depending on what the mechanisms are trying to protect.
Evidence/Proof of Concept:
Step 1: Log in to the application with the test1_fd credentials and navigate to Users under the
Masterdata dropdown. Here the Service Entity field is disabled, as shown in the screenshot below.

Step 2: Capture the above request and modify the value as depicted in the screenshot below.
Observe that the resource is created successfully with the modified value.

Recommendation:
Validate all user input on the server side; a field that the UI disables or hides must still be
rejected by the server unless the authenticated user is authorised to set it. Enforce an
allowlist of accepted application URLs and request fields, and implement proper server-side
access control rather than relying on client-side state.
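The pattern the recommendation asks for, as an added example that is not the project's code and not part of the audit finding: the "before" handler persists whatever the client sends, while the "after" handler allowlists the accepted fields and gates the field the UI only disables (service_entity here) on a permission the server checks itself. The endpoint shape, field names, roles and permission strings are assumptions for illustration; the two sample requests are constructed.

```python
"""
Added example (not the project's code): server-side enforcement of a field
that the user interface merely disables on the client. Field names, roles
and permission strings are assumptions for illustration.
"""
from dataclasses import dataclass, field


# Fields every authenticated user may supply when creating a user profile (assumed).
BASE_FIELDS = {"username", "email", "display_name"}

# Fields the UI disables for ordinary users. The server must gate them on a
# permission it checks itself, because the 'disabled' attribute is client-side
# state that an intercepting proxy can undo (assumed names).
PRIVILEGED_FIELDS = {
    "service_entity": "user_profile:assign_service_entity",
    "role": "user_profile:assign_role",
}


@dataclass
class Actor:
    """The authenticated caller, as resolved from the session on the server."""
    username: str
    permissions: set = field(default_factory=set)


class ValidationError(Exception):
    """Raised for a request the server refuses; maps to HTTP 400/403 in a real handler."""


def vulnerable_create_user_profile(actor: Actor, body: dict) -> dict:
    """'Before': persists whatever arrives, trusting the UI to have withheld disabled fields."""
    return dict(body)


def create_user_profile(actor: Actor, body: dict) -> dict:
    """'After': allowlist of accepted fields plus a server-side permission check
    for each privileged field, independent of what the UI rendered."""
    if not isinstance(body, dict):
        raise ValidationError("request body must be a JSON object")

    allowed = BASE_FIELDS | set(PRIVILEGED_FIELDS)
    unknown = set(body) - allowed
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")

    missing = BASE_FIELDS - set(body)
    if missing:
        raise ValidationError(f"missing field(s): {sorted(missing)}")

    for name, value in body.items():
        if not isinstance(value, str) or not value.strip():
            raise ValidationError(f"field '{name}' must be a non-empty string")

    for name, needed in PRIVILEGED_FIELDS.items():
        if name in body and needed not in actor.permissions:
            raise ValidationError(
                f"user '{actor.username}' lacks '{needed}' and may not set '{name}'"
            )

    return dict(body)


# Constructed sample input: the request an ordinary user's browser sends (the
# disabled field is absent) and the same request after it was intercepted and
# the field added by hand, as in the proof of concept.
CLEAN_REQUEST = {"username": "jdoe", "email": "jdoe@example.org", "display_name": "J. Doe"}
TAMPERED_REQUEST = dict(CLEAN_REQUEST, service_entity="SE-001")

ORDINARY_USER = Actor("test1_fd")
ADMIN_USER = Actor("admin", {"user_profile:assign_service_entity", "user_profile:assign_role"})


def outcome(handler, actor: Actor, body: dict) -> str:
    """Summarise a handler's decision as 'created' or 'rejected: <reason>'."""
    try:
        handler(actor, body)
        return "created"
    except ValidationError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_create_user_profile),
                           ("hardened", create_user_profile)):
        print(f"{label:10} clean    -> {outcome(handler, ORDINARY_USER, CLEAN_REQUEST)}")
        print(f"{label:10} tampered -> {outcome(handler, ORDINARY_USER, TAMPERED_REQUEST)}")
        print(f"{label:10} admin    -> {outcome(handler, ADMIN_USER, TAMPERED_REQUEST)}")
```

The hardened handler rejects the tampered request with an error rather than silently dropping the field: a browser that honours the disabled attribute never sends it, so its presence is evidence of tampering that belongs in the application log, and a silent strip would hide it. The same check has to run on every write path (create and update alike), since the finding applies to the entire application.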


Files

clipboard-202405011300-ouaso.png (80.2 KB), Kalyan Battula, 01/05/2024 01:00 PM
clipboard-202405011301-g8kwy.png (76.4 KB), Kalyan Battula, 01/05/2024 01:01 PM
Actions #1

Updated by Sivakanth Kesiraju 12 months ago

  • Target version set to Security Audit
Actions #2

Updated by Harish Beechani 11 months ago

  • Status changed from New to Resolved
Actions #3

Updated by Harish Beechani 11 months ago

  • Status changed from Resolved to Ready for Prod