Bug #68 (closed), parent issue: Feature #65: Security Audit
[Security Audit ] 3-Broken Access Control
Done: 0%
Description
Broken Access Control
CWE: CWE-425
Description:
The application allows an unauthenticated user to access the pages that should be
accessible to the administrator only. This happens due to the improper implementation
of access controls set by the application.
Affected Path(s):
https://earogya.satragroup.in/change-password (applicable to the entire application)
Impact:
Attackers acting as users or administrators, or users invoking privileged functions, have the
ability to create, access, update or delete every record.
Recommendation:
The default should always be denial.
Everyone should be denied access to everything, and then every specific role can
be explicitly granted access for each function needed.
Log failed attempts to access features to make sure everything is configured correctly.
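The following is an added illustration of the recommendation above, not code from the audited application: a deny-by-default, role-based authorization check in which each route explicitly lists the roles allowed to reach it, anything unlisted is refused, and every refusal is logged so that a misconfigured route shows up in the logs rather than as an exposed page. The weaker allow-by-default pattern is shown beside it for contrast. Route paths, role names and the Request type are constructed for the example.

```python
# Added example (not the audited application's code): deny-by-default
# role-based access control with logging of refused requests.
# Route paths and role names below are constructed for illustration.
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("access-control")

# Allow-list: each route names the roles that may reach it. A route that is
# not listed has no permitted role and is therefore refused to everyone.
ROUTE_ROLES = {
    "/login":           frozenset({"anonymous", "user", "admin"}),
    "/change-password": frozenset({"user", "admin"}),
    "/admin/users":     frozenset({"admin"}),
}


@dataclass
class Request:
    path: str
    user_id: Optional[str] = None                 # None: not authenticated
    roles: frozenset = field(default_factory=frozenset)


# Refused attempts are collected here so a test can check that denials are
# recorded; a real deployment would also ship them to the central log.
denied_attempts: list = []


def allow_by_default(req: Request) -> bool:
    """Weak pattern (constructed illustration): only paths under /admin are
    checked, so every page the developer forgot to list, including
    administrative pages elsewhere, is reachable without authentication."""
    if req.path.startswith("/admin"):
        return "admin" in req.roles
    return True


def authorize(req: Request) -> bool:
    """Deny-by-default: the request passes only if the principal holds a role
    that is explicitly granted for the exact path; otherwise it is refused
    and the failed attempt is logged."""
    principal_roles = req.roles if req.user_id else frozenset({"anonymous"})
    granted = ROUTE_ROLES.get(req.path, frozenset())   # unlisted -> empty set
    if principal_roles & granted:
        return True
    event = {
        "path": req.path,
        "user": req.user_id or "<anonymous>",
        "roles": sorted(principal_roles),
    }
    denied_attempts.append(event)
    log.warning("access denied: %s", event)
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    anon = Request("/change-password")
    admin = Request("/admin/users", "u1", frozenset({"admin"}))
    # allow-by-default lets the unauthenticated request through; deny-by-default refuses it
    print("anonymous -> /change-password:", allow_by_default(anon), authorize(anon))
    print("admin     -> /admin/users:    ", allow_by_default(admin), authorize(admin))
```

The point of the allow-list shape is that adding a new page without adding a permissions entry fails closed: the page is unreachable until someone grants a role to it, and the denial log tells the developer which route still needs an entry.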
Reference:
https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
Evidence/Proof Of Concept:
Step 1: In the application it was observed that certain internal pages were accessible to the
end user without any authentication.
Updated by Kalyan Battula about 1 year ago
- Subject changed from [Security Audit ] Broken Access Control to [Security Audit ] 3-Broken Access Control
Updated by Kranti Boddu about 1 year ago
- Status changed from New to In Progress
- Assignee set to Kranti Boddu
Updated by Kranti Boddu about 1 year ago
- Status changed from In Progress to Resolved
Updated by Sivakanth Kesiraju about 1 year ago
- Target version set to Sprint 1 (29th April - 3rd May)
Updated by Sivakanth Kesiraju about 1 year ago
- Target version changed from Sprint 1 (29th April - 3rd May) to Security Audit