Bug #70
Status: closed
Feature #65: Security Audit
[Security Audit ] 5 -Failed Defences Against Application Misuse
Description
5 -Failed Defences Against Application Misuse
CWE : CWE-841 (Improper Enforcement of Behavioral Workflow)
Description :
The misuse and invalid use of otherwise valid functionality (replaying requests, hammering a single endpoint, submitting out-of-order or malformed workflow steps) is the signature of an attacker enumerating the web application, probing for weaknesses and exploiting vulnerabilities. Tests should be undertaken to determine whether application-layer defensive mechanisms (rate limiting, lockout, anomaly logging and alerting) are in place to detect and stop such misuse.
Affected Path(s) :
https://earogya.satragroup.in/change-password (* applicable to the entire application)
Impact :
The lack of active defences allows an attacker to hunt for vulnerabilities without being slowed down, blocked or detected. The application's owner will therefore not know that the application is under attack, and a replayable change-password request in particular lets an attacker or an intercepted request re-run a sensitive operation at will.
Recommendation :
Build active defences against application misuse: rate limit and lock out sessions that repeat requests to sensitive endpoints, and log and alert on abnormal request patterns so that probing is visible to the owner. It is also recommended to implement strong server-side controls so that the same change-password request cannot be submitted multiple times, for example by binding a single-use token to the form and the session and rejecting any request whose token has already been consumed.
Evidence/Proof Of Concept :
Step 1: Log in to the application, submit the change-password form, and then re-submit the same request multiple times. It was observed that the server accepts each repeated submission without rate limiting, token invalidation or any other defensive response.
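The two recommended controls (a single-use, session-bound form token and a per-session rate limit with misuse logging) as an added, self-contained example; this is not code from the audited application and the server is modelled in memory. The session identifier, the `SERVER_SECRET`, the limits and the `MisuseDefence` class name are assumptions for illustration.

```python
"""Application-layer defences for a change-password endpoint (added example).

Assumptions (not from the original finding): `session_id` is the authenticated
user's session identifier, SERVER_SECRET is a per-deployment secret, and the
"server" is modelled in memory. Two controls are shown:
  1. a single-use form token, HMAC-bound to the session, so the same
     change-password request cannot be replayed;
  2. a sliding-window rate limit per session, with misuse events recorded so
     the owner can see that the endpoint is being probed.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret, never a constant


class MisuseDefence:
    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                    # injectable so the window can be tested
        self._unused_nonces = set()           # nonces issued and not yet consumed
        self._attempts = defaultdict(deque)   # session_id -> timestamps of recent requests
        self.alerts = []                      # (session_id, reason) misuse events for review

    @staticmethod
    def _mac(session_id, nonce):
        # Binds the nonce to the session so a token issued to one session is useless to another.
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id):
        """Embed the returned token in the change-password form; valid once, for this session only."""
        nonce = secrets.token_hex(16)
        self._unused_nonces.add(nonce)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def _alert(self, session_id, reason):
        self.alerts.append((session_id, reason))

    def _rate_limited(self, session_id):
        """Sliding window: True when the session already made max_attempts requests in the window."""
        now = self.clock()
        recent = self._attempts[session_id]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            return True
        recent.append(now)
        return False

    def handle_change_password(self, session_id, token, new_password):
        """Returns (status, reason). The rate limit is checked before any other work."""
        if self._rate_limited(session_id):
            self._alert(session_id, "rate_limited")
            return ("rejected", "too_many_attempts")
        nonce, _, mac = token.partition(".")
        expected = self._mac(session_id, nonce)
        if nonce not in self._unused_nonces or not hmac.compare_digest(mac.encode(), expected.encode()):
            # Either a replay (nonce already consumed), a forged token, or another session's token.
            self._alert(session_id, "invalid_or_reused_token")
            return ("rejected", "invalid_or_reused_token")
        self._unused_nonces.discard(nonce)  # consume before doing the work: a replay now fails
        # A real handler would verify the current password and store the new hash here;
        # new_password is accepted unchanged in this model.
        _ = new_password
        return ("accepted", "password_changed")


if __name__ == "__main__":
    defence = MisuseDefence(max_attempts=3, window_seconds=60)
    token = defence.issue_token("sess-A")
    print(defence.handle_change_password("sess-A", token, "N3w-Passw0rd!"))  # accepted
    print(defence.handle_change_password("sess-A", token, "N3w-Passw0rd!"))  # rejected: reused token
    print(defence.alerts)
```

The token is consumed before the password is actually changed, so a failed attempt (for example a wrong current password) also requires a fresh form load; that is deliberate, since it is the repeated submission itself that the finding asks the server to refuse. The rate limit runs first so that an attacker who is replaying cannot use the token check as a cheap oracle.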
Updated by Vasudev Mamidi 12 months ago
- Assignee changed from Vasu Malladi to Vasudev Mamidi
Updated by Pavan kumar Siddamsetti 12 months ago
- Status changed from New to In Progress
Updated by Vasudev Mamidi 12 months ago
- Status changed from In Progress to Resolved