Bug #83
Parent: Feature #65: Security Audit (closed)
[Security Audit] 18 - Application Logic Bypass
Description
18- Application Logic Bypass
CWE : CWE-840
Description :
The application does not perform, or incorrectly performs, an authorization check when an
actor attempts to perform an action.
Affected Path(s) :
https://earogya.satragroup.in/patient/39/patient-Registration (applicable to the entire
application)
Impact :
An attacker could read sensitive data, either by reading the data directly from a data
store that is not properly restricted, or by accessing insufficiently-protected, privileged
functionality to read the data.
Recommendation :
Make sure that the access control mechanism is enforced correctly on the server side on
every page, and that submitted registration fields (the DOB in the proof of concept below)
are validated on the server rather than relying on browser-side checks.
Evidence/Proof Of Concept :
Step 1: Patient registration was submitted successfully with a wrong DOB, as shown in the
screenshot below.
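The following is an added illustration of the recommendation, not code from the earogya application: a server-side registration handler that re-checks authorization for the /patient/<id>/ path segment and rejects a DOB that is unparsable, in the future, or implausibly old, independent of whatever the browser validated. The roles, field names and records are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed, hypothetical roles and records; the real application's data
# model and role names are not on the page.
MAX_AGE_YEARS = 130
TODAY = date(2024, 6, 1)  # fixed "today" so the example is deterministic


@dataclass(frozen=True)
class Actor:
    user_id: int
    role: str  # assumed roles: "patient", "receptionist" or "admin"


def validate_dob(dob_str: Optional[str], today: date) -> Optional[str]:
    """Return None if the DOB is acceptable, otherwise the rejection reason.

    Rejects unparsable values, dates in the future and implausible ages, so a
    client that skips or tampers with browser-side checks cannot push a
    nonsense DOB into the record.
    """
    try:
        dob = date.fromisoformat(dob_str)
    except (TypeError, ValueError):
        return "dob must be an ISO date (YYYY-MM-DD)"
    if dob > today:
        return "dob cannot be in the future"
    if dob.year < today.year - MAX_AGE_YEARS:
        return "dob implies an implausible age"
    return None


def authorize_registration(actor: Actor, patient_id: int) -> Optional[str]:
    """Server-side check that this actor may submit a registration for patient_id.

    A patient may only complete their own record; staff roles may act for any
    patient. The patient id from the URL is untrusted input here.
    """
    if actor.role in ("receptionist", "admin"):
        return None
    if actor.role == "patient" and actor.user_id == patient_id:
        return None
    return "forbidden"


def register_patient(actor: Actor, patient_id: int, payload: dict, today: date) -> dict:
    """Handle a registration POST for /patient/<patient_id>/patient-Registration.

    Authorization and validation both run on the server, on every request,
    regardless of what the browser already checked.
    """
    denied = authorize_registration(actor, patient_id)
    if denied:
        return {"status": 403, "error": denied}
    reason = validate_dob(payload.get("dob"), today)
    if reason:
        return {"status": 400, "error": reason}
    return {"status": 201, "patient_id": patient_id, "dob": payload["dob"]}


if __name__ == "__main__":
    staff = Actor(user_id=7, role="receptionist")
    # Future DOB, as in the proof of concept: rejected with 400 instead of saved.
    print(register_patient(staff, 39, {"dob": "2031-02-14"}, TODAY))
    # Another patient posting to patient 39's registration path: 403.
    print(register_patient(Actor(41, "patient"), 39, {"dob": "1990-01-01"}, TODAY))
    # The owning patient with a sane DOB: accepted.
    print(register_patient(Actor(39, "patient"), 39, {"dob": "1990-01-01"}, TODAY))
```

The order matters: the authorization check runs before any field is looked at, so an unauthorized caller learns nothing about which values the validator would accept.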
Files
Updated by Karthik Daram about 1 year ago
- Status changed from New to In Progress
- Assignee set to Karthik Daram
Updated by Karthik Daram about 1 year ago
- Status changed from In Progress to Resolved
Updated by Karthik Daram about 1 year ago
- Status changed from Resolved to In Progress