Bug #84 (closed)
Parent: Feature #65: Security Audit
[Security Audit] 19- Client side bypass / Improper server side validation
Description
19- Client side bypass / Improper server side validation
CWE : CWE-602
Description :
The software is composed of a server that relies on the client to implement a mechanism
that is intended to protect the server.
Affected Path(s) :
https://earogya.satragroup.in/configuration/all_master
https://his-core-domainservice.satragroup.in/department-master
* Applicable to the entire application
Impact :
When the server relies on protection mechanisms placed on the client side, an attacker
can modify the client-side behavior to bypass the protection mechanisms resulting in
potentially unexpected interactions between the client and server. The consequences will
vary, depending on what the mechanisms are trying to protect.
Recommendation :
Validate all user input on the server side, independently of any restriction the UI imposes: for fields the client presents as a fixed set of choices (such as "Yes"/"No"), compare the submitted value against a server-side allowlist of permitted values and reject anything else. Enforce an allowlist of permitted application URLs and apply proper access control on the server for every request, so that a user who can reach a URL still cannot perform an action outside their role.
Evidence/Proof Of Concept :
Step 1: Log in to the application with the test2_fd credentials and navigate to the Department tab under the Masterdata dropdown. Observe that the field in question only offers the options "Yes" or "No" in the UI, as shown in the attached screenshot.
Step 2: Submit the form, intercept the resulting request in a proxy, and change the "Yes"/"No" value to a value the UI does not offer, as depicted in the attached screenshot. Observe that the server responds "Resource has been created successfully": the out-of-range value is accepted because the restriction exists only in the client and is not re-checked on the server.
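The following is an added example illustrating the finding and the recommended fix; it is not code from the audited application. The server stack, the field name (`is_active`), the role name (`master_admin`) and the request bodies are all assumptions made for the illustration. The vulnerable handler stores whatever the intercepted request carries, exactly as observed in Step 2; the hardened handler re-validates every field against a server-side schema and allowlist of values, rejects unknown fields, and checks the caller's role before creating anything.

```python
import json
from http import HTTPStatus

# Hypothetical server-side schema for the department master record.
# The ticket only states that the UI restricts one field to "Yes"/"No";
# the field and role names below are assumptions for the example.
DEPARTMENT_SCHEMA = {
    "name": {"type": str, "max_len": 100},
    "is_active": {"type": str, "choices": ("Yes", "No")},
}
REQUIRED_ROLE = "master_admin"

# Constructed request bodies: one as the browser would send it, one tampered
# in a proxy the way Step 2 describes (a value the dropdown never offers).
VALID_BODY = json.dumps({"name": "Cardiology", "is_active": "Yes"})
TAMPERED_BODY = json.dumps({"name": "Cardiology", "is_active": "Maybe"})


def handle_create_vulnerable(raw_body: str) -> tuple[int, dict]:
    """Vulnerable pattern (CWE-602): trusts that the client enforced the
    Yes/No restriction, so any value that arrives is stored as-is."""
    payload = json.loads(raw_body)
    return HTTPStatus.CREATED, {
        "message": "Resource has been created successfully",
        "stored": payload,
    }


def validate_department(payload: dict) -> list[str]:
    """Server-side validation against the schema; returns a list of errors
    (empty when the payload is acceptable)."""
    errors = []
    for field, rule in DEPARTMENT_SCHEMA.items():
        if field not in payload:
            errors.append(f"{field}: missing")
            continue
        value = payload[field]
        if not isinstance(value, rule["type"]):
            errors.append(f"{field}: wrong type")
            continue
        # Allowlist check: this is the check the client-only restriction lacked.
        if "choices" in rule and value not in rule["choices"]:
            errors.append(f"{field}: must be one of {list(rule['choices'])}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{field}: longer than {rule['max_len']} characters")
    unknown = sorted(set(payload) - set(DEPARTMENT_SCHEMA))
    if unknown:
        errors.append(f"unknown fields: {unknown}")
    return errors


def handle_create_hardened(raw_body: str, user_roles: set[str]) -> tuple[int, dict]:
    """Hardened handler: access control first, then strict server-side
    validation of the body; only a conforming record is created."""
    if REQUIRED_ROLE not in user_roles:
        return HTTPStatus.FORBIDDEN, {"error": "not permitted"}
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        return HTTPStatus.BAD_REQUEST, {"errors": ["body is not valid JSON"]}
    if not isinstance(payload, dict):
        return HTTPStatus.BAD_REQUEST, {"errors": ["body must be a JSON object"]}
    errors = validate_department(payload)
    if errors:
        return HTTPStatus.BAD_REQUEST, {"errors": errors}
    return HTTPStatus.CREATED, {
        "message": "Resource has been created successfully",
        "stored": payload,
    }


if __name__ == "__main__":
    print("vulnerable, tampered:", handle_create_vulnerable(TAMPERED_BODY)[0])
    print("hardened, tampered:  ", handle_create_hardened(TAMPERED_BODY, {REQUIRED_ROLE}))
    print("hardened, valid:     ", handle_create_hardened(VALID_BODY, {REQUIRED_ROLE})[0])
    print("hardened, wrong role:", handle_create_hardened(VALID_BODY, {"viewer"})[0])
```

The point of the allowlist is that the server never has to know how the client constrained the field; it re-derives the constraint from its own schema, so a proxy-modified request is treated exactly like a request that never passed through the UI at all.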
Files