Identity Portal Form Weak Validation Input


Article ID: 225831


Updated On:


CA Identity Suite



We are using Identity Portal 14.4 on Windows with WildFly 15.0.1 as a standalone server.

During the pen testing, we found an issue on the form: attributes marked read-only can be modified using a script.

Here is the detailed issue description. Please investigate and let me know the solution.


Weak Input Validation


One or more parameters were identified that had insufficient or incorrect server-side validation.


By supplying invalid or otherwise crafted parameter values, an attacker may be able to perform privileged or unexpected operations on the server that could result in unauthorized access, or sensitive data exposure.


The application prevented users from modifying unintended fields by setting them as read-only in the user interface. However, some of these fields were still submitted as part of a normal workflow and processed by the server.

The first name and last name fields were displayed as read-only.


Updated values were successfully submitted to the server.


The updated values were persisted by the application.



Implement strong server-side validation rules to ensure input data conforms to the expected format, including presence/absence, length, content, and syntax.

Do not rely on client-side scripting components (JavaScript) to perform this validation, as this can be easily bypassed by an attacker, and some users may interact with the application with client-side scripting components disabled. Client-side validation should only be used to enhance the user experience.


OWASP ASVS v4.0: 1.5.3 Input and Output Architecture

OWASP ASVS v4.0: 5.1 Input Validation Requirements



Access Context: Modify My Vendor User Profile

HTTP Method:

Parameters: First Name, Last Name



Release : 14.4

Component : SIGMA-Identity Suite


When using a secure connection (HTTPS), nobody can change the request payload in transit, as it is encrypted, so the problem cannot occur over a secure connection.

Otherwise, the vulnerability will be resolved in the next release (IP 14.4.1).

We already introduced a CSRF token in the IP 14.4.1 release. If someone obtains the session without the token, the submitted request will be rejected by the server.

And, if needed, you can still add your own field validation, but as the portal contains all customized forms and fields, validating every field may cause performance problems.
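The server-side check recommended in the finding above (and the "add your own field validation" option in this resolution) can be expressed as a small enforcement routine that compares the submitted payload against the server's own copy of the form definition and profile, rejecting changes to read-only attributes and checking length and syntax of editable ones. This is an added illustration, not Identity Portal or CA Identity Suite code; the form definition, field names and patterns are constructed for the example.

```python
"""Server-side enforcement of read-only form fields (added example)."""
import re

# Constructed form definition modelled on the "Modify My Vendor User Profile"
# form in the report: the name fields are rendered read-only, the others are
# editable with a length limit and, where useful, a syntax pattern.
FORM_DEFINITION = {
    "firstName": {"readonly": True},
    "lastName": {"readonly": True},
    "phone": {"readonly": False, "pattern": r"^\+?[0-9 ]{7,20}$", "max_len": 20},
    "department": {"readonly": False, "max_len": 64},
}


class ValidationError(ValueError):
    """Raised when a submitted payload violates the server-side rules."""


def validate_submission(form_def, stored_profile, payload):
    """Return the attribute changes the server may persist.

    Only the fields actually submitted are checked, so the cost is
    proportional to the request rather than to the whole form catalogue.
    A read-only attribute that is re-submitted unchanged is simply dropped;
    one that differs from the server's stored value is rejected outright.
    """
    changes = {}
    for name, value in payload.items():
        spec = form_def.get(name)
        if spec is None:
            raise ValidationError(f"unknown attribute {name!r}")
        if spec["readonly"]:
            # Compare against the server's copy, never against client state.
            if value != stored_profile.get(name):
                raise ValidationError(f"read-only attribute {name!r} modified")
            continue
        if not isinstance(value, str):
            raise ValidationError(f"{name!r} must be a string")
        if len(value) > spec.get("max_len", 255):
            raise ValidationError(f"{name!r} exceeds maximum length")
        pattern = spec.get("pattern")
        if pattern and not re.fullmatch(pattern, value):
            raise ValidationError(f"{name!r} has invalid syntax")
        if value != stored_profile.get(name):
            changes[name] = value
    return changes
```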