Identity Portal Form: Weak Input Validation (read-only fields modifiable)

Article ID: 225831

Updated On:

Products

CA Identity Suite

Issue/Introduction

We are using Identity Portal 14.4 on Windows with WildFly 15.0.1 as a standalone server.

During the pen testing, we found an issue on the form. Attributes set as readonly can be modified using a script.

Here is the detailed issue description. Please investigate and let me know the solution.

Weak Input Validation

Observation

One or more parameters were identified that had insufficient or incorrect server-side validation.

Implication

By supplying invalid or otherwise crafted parameter values, an attacker may be able to perform privileged or unexpected operations on the server that could result in unauthorized access, or sensitive data exposure.

Findings

The application prevented users from modifying unintended fields by setting them as read-only in the user interface. However, some of these fields were still submitted as part of a normal workflow and processed by the server.

The first name and last name fields were displayed as read-only.

Updated values were successfully submitted to the server.

The updated values were persisted by the application.

Recommendation

Implement strong server-side validation rules to ensure input data conforms to the expected format, including presence/absence, length, content, and syntax.

Do not rely on client-side scripting components (JavaScript) to perform this validation, as this can be easily bypassed by an attacker, and some users may interact with the application with client-side scripting components disabled. Client-side validation should only be used to enhance the user experience.

References

OWASP ASVS v4.0: 1.5.3 - Input and Output Architecture

OWASP ASVS v4.0: 5.1 - Input Validation Requirements

Affects

Access Context | Object/Function               | Parameter             | HTTP Method
Authenticated  | Modify My Vendor User Profile | First Name, Last Name | POST

Environment

Release : 14.4

Component : SIGMA-Identity Suite

Resolution

A secure (HTTPS/TLS) connection prevents a third party from reading or altering the request payload in transit. It does not prevent the authenticated user from changing the payload before the browser sends it (by removing the readonly attribute in the browser's developer tools or by editing the POST in an intercepting proxy), which is exactly what the finding describes. TLS is therefore required, but it does not by itself close this issue.

The vulnerability will be resolved in the next release, Identity Portal 14.4.1.

Identity Portal 14.4.1 also introduces a CSRF token: a request that arrives with a valid session but without the token is rejected by the server. Note that the CSRF token defends against requests forged by another site; on its own it does not stop the logged-in user from editing a read-only field in a request they submit themselves, so the server must still ignore or reject changes to read-only attributes.

If needed, you can still add your own server-side field validation, with one caveat: the portal's forms and fields are all customer-defined, so validating every field of every form on each submission may cause performance problems. Restricting the check to the fields marked read-only (compare the submitted value with the stored value and reject the request if they differ) keeps the cost small.
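The following is an added example, not CA Identity Portal code, of the server-side check that the pentest recommendation and the note above describe: a hypothetical profile-update handler that never takes read-only attributes from the request body, rejects a request in which such a field was altered (a signal that the UI control was bypassed), and applies length and syntax rules only to the fields the user may edit. The form name, the field names (firstName, lastName, phone, title), the schema object and the sample records are all assumptions made for illustration.

```javascript
'use strict';

// Added example (not CA Identity Portal code). Field policy for a hypothetical
// "Modify My Vendor User Profile" form; names and rules are assumptions.
const PROFILE_SCHEMA = {
  firstName: { readOnly: true },
  lastName:  { readOnly: true },
  phone:     { readOnly: false, maxLength: 20, pattern: /^\+?[0-9 ()-]+$/ },
  title:     { readOnly: false, maxLength: 64, pattern: /^[\p{L}\p{N} .,'-]*$/u },
};

// Validate a submitted profile update against the record already stored for
// the authenticated user. Returns { ok, errors, update }, where `update` holds
// only the fields the server will actually persist.
//
// The HTML readonly attribute is a UI hint: it can be removed in the browser's
// developer tools, and the POST body can be edited in an intercepting proxy.
// So read-only fields are never copied from the request; if the client sends a
// value that differs from the stored one, the request is rejected, because a
// normal workflow always echoes the displayed value back unchanged.
function validateProfileUpdate(stored, submitted, schema = PROFILE_SCHEMA) {
  const errors = [];
  const update = {};

  for (const name of Object.keys(submitted)) {
    const rule = schema[name];
    if (!rule) {
      // Unknown parameter: block mass assignment of fields not on the form.
      errors.push(`${name}: unknown field`);
      continue;
    }
    const value = submitted[name];

    if (rule.readOnly) {
      if (value !== stored[name]) {
        errors.push(`${name}: read-only field modified`);
      }
      continue; // never persisted from the request, changed or not
    }

    // Editable field: enforce type, length and syntax on the server.
    if (typeof value !== 'string') {
      errors.push(`${name}: must be a string`);
      continue;
    }
    if (rule.maxLength !== undefined && value.length > rule.maxLength) {
      errors.push(`${name}: exceeds ${rule.maxLength} characters`);
      continue;
    }
    if (rule.pattern && !rule.pattern.test(value)) {
      errors.push(`${name}: invalid syntax`);
      continue;
    }
    update[name] = value;
  }

  return { ok: errors.length === 0, errors, update };
}

// Constructed sample record (not real data).
const storedProfile = {
  firstName: 'Alice', lastName: 'Vendor', phone: '+1 555 0100', title: 'Buyer',
};

// 1. Normal workflow: read-only fields echoed back unchanged, phone updated.
const normalResult = validateProfileUpdate(storedProfile, {
  firstName: 'Alice', lastName: 'Vendor', phone: '+1 555 0199', title: 'Buyer',
});

// 2. The finding: readonly removed in devtools (or POST edited in a proxy),
//    first and last name changed. The server must refuse this.
const tamperedResult = validateProfileUpdate(storedProfile, {
  firstName: 'Mallory', lastName: 'Admin', phone: '+1 555 0199', title: 'Buyer',
});

// 3. Extra parameter not on the form, plus a phone value with bad syntax.
const extraFieldResult = validateProfileUpdate(storedProfile, {
  firstName: 'Alice', lastName: 'Vendor', role: 'admin', phone: '<script>',
});

console.log(normalResult, tamperedResult, extraFieldResult);
```

In a real handler the stored record is loaded by the session's user id, never from a client-supplied identifier, and a `read-only field modified` error is worth logging as a tamper event rather than just returning a 400.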