Identity Portal Form Weak Validation Input
Article ID: 225831
Updated On:
Products
Issue/Introduction
We are using Identity Portal 14.4 on windows with wildfly 15.0.1 and its standalone server.
During the PEN testing, we have found an issue on the FORM. Attributes with the readonly can be modified using the script.
Here is the detailed issue description. Please investigate and let me know the solution.
|
M |
Weak Input Validation |
Observation
One or more parameters were identified that had insufficient or incorrect server-side validation.
Implication
By supplying invalid or otherwise crafted parameter values, an attacker may be able to perform privileged or unexpected operations on the server that could result in unauthorized access, or sensitive data exposure.
Findings
The application prevented users from modifying unintended fields by setting them as read-only in the user interface. However, some of these fields were still submitted as part of a normal workflow and processed by the server.
The first name and last name fields were displayed as read-only.
Updated values were successfully submitted to the server.
The updated values were persisted by the application.
Recommendation
Implement strong server-side validation rules to ensure input data conforms to the expected format, including presence/absence, length, content, and syntax.
Do not rely on client-side scripting components (JavaScript) to perform this validation, as this can be easily bypassed by an attacker, and some users may interact with the application with client-side scripting components disabled. Client-side validation should only be used to enhance the user experience.
References
OWASP ASVS v4.0: 1.5.3-Input and Output Architecture
OWASP ASVS v4.0: 5.1-Input Validation Requirements
Affects
|
Access Context |
Object/Function |
Parameter |
HTTP Method |
|
Authenticated |
Modify My Vendor User Profile |
First Name, Last Name |
POST |
Environment
Release : 14.4
Component : SIGMA-Identity Suite
Resolution
When using the Secure Connection, nobody can change the request payload in the middle as it is encrypted. So the problem can't occur when using the secure connection.
Otherwise, the vulnerability will be resolved in the next release (IP 14.4.1)
We already introduced the CSRF token in IP 14.4.1 release. If someone gets the Session without a token, then the submitted request will be rejected by the server.
And, if needed, you can still add your own field validation, but:
As the portal contains all customized forms and fields, validating every field may cause performance problems.
Feedback
