-
Type:
Bug
-
Status: In LB Testing
-
Priority:
High
-
Resolution: Unresolved
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: UI Refresh
-
Labels:None
-
Bug Type:Functional
-
Bug Severity:Critical
-
Level:Employee
-
Module:Platform - Security
-
Reported by:Harbinger
-
Item State:Development - On Hold
-
Issue Importance:Q2
[Security] All Company - EE Login - Enroll Now - Request parameters values on Enroll Now page get altered and can be saved successfully.
Environment : Azure
Login : Employee
Company : Beta Security Test
Employee : Saba Abai / 164215 / Password1@
Tool : ZAP
Replication Steps:
1. Login as Employee
2. Start traversing employee self serve mode through OE/New Hire/Employee Dashboard -> Enroll Now
3. Go to Enroll Now page
4. Go to any plan which is already enrolled or enroll in new plan.
5. Tamper the request parameters like Coverage Amount, Costs for enroll now action.
6. Save the updated values.
7. Verify the Confirmation Statement, Enrollment Summary, Enrollment reports
Real life scenarios those are possible.
1. Employee can increase the Coverage amount keeping the cost (Premium) same.
2. Employee can increase Coverage amount and decrease cost (Premium).
3. Employee can keep same Coverage amount for decreased cost (Premium).
CC : Rakesh RoySamirBharti SatputeVijay SiddhaSatyaSachin HingoleHrishikesh DeshpandeGaurav SodaniNidhi Kaulshyam sharma
- relates to
-
NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.
-
- To Do
-
I have verified the fix on Azure environment. Although, it shows Forbidden Access for requests, I can still tamper the values successfully. Could you please reconfirm.
PFA screenshot.
Thanks
-Prasad
CC: Rakesh RoySamirVijayendra ShindeSachin HingoleHrishikesh Deshpande 
Can you please confirm with existing screens of enroll now in stage?
This issue exist on pre-prod environment. Could you please check.
Please plan it in future sprints.
Please check after next azure deployment.