[NF-3852] [Security] All Company - EE Login - Enroll Now - Request parameters values on Enroll Now page get altered and can be saved successfully. - Workterra Jira

Details

Type: Bug
Status: In LB Testing
Priority: High
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: UI Refresh
Labels:
None

Bug Type:
Functional
Bug Severity:
Critical
Level:

Employee
Module:
Platform - Security
Reported by:
Harbinger
Item State:
Development - On Hold
Issue Importance:
Q2

Description

[Security] All Company - EE Login - Enroll Now - Request parameters values on Enroll Now page get altered and can be saved successfully.

Environment : Azure
Login : Employee
Company : Beta Security Test
Employee : Saba Abai / 164215 / Password1@
Tool : ZAP

Replication Steps:
1. Login as Employee
2. Start traversing employee self serve mode through OE/New Hire/Employee Dashboard -> Enroll Now
3. Go to Enroll Now page
4. Go to any plan which is already enrolled or enroll in new plan.
5. Tamper the request parameters like Coverage Amount, Costs for enroll now action.
6. Save the updated values.
7. Verify the Confirmation Statement, Enrollment Summary, Enrollment reports

Real life scenarios those are possible.
1. Employee can increase the Coverage amount keeping the cost (Premium) same.
2. Employee can increase Coverage amount and decrease cost (Premium).
3. Employee can keep same Coverage amount for decreased cost (Premium).

CC : Rakesh Roy Samir Bharti Satpute Vijay Siddha Satya Sachin Hingole Hrishikesh Deshpande Gaurav Sodani Nidhi Kaul shyam sharma

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

EE_EePlanEligibilityRpt.jpg
210 kB
20/Jul/17 05:43 AM
EE_EnrollmentReport.jpg
142 kB
20/Jul/17 05:43 AM
EECoverageAndCost_Intercept.doc
1.06 MB
20/Jul/17 05:43 AM
EnrollNowTamper_After.jpg
118 kB
20/Jul/17 05:43 AM
EnrollNowTamper_Before.jpg
366 kB
20/Jul/17 05:43 AM
EnrollNowTamper_CostChange.jpg
209 kB
20/Jul/17 05:43 AM
Re-Open_EnrollNow.jpg
279 kB
02/Aug/17 07:34 AM

Issue Links

relates to

NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.

To Do

Activity

Ascending order - Click to sort in descending order

Prasad Pise (Inactive) created issue - 20/Jul/17 05:47 AM

Prasad Pise (Inactive) made changes - 20/Jul/17 05:47 AM

Field	Original Value	New Value
Link		This issue relates to NF-2714 [ NF-2714 ]

Vijayendra Shinde (Inactive) made changes - 20/Jul/17 05:51 AM

Assignee

Vijayendra Shinde [ ID10506 ]

Rohan J Khandave [ rohan.khandave ]

Rohan J Khandave (Inactive) made changes - 26/Jul/17 10:01 AM

Status

Open [ 1 ]

In Development [ 10007 ]

Rohan J Khandave (Inactive) made changes - 26/Jul/17 10:01 AM

Item State		Parent values: Development(10200)Level 1 values: In Analysis(10204)
Remaining Estimate		24h [ 86400 ]
Original Estimate		24h [ 86400 ]

Permalink

Rohan J Khandave (Inactive) logged work - 26/Jul/17 03:16 PM

Time Spent:

3h

<No comment>

Rohan J Khandave (Inactive) made changes - 26/Jul/17 03:16 PM

Remaining Estimate	24h [ 86400 ]	21h [ 75600 ]
Time Spent		3h [ 10800 ]
Worklog Id		66661 [ 66661 ]

Permalink

Rohan J Khandave (Inactive) logged work - 27/Jul/17 01:16 PM

Time Spent:

2.5h

<No comment>

Rohan J Khandave (Inactive) made changes - 28/Jul/17 01:16 PM

Remaining Estimate	21h [ 75600 ]	18.5h [ 66600 ]
Time Spent	3h [ 10800 ]	5.5h [ 19800 ]
Worklog Id		67756 [ 67756 ]

Permalink

Rohan J Khandave (Inactive) logged work - 31/Jul/17 07:42 AM

Time Spent:

1.5h

<No comment>

Rohan J Khandave (Inactive) made changes - 31/Jul/17 07:42 AM

Item State

Parent values: Development(10200)Level 1 values: In Analysis(10204)

Parent values: Development(10200)Level 1 values: Ready for Local Testing(10209)

Rohan J Khandave (Inactive) made changes - 31/Jul/17 07:42 AM

Code Review Date		31/Jul/2017
Code Reviewed By		Vijayendra Shinde [ 11901 ]
Developer		Rohan J Khandave [ rohan.khandave ]

Rohan J Khandave (Inactive) made changes - 31/Jul/17 07:43 AM

Remaining Estimate	18.5h [ 66600 ]	17h [ 61200 ]
Time Spent	5.5h [ 19800 ]	7h [ 25200 ]
Worklog Id		68119 [ 68119 ]

Rohan J Khandave (Inactive) made changes - 31/Jul/17 07:45 AM

Status

In Development [ 10007 ]

Local Testing [ 10200 ]

Hide

Permalink

Rohan J Khandave (Inactive) added a comment - 31/Jul/17 07:45 AM

Please check after next azure deployment.

Show

Rohan J Khandave (Inactive) added a comment - 31/Jul/17 07:45 AM Please check after next azure deployment.

Rohan J Khandave (Inactive) made changes - 31/Jul/17 07:45 AM

Assignee

Rohan J Khandave [ rohan.khandave ]

Prasad Pise [ prasadp ]

Permalink

Rohan J Khandave (Inactive) logged work - 31/Jul/17 02:00 PM

Time Spent:

2h

<No comment>

Rohan J Khandave (Inactive) made changes - 31/Jul/17 02:00 PM

Remaining Estimate	17h [ 61200 ]	15h [ 54000 ]
Time Spent	7h [ 25200 ]	9h [ 32400 ]
Worklog Id		68520 [ 68520 ]

Ashwin Wankhede (Inactive) made changes - 01/Aug/17 08:54 AM

Item State

Parent values: Development(10200)Level 1 values: Ready for Local Testing(10209)

Parent values: LB QA(10201)Level 1 values: LB Deployed(11600)

Permalink

Prasad Pise (Inactive) logged work - 01/Aug/17 01:46 PM

Time Spent:

1h

Azure testing

Prasad Pise (Inactive) made changes - 02/Aug/17 07:31 AM

Item State

Parent values: LB QA(10201)Level 1 values: LB Deployed(11600)

Parent values: LB QA(10201)Level 1 values: In Testing(10210)

Prasad Pise (Inactive) made changes - 02/Aug/17 07:31 AM

Item State

Parent values: LB QA(10201)Level 1 values: In Testing(10210)

Parent values: LB QA(10201)Level 1 values: Re-open(10212)

Prasad Pise (Inactive) made changes - 02/Aug/17 07:34 AM

Attachment

Re-Open_EnrollNow.jpg [ 57375 ]

Hide

Permalink

Prasad Pise (Inactive) added a comment - 02/Aug/17 07:34 AM

Hi Rohan J Khandave

I have verified the fix on Azure environment. Although, it shows Forbidden Access for requests, I can still tamper the values successfully. Could you please reconfirm.

PFA screenshot.

Thanks
-Prasad
CC: Rakesh Roy Samir Vijayendra Shinde Sachin Hingole Hrishikesh Deshpande

Show

Prasad Pise (Inactive) added a comment - 02/Aug/17 07:34 AM Hi Rohan J Khandave I have verified the fix on Azure environment. Although, it shows Forbidden Access for requests, I can still tamper the values successfully. Could you please reconfirm. PFA screenshot. Thanks -Prasad CC: Rakesh Roy Samir Vijayendra Shinde Sachin Hingole Hrishikesh Deshpande

Prasad Pise (Inactive) made changes - 02/Aug/17 07:34 AM

Assignee

Prasad Pise [ prasadp ]

Rohan J Khandave [ rohan.khandave ]

Hide

Permalink

Rohan J Khandave (Inactive) added a comment - 02/Aug/17 08:58 AM

Can you please confirm with existing screens of enroll now in stage?

Show

Rohan J Khandave (Inactive) added a comment - 02/Aug/17 08:58 AM Can you please confirm with existing screens of enroll now in stage?

Rohan J Khandave (Inactive) made changes - 02/Aug/17 08:58 AM

Assignee

Rohan J Khandave [ rohan.khandave ]

Prasad Pise [ prasadp ]

Permalink

Prasad Pise (Inactive) logged work - 02/Aug/17 11:04 AM

Time Spent:

1.5h

<No comment>

Prasad Pise (Inactive) made changes - 02/Aug/17 11:04 AM

Remaining Estimate	15h [ 54000 ]	13.5h [ 48600 ]
Time Spent	9h [ 32400 ]	10.5h [ 37800 ]
Worklog Id		68931 [ 68931 ]

Prasad Pise (Inactive) made changes - 02/Aug/17 01:47 PM

Remaining Estimate	13.5h [ 48600 ]	12.5h [ 45000 ]
Time Spent	10.5h [ 37800 ]	11.5h [ 41400 ]
Worklog Id		69034 [ 69034 ]

Permalink

Prasad Pise (Inactive) logged work - 03/Aug/17 12:56 PM

Time Spent:

2h

Stage Verification

Prasad Pise (Inactive) made changes - 03/Aug/17 12:56 PM

Remaining Estimate	12.5h [ 45000 ]	10.5h [ 37800 ]
Time Spent	11.5h [ 41400 ]	13.5h [ 48600 ]
Worklog Id		69222 [ 69222 ]

Hide

Permalink

Prasad Pise (Inactive) added a comment - 04/Jan/18 04:32 AM

Hi Santosh Balid

This issue exist on pre-prod environment. Could you please check.

Show

Prasad Pise (Inactive) added a comment - 04/Jan/18 04:32 AM Hi Santosh Balid This issue exist on pre-prod environment. Could you please check.

Prasad Pise (Inactive) made changes - 04/Jan/18 04:32 AM

Assignee

Prasad Pise [ prasadp ]

Santosh Balid [ santosh.balid ]

Santosh Balid (Inactive) made changes - 16/Jan/18 05:43 AM

Item State

Parent values: LB QA(10201)Level 1 values: Re-open(10212)

Parent values: Development(10200)Level 1 values: On Hold(10207)

Hide

Permalink

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:20 PM

Please plan it in future sprints.

Cc : Satya, Jaideep Vinchurkar, Bharti Satpute

Show

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:20 PM Please plan it in future sprints. Cc : Satya , Jaideep Vinchurkar , Bharti Satpute

Santosh Balid (Inactive) made changes - 16/Jan/18 01:20 PM

Assignee

Santosh Balid [ santosh.balid ]

Gaurav Sodani [ gaurav.sodani ]

Vijayendra Shinde (Inactive) made changes - 15/Dec/20 02:53 AM

Link

This issue relates to DEV-13718 [ DEV-13718 ]

Transition	Time In Source Status	Execution Times

Rohan J Khandave (Inactive) made transition - 26/Jul/17 10:01 AM

Open

In Development

6d 4h 14m

Rohan J Khandave (Inactive) made transition - 31/Jul/17 07:45 AM

In Development

In LB Testing

4d 21h 43m

People

Assignee:: Gaurav Sodani (Inactive)

Reporter:: Prasad Pise (Inactive)

Developer:: Rohan J Khandave (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Jul/17 05:47 AM

Updated:: 15/Dec/20 02:53 AM

Code Review Date:: 31/Jul/2017

Time Tracking

Estimated:

24h

Remaining:

10.5h

Logged:

13.5h