Project Simple / ST-98

Web Security : Insufficient Authorization

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: High
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
      None
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Sprint:
      ST Sprint 2

      Description

      Vulnerability Description: The software does not perform or incorrectly performs an authorization check when a user attempts to access sensitive resources.

      Impact:
      Missing or inconsistent authorization controls allow users to access data or perform actions that they should not be allowed to access or execute. This can lead to a wide range of problems, including horizontal and vertical privilege escalation issues.

      Praetorian identified this issue by discovering 1095-C report retrieval endpoints designed to be accessible only to a specific user. The engineer, acting as an unauthenticated user, navigated directly to those endpoints and gained unauthorized access to a user's 1095-C zip file. This finding is demonstrated in the figure below. Additionally, the naming scheme for these files does not contain enough entropy to prevent successful guessing by an intelligent adversary. The file names are 26 characters long, with the only variation being the time of the request and a 4-digit identifier. The request time could be forced by an adversary (e.g. by sending a request link to a user) or is predictable (e.g. many employees request this file during tax season), and the remaining 4 digits could be determined by trying all possible 4-digit combinations.

      Recommendation
      All sensitive and privileged areas of an application should implement authorization controls to prevent unauthorized access. Developers should neither assume that "hiding" sensitive areas of an application is sufficient to protect privileged resources, nor make authorization decisions based on parameters that a malicious user can easily tamper with.
      In order to prevent horizontal and vertical privilege escalation, the application should verify the following components when validating a request:
      1. Subject (e.g. user or group)
      2. Action (e.g. CRUD - create, read, update, delete)
      3. Object (e.g. data element - account number, shopping cart ID, etc.)
      Normally, the session management system of the underlying development framework will provide the necessary instrumentation for developing a solid authorization system. Once a user authenticates to a remote application, he or she is typically assigned a session identifier or token that is cryptographically secure with sufficient entropy and length. This session identifier/token is used to authenticate each user request for the duration of the transient session. When making authorization decisions, the application maps the session identifier/token to the user and his/her associated roles and privileges. Correct implementation of these components can successfully prevent both horizontal and vertical privilege escalation attacks throughout the application.
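      The following is an added illustration, not code from the ticket or from the BenAdmin application, of the Subject / Action / Object check recommended above applied to a report-download endpoint. The session store, role table, report owners and token names are all constructed for the example; the "insecure" handler models the finding (a hidden endpoint with no check), and the hardened handler resolves the subject from the session token only, never from a request parameter. It also contrasts the guess space of a 4-digit identifier with a randomly generated file identifier.

```python
"""Added example: object-level authorization for a 1095-C report download.
All data below (sessions, roles, report owners) is constructed for illustration."""
import math
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample state: session token -> user, user -> roles, report -> (owner, content).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}
ROLES = {"alice": {"employee"}, "bob": {"employee"}, "carol": {"employee", "benefits_admin"}}
REPORTS = {
    "rpt-1001": ("alice", b"PK..constructed 1095-C zip for alice"),
    "rpt-1002": ("bob", b"PK..constructed 1095-C zip for bob"),
}


@dataclass
class Request:
    session_token: Optional[str]  # session cookie value; None when unauthenticated
    report_id: str                # the Object the request acts on


def resolve_subject(token: Optional[str]) -> Optional[str]:
    """Subject comes only from the server-side session, never from a query parameter."""
    return SESSIONS.get(token) if token else None


def is_authorized(subject: str, action: str, report_id: str) -> bool:
    """Subject / Action / Object decision: an employee may read only their own
    report; a benefits_admin may read any report. Every other action is denied."""
    entry = REPORTS.get(report_id)
    if entry is None or action != "read":
        return False
    owner, _ = entry
    if "benefits_admin" in ROLES.get(subject, set()):
        return True
    return owner == subject


def download_report_insecure(req: Request) -> Tuple[str, Optional[bytes]]:
    """Models the finding: a 'hidden' endpoint that serves the file to anyone
    who knows (or guesses) the identifier. Kept here only for contrast."""
    entry = REPORTS.get(req.report_id)
    return ("200", entry[1]) if entry else ("404", None)


def download_report(req: Request) -> Tuple[str, Optional[bytes]]:
    """Hardened handler: authenticate via session, then authorize on the object."""
    subject = resolve_subject(req.session_token)
    if subject is None:
        return ("401", None)                      # no valid session
    if not is_authorized(subject, "read", req.report_id):
        return ("403", None)                      # wrong subject for this object
    return ("200", REPORTS[req.report_id][1])


def numeric_id_bits(digits: int = 4) -> float:
    """Guess space of an all-numeric identifier: log2(10**4) is about 13.3 bits."""
    return math.log2(10 ** digits)


def random_report_id() -> str:
    """A file identifier with real entropy (32 random bytes, about 256 bits)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    anon = Request(None, "rpt-1001")
    print("insecure, unauthenticated:", download_report_insecure(anon)[0])   # 200
    print("hardened, unauthenticated:", download_report(anon)[0])            # 401
    print("hardened, bob reads alice:", download_report(Request("tok-bob", "rpt-1001"))[0])  # 403
    print("hardened, alice reads own:", download_report(Request("tok-alice", "rpt-1001"))[0])  # 200
    print("4-digit id bits: %.1f; random id: %s" % (numeric_id_bits(), random_report_id()))
```

The authorization decision is made per object on every request, so enumerating identifiers yields only 401/403 responses; the random identifier addresses the separate entropy point but is not a substitute for the check.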

          Activity

          vijayendra Vijayendra Shinde (Inactive) added a comment -

          Hi Deepali,

          1. We never upload a txt file from the Upload PGP key page. We should only allow .asc files from that screen. I am checking with the Export team to remove the txt extension from the Upload PGP screen.

          2. This is by design.
          You will only be able to upload an image from the Format Paycheck page when the Display Logo flag is set to Yes. Please refer to the attached snapshot for the same. I am able to upload a file on the Format Paycheck screen, so that is not an issue.

          Thanks

          deepalit Deepali Tidke (Inactive) added a comment -

          As per the above comments, both points seem to be by design, hence this can be moved to stage for the current Jira.

          deepalit Deepali Tidke (Inactive) added a comment -

          As per the attached, checked the mentioned pages on stage >> working fine.

          vijayendra Vijayendra Shinde (Inactive) added a comment -

          Ashwin Wankhede Rohan J Khandave

          Please remember to build the export scheduler service during the Production build, as there are changes in the function prototypes for export and import.

          Thanks.

          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Tested the mentioned pages; working fine as expected.


            People

            Assignee:
            venkatesh.pujari Venkatesh Pujari (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Vijayendra Shinde (Inactive)
            Votes:
            0
            Watchers:
            5
