WORKTERRAProject Type: software

WORKTERRA

Uploaded image for project: 'WORKTERRA'
  1. WORKTERRA
  2. WT-5688

[Secure Test] Request Details of Get URL for viewing Benefit Descriptions are having parameters as plain text and using same URL plan descriptions can be accessed across company.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:
      Production
    • Module:
      BenAdmin - Security
    • Reported by:
      Harbinger
    • Item State:
      Production QA

      Description

      [Secure Test] Request Details of Get URL for viewing Benefit Descriptions are having parameters as plain text and using same URL plan descriptions can be accessed across company.

      Start Tamper Data plugin for viewing Request Details.

      1. Login as Admin to Company 2.
      2. Login as Employee to Company 1
      3. Traverse Employee Self Serve mode to Enroll now plans like Medical,Dental,Vision etc.
      4. Click on Benefit Description
      5. Go to Tamper Data and check for the Request Details. Refer Screen Shots for details.
      6. Copy the URL and paste it in the Admin user's session of company 2
      7. Using same URL plan descriptions can be accessed across company.

      Refer screenshots for details

        Attachments

          Activity

          Descending order - Click to sort in ascending order
          Hide
          Permalink
          priya.dhamande Priya Dhamande (Inactive) added a comment -

          Environment: Production
          Company: El Camino Hospital For HSPL
          Login: Employee and Partner

          The patch is tested for Benefit description functionality on Production.

          Steps:
          1. Benefit Description Added for Medical plans.
          2. Benefit Type > Marked the check box for Benefit Description drop down.
          3. Add/Change Plan Design > Employees must view Benefit Description dropdown > Yes > Save
          4. Employee Login > Enroll Now Page > Medical Plan must have Benefit Description OR
          Partner login> Serach Employee > Benefits > Enroll now > Benefit Description
          5. Benefit Description Button > Benefit Description popup > Doc opens

          As mentioned during Stage Testing, the link appears for fraction of sec. so not able to copy the link and check with other company Admin.
          For the functionality of Benefit Description functionality it is working as expected on production. So, closing the jira on production.

          Show
          priya.dhamande Priya Dhamande (Inactive) added a comment - Environment: Production Company: El Camino Hospital For HSPL Login: Employee and Partner The patch is tested for Benefit description functionality on Production. Steps: 1. Benefit Description Added for Medical plans. 2. Benefit Type > Marked the check box for Benefit Description drop down. 3. Add/Change Plan Design > Employees must view Benefit Description dropdown > Yes > Save 4. Employee Login > Enroll Now Page > Medical Plan must have Benefit Description OR Partner login> Serach Employee > Benefits > Enroll now > Benefit Description 5. Benefit Description Button > Benefit Description popup > Doc opens As mentioned during Stage Testing, the link appears for fraction of sec. so not able to copy the link and check with other company Admin. For the functionality of Benefit Description functionality it is working as expected on production. So, closing the jira on production.
          Hide
          Permalink
          prasadp Prasad Pise (Inactive) added a comment -

          Hi Vijayendra Shinde
          Security Testing completed on Production for this issue.
          Thanks
          -Prasad
          CC : SamirVijay SiddhaRakesh Roy

          Show
          prasadp Prasad Pise (Inactive) added a comment - Hi Vijayendra Shinde Security Testing completed on Production for this issue. Thanks -Prasad CC : Samir Vijay Siddha Rakesh Roy
          Hide
          Permalink
          priya.dhamande Priya Dhamande (Inactive) added a comment - - edited

          Environment: Stage
          Company: ASML for Hspl

          The patch is tested for Benefit description functionality on Stage.

          Steps:
          1. Benefit Description Added for Medical and Dental plans.
          2. Benefit Type > Marked the check box for Benefit description drop down.
          3. Add/Change Plan Design > Employees must view Benefit Description dropdown > Yes > Save
          4., Employee Login > Enroll Now Page > Medical Plan must have Benefit description
          5. Benefit Description Button > Benefit Description popup > Doc should open

          As the link appears for fraction of sec. so not able to copy the link and check with other company Admin.
          For the functionality of Benefit Description functionality it is working as expected. So, moving the jira on further step.

          Prasad Pise: Assigning the jira to you for Production security testing.

          Show
          priya.dhamande Priya Dhamande (Inactive) added a comment - - edited Environment: Stage Company: ASML for Hspl The patch is tested for Benefit description functionality on Stage. Steps: 1. Benefit Description Added for Medical and Dental plans. 2. Benefit Type > Marked the check box for Benefit description drop down. 3. Add/Change Plan Design > Employees must view Benefit Description dropdown > Yes > Save 4., Employee Login > Enroll Now Page > Medical Plan must have Benefit description 5. Benefit Description Button > Benefit Description popup > Doc should open As the link appears for fraction of sec. so not able to copy the link and check with other company Admin. For the functionality of Benefit Description functionality it is working as expected. So, moving the jira on further step. Prasad Pise : Assigning the jira to you for Production security testing.
          Hide
          Permalink
          prasadp Prasad Pise (Inactive) added a comment -

          As mentioned above, assigned ticket to Rakesh Roy for functional testing.

          Show
          prasadp Prasad Pise (Inactive) added a comment - As mentioned above, assigned ticket to Rakesh Roy for functional testing.
          Hide
          Permalink
          prasadp Prasad Pise (Inactive) added a comment -

          HI Vijayendra Shinde

          Issue verified on Stage after patch deployment. I tried by removing the value of parameter "encryptedCompanyID" and hit Enter key. No Plan details displayed.
          User is asked to click on "Return to home page" button.

          Thanks

          • Prasad

          CC: SamirVijay SiddhaRakesh Roy

          Show
          prasadp Prasad Pise (Inactive) added a comment - HI Vijayendra Shinde Issue verified on Stage after patch deployment. I tried by removing the value of parameter "encryptedCompanyID" and hit Enter key. No Plan details displayed. User is asked to click on "Return to home page" button. Thanks Prasad CC: Samir Vijay Siddha Rakesh Roy
          6 older comments

            People

            Assignee:
            rakeshr Rakesh Roy (Inactive)
            Reporter:
            prasadp Prasad Pise (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: