Currently, I am facing a security issue with the following scenario:
On the Order List and Order Detail screens, I have implemented permission settings: users from a specific company are only allowed to view orders associated with that company on both the Order List and Order Detail screens. This setup results in the following behavior:
However, when using Burp Suite to test the security, a vulnerability is discovered: TestUser1 can view and edit orders with Company = "CPN B", for example, changing Information1 or Information2.
Since I am not experienced with using Burp Suite and haven't been provided with instructions on how to exploit this vulnerability, I am unsure of the cause or how to fix this issue.
Please provide advice on how to resolve this vulnerability.
Well,
maybe you can start by showing what you have implemented to make sure users can't see or edit data of the other company?
Are you using tenants? Did you secure the aggregates / server actions / CRUD actions?
Dorine
Hi @Dorine Boudry ,
Thank you for your comment.
I retrieve the session information of the logged-in user every time they connect to the screen. Then, I implement security for the aggregates, such as checking the role from the session information during filtering to decide whether the user has the right to view the returned data.
"secure the server actions /crud actions": Do you mean checking the role each time an action is executed?
@NGUYEN DUC THOAN
Maybe they hacked it by manipulating the UserID parameter in the request or something.
I have a suggestion for you: add a wrapper for the entity update action.
Before calling UpdateEntity, let's use GetUserId() and check again to make sure the user has permission to update that record.
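To make the gap concrete, here is an added illustration (not code from this thread or from the OutSystems platform) of the difference between filtering the list screen and checking ownership inside the update action itself. The order and session data are constructed sample values, and the names `update_order_vulnerable`, `update_order_secure`, `list_orders` and `can_update` are assumed for the example. The vulnerable function trusts the order id sent by the browser, which is exactly what a Burp replay changes; the secure one reloads the record on the server and compares its company with the company of the session user before writing, which is the wrapper suggested above.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    company: str
    information1: str
    information2: str


# Constructed sample data: one order per company.
ORDERS = {
    1: Order(1, "CPN A", "a1", "a2"),
    2: Order(2, "CPN B", "b1", "b2"),
}

# Constructed session store: logged-in user -> company. In a real app this is
# derived server-side (e.g. from the session user id), never from a request field.
SESSIONS = {
    "TestUser1": "CPN A",
    "TestUser2": "CPN B",
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested record."""


def list_orders(session_user):
    """Screen-level filter only: returns the orders of the caller's company.
    This protects what the list shows, but nothing stops a replayed update
    request from naming an order id that was never in the list."""
    company = SESSIONS[session_user]
    return [o for o in ORDERS.values() if o.company == company]


def can_update(session_user, order_id):
    """Authorization check for a single record: the record must exist and belong
    to the session user's company. Unknown ids and foreign ids are treated the
    same so the endpoint does not reveal which ids exist."""
    order = ORDERS.get(order_id)
    return order is not None and order.company == SESSIONS[session_user]


def update_order_vulnerable(session_user, order_id, information1, information2):
    """Vulnerable: assumes the order id came from the filtered list, so the
    session user is never compared against the record being written."""
    order = ORDERS[order_id]
    order.information1 = information1
    order.information2 = information2
    return order


def update_order_secure(session_user, order_id, information1, information2):
    """Hardened: re-check ownership right before the write, using the session
    user rather than anything supplied in the request body."""
    if not can_update(session_user, order_id):
        raise Forbidden(f"{session_user} may not update order {order_id}")
    order = ORDERS[order_id]
    order.information1 = information1
    order.information2 = information2
    return order


if __name__ == "__main__":
    print([o.order_id for o in list_orders("TestUser1")])  # TestUser1 only sees order 1
    # Replayed request with a foreign id succeeds against the vulnerable action...
    print(update_order_vulnerable("TestUser1", 2, "tampered", "tampered"))
    # ...and is rejected by the hardened one.
    try:
        update_order_secure("TestUser1", 2, "tampered", "tampered")
    except Forbidden as exc:
        print("rejected:", exc)
```

The check belongs in the update action (or a wrapper around it) because that is the only place that runs no matter how the request was produced; a list filter runs only when the user goes through the screen.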
Hi @Kiet Phan ,
Thank you for your suggestion.
I have implemented role checking whenever data is retrieved to display on the screen or when the user accesses the screen, but I haven't implemented role checking every time CRUD operations are executed.
This might be the gap that led to the issue mentioned.