
Insecure object reference - Personal information

Description

The system allows bypassing authentication mechanisms and modifying other users' information by altering the unique identifiers that distinguish each user.

Impact

Modify information of other users.

Recommendation

  • Validate that unprivileged users can only access and modify their own information.
  • Manage user operations using session objects.
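As an added example (not code from the original page), the two recommendations above in an Express-style handler: the acting user's identity is taken from the server-side session object, a client-supplied id that disagrees with it is refused, and only whitelisted non-sensitive fields are written. The `users` store, `req.session.userId` and the `makeRes` response stub are assumptions.

```javascript
// Added example (not from the original page). Assumed names: the in-memory
// `users` store, `req.session.userId` set by the login flow, and `makeRes`,
// a stand-in for an Express response object.

// Constructed sample store keyed by the server-assigned identifier.
const users = new Map([
  ['u-1001', { userUuid: 'u-1001', username: 'alice', description: 'dev' }],
  ['u-1002', { userUuid: 'u-1002', username: 'bob', description: 'ops' }],
]);

// Only these non-sensitive fields may be changed through the profile endpoint;
// identifiers such as userUuid are never writable by the client.
const UPDATABLE_FIELDS = new Set(['description']);

function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  res.end = () => res;
  return res;
}

function updateHandler(req, res) {
  // The acting user is whoever the session says, not whoever the body names.
  const actorId = req.session && req.session.userId;
  if (!actorId || !users.has(actorId)) {
    return res.status(401).end();
  }
  // A body-supplied id that differs from the session identity is a reference
  // to another user's record: refuse it instead of silently using it.
  if (req.body.userId !== undefined && req.body.userId !== actorId) {
    return res.status(403).json({ error: 'cannot modify another user' });
  }
  const record = users.get(actorId);
  const rejected = [];
  for (const [field, value] of Object.entries(req.body)) {
    if (field === 'userId') continue;
    if (UPDATABLE_FIELDS.has(field)) record[field] = value;
    else rejected.push(field);
  }
  return res.status(200).json({ updated: { ...record }, rejected });
}

// Usage: alice updates her description; the userUuid she also sends is dropped.
const demo = makeRes();
updateHandler({ session: { userId: 'u-1001' }, body: { description: 'lead', userUuid: 'x' } }, demo);
console.log(demo.statusCode, demo.body);
```

The `rejected` list in the response is useful as a detection signal: a client that keeps sending `userUuid` or `userId` values is probing for exactly the weakness this page describes.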

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

There are no methods in the application that allow an unauthorized user to edit sensitive information.

const updateHandler = (req, res) => {
  const { username, password, description } = req.body;
  // Reject the request unless the caller proves it owns the account
  if (!username || !isVerifiedUser(req.body.userId, password)) {
    res.status(401).end();
    return;
  }
  // Update methods should only update user non-sensitive information
  Users[username].description = description;
  return Users;
}

Non compliant code

The application allows an unauthorized user to edit a user's unique identifier.

const updateHandler = (req, res) => {
  const { username, password } = req.body;
  // Only checks that a username was supplied; the caller's identity is never verified
  if (!username) {
    res.status(401).end();
    return;
  }
  // Alter user unique identification with a client-supplied value
  Users[username].userUuid = req.body.uuid;
  return Users;
}

Requirements