Skip to main content

Insecure object reference - Corporate information

Description

It is possible to include or modify employee information of third party companies by uploading an excel file and changing the payrollNumber. An attacker can initiate a request to upload an excel file containing information on existing or non-existent employees and change the company identifier (payrollnumber) to one to which he does not have access. In this way the information sent is stored in the third party company, associating new employees or updating the information of those that already existed.

Impact

  • Start a file upload process.
  • Change the payrollNumber to not own.
  • Upload or modify information to a third party company.

Recommendation

Verify that the user who is trying to modify the information has the necessary permissions to access.

Threat

Unauthorized user with access to corporate information.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: H
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 6.5
    • Temporal: 6.5
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application allows access to sensitive information only to authorized users

const updateFiles = (req, res) => {
const { username, password } = req.body
if (!isValidUser(username, password)) {
res.status(401).end();
return;
}
// Grant Access without checking privileges
const userCredentials = getCredentials(username);
if(userCredentials == "admin"){
const accessToken = connectToDataBase(username);
return accessToken;
}
}

Non compliant code

The application grants access to sensitive information without verifying authorization credentials

const updateFiles = (req, res) => {
const { username, password } = req.body
if (!isValidUser(username, password)) {
res.status(401).end();
return;
}
// Grant Access without checking privileges
const accessToken = connectToDataBase(username);
return accessToken;
}

Requirements