Security controls bypass or absence - Data creation

Description

The restriction that allows only four beneficiaries to be created when generating a policy can be bypassed, so multiple beneficiaries can be associated with a single request, which affects the integrity of the data sent.

Impact

Associate multiple users without restriction.

Recommendation

Validate on the server side the types of data entered into the different types of fields in the application.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R
  • Score:
    • Base: 4.3
    • Temporal: 4.2
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

All user input is correctly validated before being handled by the application.

const addBeneficiaries = (req, res) => {
  if (isValidUser(req.body.user) && req.body.newBeneficiariesAmount < 4) {
    // Check data on the server side
    const beneficiaries = req.body.beneficiaries;
    const areBeneficiariesValid = verifyBeneficiaries(beneficiaries);
    if (areBeneficiariesValid) {
      // Only verified data reaches the user model
      addNewBeneficiaries(beneficiaries);
    }
  } else {
    res.message("Unable to add beneficiaries, verify the limitations and requirements");
  }
};

Non compliant code

Unvalidated/unsanitized input data is handled by the application.

const addBeneficiaries = (req, res) => {
  if (isValidUser(req.body.user) && req.body.newBeneficiariesAmount < 4) {
    // Unchecked server side data added to the user model
    const beneficiaries = req.body.beneficiaries;
    addNewBeneficiaries(beneficiaries);
  } else {
    res.message("Unable to add beneficiaries, verify the limitations and requirements");
  }
};
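
Server-side check sketch

The following is an added example, not part of the original page: one way a server-side check could enforce the four-beneficiary limit on the list that was actually submitted plus what is already stored, instead of on a client-supplied number such as `newBeneficiariesAmount`. The function name `validateBeneficiaries`, the `documentId` and `name` fields and their formats are assumptions made for illustration.

```javascript
// Added example: every name and field format here is an assumption,
// except the four-beneficiary cap taken from the description.
const MAX_BENEFICIARIES = 4;

// Returns { ok, errors } for a submitted list, given how many
// beneficiaries the policy already has stored on the server.
function validateBeneficiaries(existingCount, submitted) {
  const errors = [];
  if (!Array.isArray(submitted) || submitted.length === 0) {
    return { ok: false, errors: ["beneficiaries must be a non-empty array"] };
  }
  // Count what was actually sent, never a client-declared amount.
  const total = existingCount + submitted.length;
  if (total > MAX_BENEFICIARIES) {
    errors.push(`policy would hold ${total} beneficiaries, limit is ${MAX_BENEFICIARIES}`);
  }
  const seen = new Set();
  submitted.forEach((b, i) => {
    if (b === null || typeof b !== "object" || Array.isArray(b)) {
      errors.push(`entry ${i}: must be an object`);
      return;
    }
    const { documentId, name } = b;
    if (typeof documentId !== "string" || !/^[0-9]{6,12}$/.test(documentId)) {
      errors.push(`entry ${i}: documentId must be 6-12 digits`);
    } else if (seen.has(documentId)) {
      errors.push(`entry ${i}: duplicate documentId`);
    } else {
      seen.add(documentId);
    }
    if (typeof name !== "string" || name.trim().length === 0 || name.length > 100) {
      errors.push(`entry ${i}: name must be 1-100 characters`);
    }
  });
  return { ok: errors.length === 0, errors };
}

// Constructed sample request bodies.
const honest = [{ documentId: "10203040", name: "Ana Perez" }];
const tampered = {
  newBeneficiariesAmount: 1, // declared amount passes a "< 4" check...
  beneficiaries: Array.from({ length: 6 }, (_, i) => ({
    documentId: String(10000000 + i), name: `Person ${i}`,
  })), // ...while the list itself holds six entries
};

console.log(validateBeneficiaries(2, honest));                 // accepted
console.log(validateBeneficiaries(0, tampered.beneficiaries)); // rejected
```

A handler would call this with the count read from its own data store and reject the request when `ok` is false.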

Requirements