Insecure object reference - Data

Description

A user can access information about other stores, obtain the members registered in them, modify those members, and add members, even for stores the user has not been assigned to, just by knowing the identifier that differentiates each store. This is possible because the application does not validate that the user has the necessary permissions for the access.

Impact

  • Obtain membership information from other stores.
  • Add members to other stores.
  • Modify partners in other stores.
  • Unsubscribe a partner.

Recommendation

Verify that the user who is trying to access the information has the necessary permissions to do so.

Threat

User authenticated from the Internet.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
  • Score:
    • Base: 6.3
    • Temporal: 6.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application verifies the user's credentials and the user's access to the requested store before allowing access to sensitive information.

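const accessStore = (req, res) => {
  // Reject requests from users that are not valid
  if (isValidUser(req.body.user)) {
    const store = req.body.store;
    // Confirm the store exists
    if (storesModel.find(store.id)) {
      // Confirm this user is allowed to access this particular store
      const isAccessGranted = verifyUserAccess(store, req.body.id);
      if (isAccessGranted) {
        // Code that allows access to the user to edit the store
      }
    }
  }
};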

Non compliant code

The application only checks the user ID before allowing access to sensitive information.

const accessStore = (req, res) => {
  if (isValidUser(req.body.user)) {
    const store = req.body.store;
    // Accessing store only with the id number
    if (storesModel.find(store.id)) {
      // Code that allows access to the user to edit the store
    }
  }
};
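
The following is an added example, not code from the original page: a self-contained version of the permission check the recommendation asks for, applied to both reading and adding store members. It assumes the user identity comes from a server-side session rather than the request body; `storeAssignments`, `storeMembers`, `userCanAccessStore`, `handleStoreRequest` and the sample data are hypothetical names and constructed values.

```javascript
// Constructed sample data: which users are assigned to which stores.
const storeAssignments = new Map([
  ["store-1", new Set(["alice"])],
  ["store-2", new Set(["bob"])],
]);
const storeMembers = new Map([
  ["store-1", [{ id: 1, name: "Member A" }]],
  ["store-2", [{ id: 2, name: "Member B" }]],
]);
let nextMemberId = 100;

// Hypothetical helper: is this authenticated user assigned to this store?
function userCanAccessStore(userId, storeId) {
  const assigned = storeAssignments.get(storeId);
  return assigned !== undefined && assigned.has(userId);
}

// The same permission check runs before every operation on a store.
function handleStoreRequest(req) {
  // Assumption: identity is taken from the server-side session.
  // Anything in req.body (including a "user" field) is client-controlled.
  const userId = req.session && req.session.userId;
  if (!userId) return { status: 401, body: { error: "not authenticated" } };

  const storeId = String(req.params.storeId);
  // Design choice: same 404 for "no such store" and "not assigned", so
  // responses do not reveal which store identifiers exist.
  if (!userCanAccessStore(userId, storeId)) {
    return { status: 404, body: { error: "store not found" } };
  }

  const members = storeMembers.get(storeId);
  if (req.method === "GET") return { status: 200, body: members };
  if (req.method === "POST") {
    const member = { id: nextMemberId++, name: String(req.body.name) };
    members.push(member);
    return { status: 201, body: member };
  }
  return { status: 405, body: { error: "method not allowed" } };
}
```
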

Requirements