Security controls bypass or absence - Tampering Protection

Description

When a new payment is added, the application validates that the payment number is valid and that the user has no outstanding bills in the system. However, these checks can be bypassed: the validation response can be modified so that the process of adding a new payment continues.

Impact

Bypass application validations.

Recommendation

Perform validations on the server during the entire application process.

Threat

Authorized attacker from the Internet.

Expected Remediation Time

⌚ 450 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application securely checks the user credentials before accessing sensitive information, and keeps validating on the server for the rest of the process.

app.post('/user/payment', (req, res) => {
  const { username, password, paymentInfo } = req.body;
  // Look the user up on the server; never trust a client-supplied user object
  const user = users.find(u => u.username === username && u.password === password);
  // Check that the user exists (and that paymentInfo was sent) before reading its pending bills
  const validPayInfo = user && paymentInfo && isValidPayment(paymentInfo.number, user.pendingBills);
  if (user && validPayInfo) {
    // This code should validate the rest of the application process on the server,
    // setting limits for the number of tries and verifying user settings
  } else {
    res.send('Unable to process payment. Try again');
  }
});

Non compliant code

The code continues with the payment process without performing any further server-side validation, which allows the user to bypass the authorization verification.

app.post('/user/payment', (req, res) => {
  const { username, password, paymentInfo } = req.body;
  const user = users.find(u => u.username === username && u.password === password);
  // Check that the user exists (and that paymentInfo was sent) before reading its pending bills
  const validPayInfo = user && paymentInfo && isValidPayment(paymentInfo.number, user.pendingBills);
  if (user && validPayInfo) {
    // Continue with the process without performing extra validation
  } else {
    res.send('Unable to process payment. Try again');
  }
});

Details

https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05j-testing-resiliency-against-reverse-engineering#owasp-masvs

Requirements