382 – Insufficient data authenticity validation - Front bypass

Description

The credentials policy present in the system warns that these cannot be consecutive and/or repeated numbers, however this validation is only done in the front end of the application, so it is possible to modify the password from the same request and assign a key that goes against the policies.

Impact

Bypass security policies assigned for user keys.

Recommendation

The key creation policy must be validated on both the front and back ends of the application.

Threat

Attacker without credentials from the Internet.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 122 - Validate credential ownership
• 173 - Discard unsafe inputs
• 178 - Use digital signatures
• 320 - Avoid client-side control enforcement

Fixes

• Csharp
• Php
• Ruby
• Swift

Last updated

2024/02/20