SAMI Report

The report identifies a medium risk vulnerability related to Insecure Direct Object Reference (IDOR) in the Sami web application, allowing unauthorized access to sensitive data. The findings recommend enforcing proper access controls, using indirect references, and validating redirect URLs to mitigate risks. Tools used for the assessment include Burp Suite, Nikto, and Nmap.

Uploaded by: rockyyyy884
Copyright © All Rights Reserved

REPORT OF SAMI

PREPARED BY: POONAM
Scope:
Organization:  Sami
Application:   Web Application
Asset URL:     http://103.171.45.88:8080/#/admin/homedashboard

Summary of Findings:
Risk Level      No. of Vulnerabilities
High Risk       0
Medium Risk     1
Low Risk        0
Informational   0

Tools/Software Used:

S. No.  Tool Name    Version
1       Burp Suite   v2024.10.3
2       Linux
3       Nikto        v2.5
4       Nmap         v7.95

Findings:
Finding No.  Vulnerable URL  Vulnerability title                       Severity  Status
1            http://1        Insecure Direct Object Reference (IDOR)   Medium    Open
Detailed Observation

Insecure Direct Object Reference (IDOR):

Issue severity: Medium

Description: Insecure Direct Object References (IDOR) occur when an application exposes internal objects (such as files or database records) through user-controlled input, for example URL path segments or request parameters, without verifying on the server that the requesting user is authorized for that specific object. An attacker can then change the input to reach other users' resources, potentially leading to data breaches or unauthorized actions.

Steps to Reproduce:
1. Navigate to http://103.171.45.88:8080/.
2. Append an arbitrary keyword to the URL so that the application redirects to another page.
3. The application redirected to http://103.171.45.88:8080/#/admin/homedashboard, the admin home dashboard, without requiring authentication.
Note: everything after '#' is a client-side route that the browser never sends to the server, so loading this URL is not by itself proof of access. To confirm the finding, replay the backend requests the dashboard issues (visible in the Burp Suite proxy HTTP history) without the session cookie and check that they still return data.
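The confirmation step above, as an added example that is not part of the original report: the script requests each backend endpoint with no session cookie and reports those that still return data. The endpoint paths, the fake backend responses, and the `looks_like_data` heuristic are constructed assumptions, not observations from the Sami application; `urllib_fetch` is the real transport to substitute when running against a live target.

```python
"""Verify an unauthenticated-access finding that sits behind a '#/...' route.

Added example (not the report's or the Sami application's code). Browsers
never send the URL fragment to the server, so the check that matters is
whether the backend API calls made by the dashboard succeed without a
session. Endpoint paths and responses below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit
import urllib.error
import urllib.request


@dataclass
class Response:
    status: int
    content_type: str
    body: str


Fetch = Callable[[str, Dict[str, str]], Response]


def server_side_path(url: str) -> str:
    """Path the server actually receives: the fragment after '#' is dropped."""
    return urlsplit(url).path or "/"


def looks_like_data(resp: Response) -> bool:
    """Heuristic for 'returned data without a session': a 200 with JSON, or
    200 HTML that is not a login page. Tune this to the target application."""
    if resp.status != 200:
        return False
    if "json" in resp.content_type.lower():
        return True
    return "login" not in resp.body.lower()


def probe_unauthenticated(base: str, endpoints: List[str], fetch: Fetch) -> List[Tuple[str, int]]:
    """Request each endpoint with no Cookie/Authorization header and return
    the ones that still hand back data."""
    exposed = []
    for endpoint in endpoints:
        resp = fetch(base + endpoint, {})  # deliberately no credentials
        if looks_like_data(resp):
            exposed.append((endpoint, resp.status))
    return exposed


def urllib_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Real transport for a live target (not exercised in the offline demo)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return Response(r.status, r.headers.get("Content-Type", "") or "",
                            r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Content-Type", "") or "",
                        e.read().decode("utf-8", "replace"))


# Constructed stand-in for the backend: the summary endpoint ignores auth
# (the flaw), the users endpoint enforces it, and /login is a login page.
FAKE_BACKEND = {
    "/api/dashboard/summary": Response(200, "application/json", '{"users": 42, "revenue": 1000}'),
    "/api/users": Response(401, "application/json", '{"error": "unauthorized"}'),
    "/login": Response(200, "text/html", "<html><form>Login</form></html>"),
}
CANDIDATE_ENDPOINTS = ["/api/dashboard/summary", "/api/users", "/login"]


def fake_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Offline transport that answers from FAKE_BACKEND regardless of headers."""
    return FAKE_BACKEND.get(urlsplit(url).path, Response(404, "text/plain", "not found"))


def run_demo() -> List[Tuple[str, int]]:
    return probe_unauthenticated("http://103.171.45.88:8080", CANDIDATE_ENDPOINTS, fake_fetch)


if __name__ == "__main__":
    print("server sees:", server_side_path("http://103.171.45.88:8080/#/admin/homedashboard"))
    for endpoint, status in run_demo():
        print(f"EXPOSED {status} {endpoint}")
```

Against a real target, swap `fake_fetch` for `urllib_fetch` and fill `CANDIDATE_ENDPOINTS` from the proxy history; an endpoint that appears in the output is the evidence the finding needs.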
Impact:
1. Unauthorized Data Access: Attackers can read sensitive information such as personal data, financial records, or confidential files belonging to other users.
2. Data Manipulation: Attackers may modify, delete, or exfiltrate data they should not be able to reach.
3. Privilege Escalation: Reaching administrative pages or records through IDOR can grant attackers higher access levels than their account permits.

Recommendation:
1. Enforce server-side access controls: for every request, verify on the server that the authenticated session holds the permission required for the specific resource. A user can manipulate URLs and parameters freely, so client-side checks alone do not count.
2. Use indirect references: instead of exposing internal identifiers (user IDs, file names, database keys), hand out random or opaque tokens that the server maps back to the real identifier, so references cannot be guessed or incremented.
3. Check authorization at every level: a valid login is not enough; the application must also confirm that this user is allowed to access this particular object, based on ownership and role or attributes (RBAC or ABAC).
4. Validate all redirect URLs: accept only redirect targets from a whitelist of allowed paths and reject absolute or protocol-relative URLs, so users cannot be sent to untrusted or malicious websites.
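The four controls above, as an added example that is not code from the Sami application: a vulnerable lookup that trusts the client-supplied id is shown beside the same lookup with a per-object authorization check, followed by per-session indirect references and a redirect whitelist. The records, users, roles, and allowed redirect paths are constructed assumptions.

```python
"""Hardened object access and redirect validation (added example, not the
Sami application's code). Data below is constructed for illustration."""
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed data store: record id -> owner and payload.
RECORDS: Dict[int, dict] = {
    101: {"owner": "alice", "data": "alice's invoice"},
    102: {"owner": "bob", "data": "bob's invoice"},
}
ROLES: Dict[str, str] = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Raised for both 'not yours' and 'does not exist', so the response does
    not reveal which ids are valid."""


def get_record_vulnerable(user: str, record_id: int) -> Optional[dict]:
    """The IDOR pattern: the id from the URL is looked up with no ownership
    check, so any logged-in user reads any record by changing the number."""
    return RECORDS.get(record_id)


def is_authorized(user: str, record: dict) -> bool:
    """Per-object check: the owner, or an admin role (ownership + RBAC)."""
    return ROLES.get(user) == "admin" or record["owner"] == user


def get_record_secure(user: str, record_id: int) -> dict:
    """Same lookup, but the server verifies this user's permission for this object."""
    record = RECORDS.get(record_id)
    if record is None or not is_authorized(user, record):
        raise Forbidden("access denied")
    return record


def can_access(user: str, record_id: int) -> bool:
    try:
        get_record_secure(user, record_id)
        return True
    except Forbidden:
        return False


class ReferenceMap:
    """Indirect references: opaque per-session handles instead of raw ids."""

    def __init__(self) -> None:
        self._handle_to_id: Dict[str, int] = {}
        self._id_to_handle: Dict[int, str] = {}

    def handle_for(self, record_id: int) -> str:
        if record_id not in self._id_to_handle:
            handle = secrets.token_urlsafe(16)  # unguessable, not incrementable
            self._handle_to_id[handle] = record_id
            self._id_to_handle[record_id] = handle
        return self._id_to_handle[record_id]

    def resolve(self, handle: str) -> Optional[int]:
        return self._handle_to_id.get(handle)


def get_record_by_handle(user: str, refs: ReferenceMap, handle: str) -> dict:
    record_id = refs.resolve(handle)
    if record_id is None:
        raise Forbidden("unknown reference")
    # Indirection hides ids but is not a substitute for authorization.
    return get_record_secure(user, record_id)


def indirect_reference_demo() -> Dict[str, bool]:
    """alice's handle for record 101 must work for alice and fail for bob."""
    refs = ReferenceMap()
    handle = refs.handle_for(101)
    results = {"stable": refs.handle_for(101) == handle,
               "unknown_rejected": refs.resolve("bogus") is None,
               "alice_ok": get_record_by_handle("alice", refs, handle)["owner"] == "alice"}
    try:
        get_record_by_handle("bob", refs, handle)
        results["bob_blocked"] = False
    except Forbidden:
        results["bob_blocked"] = True
    return results


ALLOWED_REDIRECT_PATHS = {"/", "/dashboard", "/account"}  # assumed whitelist


def safe_redirect(target: str) -> str:
    """Return a whitelisted local path, or '/' for anything else. Absolute and
    protocol-relative targets are rejected; the query string is dropped."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or target.startswith(("//", "\\\\")):
        return "/"
    return parts.path if parts.path in ALLOWED_REDIRECT_PATHS else "/"
```

The point of `Forbidden` covering both missing and unauthorized records is that an attacker enumerating ids learns nothing from the difference between 403 and 404; the point of checking authorization again inside `get_record_by_handle` is that an opaque handle only stops guessing, it does not stop a user replaying a handle they were legitimately given for a resource they no longer own.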
