Peter Chen created FINERACT-2126:
------------------------------------

             Summary: Authentication Bypass via Response Manipulation
                 Key: FINERACT-2126
                 URL: https://issues.apache.org/jira/browse/FINERACT-2126
             Project: Apache Fineract
          Issue Type: Bug
          Components: Client, Security
            Reporter: Peter Chen


h2. Description
 
An attacker can bypass the authentication mechanism of the application and view 
the internal portal via response manipulation.
 
h2. Reproduction Steps
 
1- Visit one of the following URLs: [https://demo.mifos.io|https://demo.mifos.io/] or 
https://openmf.github.io/web-app/

2- Enter any invalid credentials, e.g. {{test:test}}

3- Click on {{Login}} and intercept the resulting request with the Burp Suite 
proxy.

4- With the request {{POST /fineract-provider/api/v1/authentication}} 
intercepted, right click and select *Do intercept* → *Response to this 
request.*

5- The intercepted response is {{401 Unauthorized}}. Change the status line from 
{{401 Unauthorized}} to {{200 OK}} and the *httpStatusCode* field in the body 
from *401* to *200*, then forward the response and turn off interception.

6- Notice that you have been logged into the application without valid credentials.

 
h2. Impact Details
This type of attack lets an attacker view the application's internal dashboards 
and gain the understanding of its layout needed to launch a more sophisticated 
attack.
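The root cause in the steps above is a client that decides it is logged in from the response status alone. The following is an added illustration, not code from the Fineract web app: the bypassable check next to a login flow that only trusts a credential the server itself accepts on a follow-up request. The API paths, response field names and the in-memory backend are assumptions made for the demo.

```javascript
// Added illustration, not Fineract code. Paths, field names and the fake
// backend are assumptions for the demo.

// Vulnerable pattern: any 200 (or an "httpStatusCode" of 200 in the body) is
// taken as a successful login, so an intercepted 401 rewritten to 200 passes.
function naiveIsLoggedIn(status, body) {
  return status === 200 || (body && body.httpStatusCode === "200");
}

// Hardened check: a tampered status line carries no credential, so require one.
function extractCredential(status, body) {
  if (status !== 200 || !body || body.authenticated !== true) return null;
  const key = body.base64EncodedAuthenticationKey;
  return typeof key === "string" && key.length > 0 ? key : null;
}

// Login only succeeds once the server accepts the credential on a follow-up
// authenticated request; the client never decides on its own.
function login(api, username, password) {
  const res = api.post("/authentication", { username, password });
  const key = extractCredential(res.status, res.body);
  if (key === null) return { loggedIn: false, reason: "no credential in response" };
  const check = api.get("/userdetails", { Authorization: "Basic " + key });
  if (check.status !== 200) return { loggedIn: false, reason: "credential rejected by server" };
  return { loggedIn: true, user: check.body.username };
}

// Constructed in-memory backend standing in for the authentication API.
function fakeApi(validKey) {
  return {
    post(path, creds) {
      if (creds.username === "alice" && creds.password === "correct-pass")
        return { status: 200, body: { authenticated: true, base64EncodedAuthenticationKey: validKey } };
      return { status: 401, body: { httpStatusCode: "401", defaultUserMessage: "Unauthenticated" } };
    },
    get(path, headers) {
      if (headers.Authorization === "Basic " + validKey) return { status: 200, body: { username: "alice" } };
      return { status: 401, body: {} };
    },
  };
}
```

Against the naive check, the rewritten "200 OK" with a 401 body logs the user in; against the hardened flow it yields no credential, and a forged key is refused by the server on the follow-up call.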



--
This message was sent by Atlassian Jira
(v8.20.10#820010)