[ https://issues.apache.org/jira/browse/FINERACT-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gavin McDonald updated FINERACT-2126:
-------------------------------------
Description: [Redacted] (was: h2. Description
An attacker can bypass the authentication mechanism of the application and view the internal portal via response manipulation.
h2. Reproduction Steps
1- Visit the following URL: [https://demo.mifos.io|https://demo.mifos.io/] or https://openmf.github.io/web-app/
2- Enter any invalid credentials i.e. {{test:test}}
3- Click on {{Login}} and make sure to intercept the request using the BurpSuite tool.
4- After intercepting the following request: {{POST /fineract-provider/api/v1/authentication}}, right-click and select *Do intercept* → *Response to this request.*
5- The response received displays 401 Unauthorized; now change the {{401 Unauthorized}} to {{200 OK}} and *httpStatusCode* from *401* to *200*, forward the request and turn off the intercept.
6- Notice you have anonymously logged into the application.
h2. Impact Details
This type of attack can help the attackers view the internal dashboards of the application and get a better understanding to launch a more sophisticated attack.)
> Authentication Bypass via Response Manipulation
> -----------------------------------------------
>
> Key: FINERACT-2126
> URL: https://issues.apache.org/jira/browse/FINERACT-2126
> Project: Apache Fineract
> Issue Type: Bug
> Components: Client, Security
> Reporter: Peter Chen
> Priority: Minor
> Labels: security, web
>
> [Redacted]
--
This message was sent by Atlassian Jira (v8.20.10#820010)