04-25-2020 05:42 AM
Hi Team,
After the user login page and before landing on the dashboard page, the security testing team is able to change the logged-in user name.
They are using the Burp Suite tool to intercept the request.
Let's say user1 is logging in, and in the request interceptor they change the name to admin, and the admin user logs in.
How can we stop this thing?
Thanks,
Hardik
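The flow described in this post, modelled as an added example (not Alfresco code and not from any poster in this thread): a login handler that hands the user name back to the client and trusts it on the next request, next to a hardened version that binds identity to an opaque server-side session at the moment the password is verified. The user store, passwords, salt and request shapes are all constructed for the demo; the `intercept_and_tamper` helper stands in for the proxy edit the tester performs.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo user store: username -> PBKDF2 hash. Not real credentials.
_SALT = b"demo-salt-constructed"  # fixed so the example is reproducible


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS: Dict[str, bytes] = {
    "user1": _pbkdf2("user1-password", _SALT),
    "admin": _pbkdf2("admin-password", _SALT),
}


def verify_credentials(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        _pbkdf2(password, _SALT)  # hash anyway so unknown users cost the same time
        return False
    return hmac.compare_digest(stored, _pbkdf2(password, _SALT))


# --- Vulnerable flow: the behaviour the thread describes --------------------
# The redirect to the dashboard carries the user name, and the dashboard
# takes its identity from that client-controlled field.
def vulnerable_login(username: str, password: str) -> Optional[dict]:
    if not verify_credentials(username, password):
        return None
    return {"path": "/dashboard", "params": {"user": username}}


def vulnerable_dashboard(request: dict) -> str:
    return request["params"]["user"]  # whoever the request says you are


# --- Hardened flow ----------------------------------------------------------
# Identity is recorded server-side under a random session id when the
# password check succeeds; later requests only present that id.
SESSIONS: Dict[str, str] = {}  # session id -> username, server memory only


def hardened_login(username: str, password: str) -> Optional[dict]:
    if not verify_credentials(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return {"path": "/dashboard", "cookies": {"sid": sid}}


def hardened_dashboard(request: dict) -> Optional[str]:
    # Any "user" field the client adds is ignored; only the session counts.
    sid = request.get("cookies", {}).get("sid")
    return SESSIONS.get(sid)


def intercept_and_tamper(redirect: dict, target: str) -> dict:
    """Model the proxy step from the thread: the follow-up request is edited
    so that its user name field names the target account."""
    tampered = {k: (dict(v) if isinstance(v, dict) else v) for k, v in redirect.items()}
    tampered.setdefault("params", {})["user"] = target
    return tampered


def demo():
    """Log in as user1 in both flows, tamper the next request, and report
    which account each dashboard ends up showing."""
    v = intercept_and_tamper(vulnerable_login("user1", "user1-password"), "admin")
    h = intercept_and_tamper(hardened_login("user1", "user1-password"), "admin")
    return vulnerable_dashboard(v), hardened_dashboard(h)


if __name__ == "__main__":
    print(demo())
```

The point of the hardened half is that nothing the client sends after authentication names the user: the only thing it holds is an opaque, unguessable session id, and the mapping from that id to an account lives on the server. In a real deployment the session cookie would also be marked `HttpOnly` and `Secure`, and the session store would be the framework's own rather than a module-level dict.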
04-26-2020 12:11 PM
Are they absolutely certain they really were able to change the logged-in user's identity, and not just a secondary utility cookie used for a redirect?
Without a more detailed explanation of how they achieved this and what they changed at what point, e.g. by having a series of automated cURL calls and command line examples to change the cookie jar to consistently replay this, or a recorded HTTP packet trace, it will be difficult to give you any input on how you can "stop this thing".
04-27-2020 09:53 AM
Hey, Hardik! In the Admin console, admins can view only the information and perform only the tasks that their role's privileges allow. For example, you assign the pre-built User Management role to someone. Then they can view and modify only specific user profiles and settings for people who aren't admins. Before you start, decide whether you want to assign a pre-built system role or create a custom role. To view the system roles and any existing custom roles in the Admin console: you must be signed in as a super administrator for this task. From the Admin console Home page, go to Admin roles. Then you can change the settings; if it doesn't work, I have no idea what to do.