Therefore, an attacker can easily change or delete personal data (such as name, phone number, or email address) without the user's approval. The following image shows this problem.

Access to the /ip/admin/ page is normally restricted through HTTP basic authentication. However, the Edoc-doctor-appointment-system v1.0.1 application does not enforce this restriction. An attacker can easily exploit this vulnerability by sending a request with a valid session cookie. The attacker can then access and edit the administrator data. Note: the Edoc-doctor-appointment-system v1.0.1 application accepts both HTTP and HTTPS requests, so the issue can be exploited regardless of the protocol used.

Common Web Application Security Weaknesses

There are many common web application security weaknesses such as this one. The following list gives some examples of these weaknesses.

- Using HTTP instead of HTTPS
- Lack of session management
- Using weak passwords or hard-coded credentials
- Not restricting access to administrative pages

To mitigate this issue, an organization could deploy a Web Application Firewall (WAF) as a compensating control to help prevent attacks from succeeding while the missing access restriction on the administrative pages is fixed in the application itself.
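The following is an added example, not code from the Edoc-doctor-appointment-system project. It models the server-side flaw described above (the admin area accepts any valid session cookie, over HTTP or HTTPS) next to a hardened authorization check that addresses the listed weaknesses: it refuses plaintext requests, requires a session, and only lets the admin role reach the admin prefix, recording each denial for detection. The session store, the cookie name "session", the Request shape, the audit list, and the status codes are all assumptions constructed for the demo.

```python
"""Added example (not the project's own code): a minimal request-authorization
layer contrasting a check that accepts any valid session for /ip/admin/ with a
role- and transport-aware check. Sessions and requests are constructed here."""
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Constructed session store: session id -> (username, role). A real application
# would hold this server-side (database, cache or PHP session files).
SESSIONS = {
    "sid-admin-1": ("alice", "admin"),
    "sid-patient-7": ("bob", "patient"),
}

# Path prefixes that must be limited to administrators (the advisory's page).
ADMIN_PREFIXES = ("/ip/admin/",)

# Assumed cookie name carrying the session id.
SESSION_COOKIE = "session"

# Constructed audit log; a real deployment would feed its logger / SIEM.
AUDIT = []


@dataclass
class Request:
    path: str
    scheme: str            # "http" or "https"
    cookie_header: str = ""  # raw value of the Cookie: header


def session_from_cookie(cookie_header):
    """Parse the Cookie header and resolve the session; None if absent or unknown."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def vulnerable_authorize(req):
    """Behaviour the advisory describes: the admin area only verifies that
    *some* valid session exists, so a patient's cookie is sufficient, and the
    transport is never checked."""
    if session_from_cookie(req.cookie_header) is None:
        return 401
    return 200


def hardened_authorize(req):
    """Deny by default: plaintext is rejected, a session is required, and the
    admin prefix additionally requires the admin role. Denials are audited so
    repeated attempts from ordinary accounts can be detected."""
    if req.scheme != "https":
        AUDIT.append(f"DENY reason=plaintext path={req.path}")
        return 403
    sess = session_from_cookie(req.cookie_header)
    if sess is None:
        return 401
    user, role = sess
    if req.path.startswith(ADMIN_PREFIXES) and role != "admin":
        AUDIT.append(f"DENY reason=role user={user} role={role} path={req.path}")
        return 403
    return 200


def compare(req):
    """Return (vulnerable_status, hardened_status) for one request."""
    return vulnerable_authorize(req), hardened_authorize(req)


if __name__ == "__main__":
    patient = Request("/ip/admin/", "https", "session=sid-patient-7")
    print("patient cookie on admin page:", compare(patient))  # (200, 403)
    print("audit:", AUDIT)
```

The audit entries are what a defender would alert on: a non-admin session repeatedly receiving 403 on the admin prefix is a strong signal that someone is probing the access control, which the vulnerable version would have silently allowed.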

Timeline

Published on: 08/26/2022 21:15:00 UTC
Last modified on: 08/31/2022 18:46:00 UTC

References