
There are multiple endpoints in the application that are vulnerable.
1. A user with the least privileges has access to the endpoint and is able to change cloud and OLAP configuration parameters.
2. A user with the least privileges can see and generate reports of other organizations that should not be accessible to that user.
3. Any user has access to internal paths like that should be reachable only by an admin user.
Assuming a user with a given identity, authorization is the process of determining whether that user can access
a given resource, based on the user's privileges and any permissions or other access-control specifications that
apply to the resource.
When access control checks are not applied consistently - or not at all - users are able to access data or perform
actions that they should not be allowed to perform. This can lead to a wide range of problems, including
information exposures, denial of service, and arbitrary code execution.
A more specific test is to check whether any given user is able to access other users' resources. Users
should only be able to access functions, data files, URLs, controllers, services, and other resources for which
they possess specific authorization. This implies protection against spoofing and elevation of privilege.
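The following is an added illustration, not code from the application described above: a report endpoint with the missing object-level check beside its fixed form, plus a server-side role check for the configuration endpoint. The `User`, `Report` types and the sample data are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data (not from the report): each user belongs to one
# organization and holds a role; reports are scoped to an organization.
@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    role: str  # "user" or "admin"

@dataclass(frozen=True)
class Report:
    id: int
    org_id: int
    body: str

REPORTS = {
    1: Report(1, org_id=10, body="quarterly report for org 10"),
    2: Report(2, org_id=20, body="quarterly report for org 20"),
}

class Forbidden(Exception):
    pass

def get_report_vulnerable(user: User, report_id: int) -> Report:
    # Broken: the caller is authenticated, but nothing ties the report to the
    # caller's organization, so any report id can be fetched.
    return REPORTS[report_id]

def get_report(user: User, report_id: int) -> Report:
    # Fixed: object-level check against the caller's organization. A missing
    # report and another organization's report produce the same response, so
    # report ids cannot be enumerated through differing error messages.
    report = REPORTS.get(report_id)
    if report is None or report.org_id != user.org_id:
        raise Forbidden("report not available to this user")
    return report

def update_cloud_config(user: User, config: dict, key: str, value: str) -> dict:
    # Role check enforced server side on every call, not only hidden in the UI.
    if user.role != "admin":
        raise Forbidden("admin role required")
    updated = dict(config)
    updated[key] = value
    return updated
```

The same pattern applies to the admin-only internal paths: the check belongs in the request handler, so that a user who types the path directly is still refused.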
