Response manipulation¶
Vulnerability Name¶
Response manipulation at [Parameter] in [Module/Functionality]
Vulnerability Description¶
A client-side resource manipulation vulnerability is an input validation flaw. It occurs when an application accepts user-controlled input that specifies the path of a resource such as the source of an iframe, JavaScript, applet, or the handler of an XMLHttpRequest.
This vulnerability consists of the ability to control the URLs that link to some resources present in a web page. The impact of this vulnerability varies, and it is usually adopted to conduct XSS attacks. This vulnerability makes it is possible to interfere with the expected application’s behavior by causing it to load and render malicious objects.
Add your specific vulnerability description if required, the one given above is a general description.
Steps to Reproduce¶
- Log in the application.
- Intercept the request in burp suite.
- Select the option: Do Intercept -> Response to this request.
- Alter the value of [Vulnerable Parameter] and send the request.
- Alter the value of [Vulnerable Parameter] and in the incoming response.
- Turn off the intercept and observe the change in application.
POC¶
Modify the steps to reproduce above if required. Attach snapshots (POC) or a video link here.
Impact¶
Attacker can interfere with the expected application’s behavior by causing it to load and render malicious objects. It enables them to potentially deliver misleading, unauthorized, or malicious content to end-users.
Add your specific impact if required, the one given above is a general impact.
Remediation¶
- Do not use static response for validating authentication.
- Always place server-side validation on each request and validate users.
- Choose the appropriate token for the level of risk of the transaction.
- Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.
Add your specific remediation if required, the above is a general remediation.