BPM, Workflow, and Case

  • 1.  Missing Access control

    Posted Thu September 18, 2025 09:54 AM

    We have a security issue (request interception).

    The security team, using the Burp Suite tool, can intercept the request while it calls the DB, access the payload and change parameter values.

    Any recommendation for this issue?

    How to Test for It

    1. Intercept the submit request using tools like Burp Suite or Postman.
    2. Tamper with the API request:

        POST /rest/bpm/wle/v1/coachflow/service/1.f44338c6-11f2-44eb-a8d5-ab9447d6ed44?modelID=1.1a5fdee9-dfa2-4977-94ef-16c6f3e8ddf7&callActivityID=2025.1db0d5cf-1037-41e0-8619-f0573d0cc616&branchId=2063.7ebb6b21-2319-4260-83d7-ac5d7ee2086e

        "creatorFullName":"Mohamed Sobhy",
        "creatorIDNumber":"1111111111",
        "creatorAgency":"AAAAAAAAA",

    3. Check the request; you will find the request after the change.


    ------------------------------
    Mohamed Sobhy
    ------------------------------


  • 2.  RE: Missing Access control

    Posted Thu September 18, 2025 09:58 AM

    We encountered this and fixed it for several customers who are using CP4BA. Please email me at nupasani@yrssolutions.com to discuss further, if interested.

    Nitin



    ------------------------------
    Nitin Upasani
    ------------------------------



  • 3.  RE: Missing Access control

    Posted Fri September 19, 2025 02:11 AM

    Is your concern:

    1) Burp Suite was able to modify the request between browser and server,

    or

    2) this user should not have been able to send these values to the server (you have client-side restrictions that would not have allowed the user to select this creatorAgency, for example)?

    If this server-side service creates something (e.g. a document or a request in some database), then you should not pass the creator's name from the browser to the server, but determine "the current user" as which the request executes on the server side, using the JS APIs.



    ------------------------------
    Jens Engelke
    ------------------------------
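    A server-side implementation of the pattern described above, added here as an example (not code from this thread or from the product): the creator fields are taken from the authenticated session, every client-supplied creator field is discarded, and any that disagreed with the session is reported so it can be audit-logged. Plain Node.js; `lookupSessionUser` is a hypothetical stand-in for the platform's current-user API, and all sample values are constructed.

```javascript
// Added example (not from the thread or the product): build the record to be
// persisted from a coach submission, taking the creator's identity from the
// authenticated server-side session instead of the POST body.

// Creator fields the server owns; anything the client sends here is ignored.
const SERVER_OWNED = ["creatorFullName", "creatorIDNumber", "creatorAgency"];

// Hypothetical stand-in for the platform's current-user API (constructed data).
function lookupSessionUser(sessionId) {
  const sessions = {
    "sess-1": { fullName: "Alice Example", idNumber: "2222222222", agency: "AGENCY-A" },
  };
  const user = sessions[sessionId];
  if (!user) throw new Error("unauthenticated request");
  return user;
}

// Returns { record, tampered }: record carries server-derived creator fields,
// tampered lists client-sent creator fields whose value disagreed with the
// session. A normal coach never posts a different identity than the logged-in
// user, so a non-empty list is a useful signal for audit logging.
function buildRecord(clientPayload, sessionUser) {
  const authoritative = {
    creatorFullName: sessionUser.fullName,
    creatorIDNumber: sessionUser.idNumber,
    creatorAgency: sessionUser.agency,
  };
  const record = {};
  const tampered = [];
  for (const [key, value] of Object.entries(clientPayload)) {
    if (SERVER_OWNED.includes(key)) {
      if (value !== authoritative[key]) tampered.push(key);
      continue; // never copy a client-supplied creator field
    }
    record[key] = value; // ordinary business data passes through
  }
  Object.assign(record, authoritative);
  return { record, tampered };
}

// Handler-style entry point: the session id comes from the authenticated
// request (cookie/header), the payload from the POST body.
function handleSubmit(sessionId, clientPayload) {
  const user = lookupSessionUser(sessionId);
  const result = buildRecord(clientPayload, user);
  if (result.tampered.length > 0) {
    console.warn("creator fields overridden from client:", result.tampered.join(","));
  }
  return result;
}
```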



  • 4.  RE: Missing Access control

    Posted Mon September 22, 2025 03:42 AM

    Hi Team,

    I have many security defects reported from my side also, regarding pentest activities applied by Egypt CBE Bank (InovaSys Company).

    We also opened multiple tickets, and we came to the conclusion that the product is working as designed and we should open an RFE (Request For Enhancement).

    Also I have another idea,

    @Mohamed Sobhy

    I think that to avoid interception of your API request, you should apply custom encryption over your data from the client side and a token to your service (e.g. a JWT token),

    and on the service flow side you should decrypt this to get your coach data (however this could produce a performance bottleneck based on how many services are used, and you should refactor the designed human services).

    Also I am interested in the solution that @Nitin Upasani applied; I have sent an email to get more details.



    ------------------------------
    Mohammed Shaker
    IBM CP4BA Team Lead
    Valleysoft
    Nasr City
    01007073310
    ------------------------------