Hi Team,
I also have many security defects reported from my side regarding Pentest activities applied by Egypt CBE Bank (InovaSys Company).
We also opened multiple tickets and came to the conclusion that the product is working as designed and we should open an RFE (Request For Enhancement).
Also I have another idea,
@Mohamed Sobhy
I think that to avoid interception of your API request, you should apply custom encryption over your data from the client side and a token to your service (e.g. a JWT token),
and on the service flow side you should decrypt this to get your coach data (however this could produce a performance bottleneck, depending on how many services are used), and you should refactor the designed human services.
Also I am interested in the solution that @Nitin Upasani applied; I have sent an email to get more details.
------------------------------
Mohammed Shaker
IBM CP4BA Team Lead
Valleysoft
Nasr City
01007073310
------------------------------
Original Message:
Sent: Fri September 19, 2025 02:10 AM
From: Jens Engelke
Subject: Missing Access control
Is your concern
1) burp suite was able to modify the request between browser and server
or
2) this user should not have been able to send these values to the server. You have client-side restrictions that would not have allowed the user to select this creatorAgency, for example
?
If this server-side service creates something (e.g. a document or a request in some database), then you should not pass the creator's name from the browser to the server, but determine at the server side "the current user" as which the request executes, using JS APIs.
------------------------------
Jens Engelke
------------------------------
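The server-side pattern Jens describes, written out as an added example that is not part of this thread or of any IBM product API; the session object, the agency assignment table and the request field names are assumptions:

```javascript
// Added example (not from this thread or any IBM product API): a server-side
// handler that never trusts the creator identity sent by the browser.
// The session object, the agency lookup and the request shape are assumptions.

// Constructed sample of what the server already knows about authenticated
// users: which agencies each login is entitled to create requests for.
const AGENCY_ASSIGNMENTS = {
  "alice": ["AGENCY-01", "AGENCY-02"],
  "bob":   ["AGENCY-03"],
};

class AccessDenied extends Error {}

// Creates a request record. `session` is the authenticated server-side
// session (populated at login, never from the request body); `body` is the
// JSON the browser posted, which an intercepting proxy may have modified.
function createRequest(session, body) {
  if (!session || !session.userId) {
    throw new AccessDenied("not authenticated");
  }
  const allowed = AGENCY_ASSIGNMENTS[session.userId] || [];
  // Concern 2 from the thread: the client-side picker limited the choice,
  // but the server must enforce the same limit itself.
  if (!allowed.includes(body.creatorAgency)) {
    throw new AccessDenied(
      `agency ${body.creatorAgency} not permitted for ${session.userId}`);
  }
  // Concern 1: whatever "creator" the browser sent is ignored outright;
  // the creator is the identity the request executes as.
  return {
    creator: session.userId,
    creatorAgency: body.creatorAgency,
    title: String(body.title || "").slice(0, 200),
    // Flag for audit logging: the client tried to name someone else.
    clientSuppliedCreatorIgnored:
      body.creator !== undefined && body.creator !== session.userId,
  };
}
```

The `clientSuppliedCreatorIgnored` flag is the kind of signal worth writing to an audit log, since a legitimate client never sends a creator that differs from its own session.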