BPM, Workflow, and Case

 BAW Security Defect

Mohamed Sobhy posted Sun September 21, 2025 03:33 AM

Dears, we have a security issue (Request Interception).

How to Test for It

  1. Intercept the request while submitting it, using tools like Burp Suite or Postman.
  2. Tamper with the API request:
     POST /rest/bpm/wle/v1/coachflow/service/1.f44338c6-11f2-44eb-a8d5-ab9447d6ed44?modelID=1.1a5fdee9-dfa2-4977-94ef-16c6f3e8ddf7&callActivityID=2025.1db0d5cf-1037-41e0-8619-f0573d0cc616&branchId=2063.7ebb6b21-2319-4260-83d7-ac5d7ee2086e
     "creatorFullName":"Test",
     "creatorIDNumber":"1111111111",
     "creatorAgency":"TestAgency",
  3. Check the request; you will find the request after the change.

By using Burp Suite, the security test team can intercept the request while it is being submitted, and update the payload data, which changes the main request data.

Jens Engelke

Mohammed, 

the steps appear to be the same as in your post at https://community.ibm.com/community/user/discussion/missing-access-control#bmd2c22511-3831-4719-b950-019960970819

While the other post is titled "missing access control", this one talks about tampering with traffic in transit. I strongly recommend you connect with your penetration testing team and find out what their exact concern is: missing access control or tampering with traffic.

Regarding missing access control, you must ensure that your server-side code only accepts parameter values that the current user is entitled to send. You can use BAW's JavaScript APIs to determine the current user name, group memberships and even team memberships. You can call out to backend systems and look up database tables to implement your custom authorization logic. The product as such cannot have any built-in access control over which users are authorized to post requests for "TestAgency", as this agency concept is not a product concept.

Regarding tampering with traffic: This only works after the end user carelessly clicked away the browser warning that said: "Your traffic is insecure. Attackers may read or modify...". This is because Burp Suite will not have a trusted certificate for the target hostname. This behavior is the same for all web applications. If you cannot trust your HTTPS infrastructure, your traffic is not safe.

Mohammed Shaker

Hi Team,

I have many security defects reported from my side also regarding Pentest activities applied by Egypt CBE Bank (InovaSys Company)

We also opened multiple tickets, and we came to the conclusion that the product is working as designed and we should open an RFE (Request For Enhancement).

Also I have another idea,

@Mohamed Sobhy

I think that to avoid interception of your API request, you should apply custom encryption over your data on the client side and send a token to your service (e.g. a JWT token),

and on the service flow side you should decrypt this to get your coach data (however, this could produce a performance bottleneck depending on how many services are used, and you would have to refactor the designed human services).

I am also interested in the solution that @Nitin Upasani applied; I have sent an email to get more details.

Jens Engelke

@Mohammed Shaker

Re: I think that to avoid interception of your API request, you should apply custom encryption over your data on the client side and send a token to your service (e.g. a JWT token)

How would you transmit the encryption key from the server to the browser? Burp Suite was established as a man-in-the-middle. That is, it can see and modify all traffic. It will see the key and can use it to encrypt/sign its modified request.

Mohammed Shaker

Hi @Jens Engelke,

I didn't mention using certificate keys; below is just an example of how to implement it using custom encryption logic.

const crypto = require('crypto'); // Node.js built-in; method, endpoint, timeStamp, nonce, data, channel and secureHashKey are set by the caller
const signature = `${method.toUpperCase()}/${endpoint}${timeStamp}${nonce}${data}${channel}`; // canonical string covering the request
const HMAC_Signature = crypto.createHmac('sha256', secureHashKey.key).update(signature).digest('base64'); // Or any encryption logic
const token = Buffer.from(`${HMAC_Signature}:${nonce}:${timeStamp}`).toString('base64'); // token sent alongside the request

Then sign the above token to generate the final token, and in the service flow you can parse / decrypt this.
From the network call I will not see the original data; I will see only a weird token which I don't know how it was encrypted.

Jens Engelke

@Mohammed Shaker Your code is creating a signed JWT. The signature uses secureHashKey.key. That's a key that browser and server must have agreed on in order for the server to verify the signature.

If you cannot trust communication between server and browser, then the two cannot agree on a key either.

As the attacker is assumed to be capable of intercepting traffic, he can see the key and sign his own messages in JWT format.

Being able to read and modify traffic, Burp Suite could even inject additional JavaScript into the browser to modify the message before signing.

Mohammed Shaker

Hi ,

You can send an additional input called "_token", which is your object data encrypted by some logic (what I shared in my previous comment is just an example). In your service flow (backend) you can encrypt your object again and compare the received token (input) with the token generated in the service: if they are the same, proceed with the service flow logic; if not, you can reach the service end or throw an exception with the needed message.

Jens Engelke

Hi @Mohammed Shaker

the assumption is: there is a man-in-the-middle, who can read and modify all network traffic between browser and server.

In this position, this man-in-the-middle

  • can see any encryption key being exchanged between browser and server
  • can see all logic (JavaScript code) which the server sends to the browser in order to hash or encrypt input data into _token
  • can remove the encryption logic from the JavaScript code
  • can modify the key seen by the client
  • can apply the key provided by the server to encrypt modified user input

If this connection is not considered safe for your data, how would it be safe to transmit key material or client-side application code?