Improper Implementation of Business Logic
Created by: armorcodegithubapp[bot]
In the ArmorCode platform, a BU-level admin was able to add a user to a different BU, one he/she does not have access to, simply by manipulating the request sent to the server. The server accepted the client-supplied BU identifier without checking that the target BU lies within the acting admin's scope.
Mitigation: The authorization decision must be made on the server side from the authenticated session, not from values supplied in the request; before adding the user, the server should verify that the target BU is one the acting admin is permitted to manage, and reject the request otherwise. In addition, the following approaches can be followed: keep critical information on the server side, and only send session IDs to the client; tamper-proof the data sent to the client by using a digital signature; encrypt the data sent to the client so it is opaque to the client.
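The following is an added worked example and is not ArmorCode code; all names (Session, Directory, add_user_vulnerable, add_user_fixed, the BU and user identifiers, and the HMAC secret) are hypothetical. It shows a handler that trusts the client-supplied bu_id beside one that checks the target BU against the caller's server-side scope, plus a minimal tamper-proofing helper for data the server hands to the client (HMAC is used here in place of a public-key digital signature; it serves the same integrity purpose when only the server needs to verify).

```python
"""Added example: server-side authorization for 'add user to BU'.

Hypothetical code, not from the ArmorCode platform. The vulnerable
handler uses the bu_id from the request as-is; the fixed handler first
checks that bu_id is within the admin's scope held in the server-side
session. A small HMAC helper shows tamper-proofing of client-held data.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not authorized for the target BU."""


@dataclass(frozen=True)
class Session:
    """Server-side session state; never derived from request fields."""
    user_id: str
    role: str
    admin_of_bus: frozenset  # BUs this admin is allowed to manage


@dataclass
class Directory:
    """Hypothetical user directory: bu_id -> set of user_ids."""
    members: dict = field(default_factory=dict)

    def add(self, bu_id, user_id):
        self.members.setdefault(bu_id, set()).add(user_id)

    def has(self, bu_id, user_id):
        return user_id in self.members.get(bu_id, set())


def add_user_vulnerable(session, request, directory):
    # Checks only that the caller is *some* BU admin, then uses the
    # client-supplied bu_id directly. Editing bu_id in the request is
    # enough to add a user to a BU the caller does not manage.
    if session.role != "bu_admin":
        raise Forbidden("caller is not a BU admin")
    directory.add(request["bu_id"], request["user_id"])
    return True


def add_user_fixed(session, request, directory):
    if session.role != "bu_admin":
        raise Forbidden("caller is not a BU admin")
    bu_id = request["bu_id"]
    # Authorization uses server-side session data, not the request body.
    if bu_id not in session.admin_of_bus:
        raise Forbidden(f"{session.user_id} may not manage BU {bu_id}")
    directory.add(bu_id, request["user_id"])
    return True


def sign_value(secret, value):
    """Tamper-proof a value before sending it to the client (HMAC-SHA256)."""
    mac = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(secret, token):
    """Return the value if its MAC is intact, else None (constant-time compare)."""
    value, _, mac = token.rpartition(".")
    expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return value if mac and hmac.compare_digest(mac, expected) else None


def demo():
    # Constructed sample: alice administers only BU-1 and tampers bu_id to BU-2.
    session = Session("alice", "bu_admin", frozenset({"BU-1"}))
    tampered = {"bu_id": "BU-2", "user_id": "bob"}
    legit = {"bu_id": "BU-1", "user_id": "bob"}
    vuln_dir, fixed_dir = Directory(), Directory()

    add_user_vulnerable(session, tampered, vuln_dir)
    try:
        add_user_fixed(session, tampered, fixed_dir)
        fixed_blocked = False
    except Forbidden:
        fixed_blocked = True
    add_user_fixed(session, legit, fixed_dir)

    secret = b"hypothetical-server-secret"  # constructed for the example
    token = sign_value(secret, "BU-1")
    forged = "BU-2." + token.split(".")[1]  # client edits the value, keeps the MAC

    return {
        "vulnerable_added_to_BU-2": vuln_dir.has("BU-2", "bob"),
        "fixed_blocked_tamper": fixed_blocked,
        "fixed_allowed_legit": fixed_dir.has("BU-1", "bob"),
        "signed_token_verifies": verify_value(secret, token) == "BU-1",
        "forged_token_rejected": verify_value(secret, forged) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The fixed handler is the part that closes the finding: the signed token only protects data the server chose to hand out, and does nothing for a bu_id the client is free to submit, so the scope check against the server-side session must stay regardless of which of the listed hardening measures are also adopted.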
https://app.armorcode.com/#/findings/68603854
Knowledge Base: https://app.armorcode.com/#/knowledgeBase/777