Severity : low
Criticality Justification
An attacker can deliberately trigger an unhandled exception by sending a malformed request. At best this aborts the request and, if repeated, can contribute to a denial of service (DoS); at worst the application returns verbose error messages (stack traces and internal class names) that help an attacker understand the implementation and craft further attacks.
Steps To Reproduce
Step 1: Log in to the platform with any account; a regular user or an admin both work.
Step 2: Send a POST request to the endpoint /nuxeo/api/v1/automation/User.GetUserWorkspace with the params value replaced by a plain string instead of the expected object. The response contains the raised exception rather than a generic error.
The same behaviour can be reproduced across the application whenever a POST request is sent without the expected body or without the expected headers. (https://api.us.cobalt.io/v1/attachments/att_f4d3FX7/preview)
Suggested Fix
- Use custom error messages or generic warnings that do not disclose any information about the application or server.
- Remove default web server pages.
- Perform proper error handling at the code level. Refer to error handling information in the references section.
- Avoid providing stack trace error messages.
- Implement a proper error handling policy so that all web applications have the same standards for error handling.
- Determine which information can be displayed to the user, and which information should be logged as part of error handling.
Prerequisites
Authenticated user required