Exploiting the Broken Access Control Vulnerability in the Orami Application for Order Cancellation and User Impersonation

Authors

  • Ahmad Ray Septa Firdaus Universitas Singaperbangsa Karawang
  • Apriade Voutama Singaperbangsa Karawang University

https://doi.org/10.36342/teika.v13i02.3113

Keywords:

Website, Penetration Testing, Broken Access Control, Burp Suite

Abstract

Orami is an e-commerce website that provides products for babies, children, and pregnant women. This research discusses a vulnerability in the Orami website that allows an attacker to cancel orders from another user's account and impersonate their identity. The potential impact of exploiting this vulnerability could lead to a loss of user trust in the Orami site, especially if it is widely abused. Additionally, financial losses could occur if many orders are canceled fraudulently and users choose to purchase from other sites deemed more secure. The vulnerability was exploited by obtaining the victim's order code through the order history feature and then modifying the parameter value in the cancellation order feature on the attacker's account. This research includes vulnerability analysis, impact evaluation, solution identification, vulnerability reporting, and solution implementation. The results of the study show that the Orami website is vulnerable to Broken Access Control attacks and that the website developers have fixed the vulnerability.
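As an added example, not taken from the paper or from Orami's code base: a minimal order-cancellation handler in the broken shape the abstract describes (it authenticates the caller but fetches the order by the submitted code alone) beside the corrected handler that binds the lookup to the authenticated user. The in-memory store, user names and order codes are constructed for illustration.

```python
# Constructed in-memory order store: order code -> owning user and status.
# The abstract notes that order codes can be read from the order history
# feature, so a code alone must never be treated as proof of ownership.
ORDERS = {
    "ORD-1001": {"owner": "alice", "status": "paid"},
    "ORD-1002": {"owner": "bob", "status": "paid"},
}

class Forbidden(Exception):
    """Raised when the caller may not act on the requested order."""

def cancel_order_vulnerable(session_user: str, order_code: str) -> str:
    """Broken Access Control as described in the abstract: the caller is
    authenticated (session_user) but the order is fetched by the submitted
    code only, so any logged-in user can cancel any other user's order."""
    order = ORDERS[order_code]  # request parameter used directly
    order["status"] = "cancelled"
    return order["status"]

def cancel_order_fixed(session_user: str, order_code: str) -> str:
    """Corrected handler: the order must belong to the authenticated user.
    'Not found' and 'not yours' raise the same error so the endpoint does
    not confirm which order codes exist."""
    order = ORDERS.get(order_code)
    if order is None or order["owner"] != session_user:
        raise Forbidden("order not found for this account")
    order["status"] = "cancelled"
    return order["status"]

def outcome_fixed(session_user: str, order_code: str) -> str:
    """Result of the fixed handler as a string, for comparison and testing."""
    try:
        return cancel_order_fixed(session_user, order_code)
    except Forbidden:
        return "rejected"

def reset() -> None:
    """Restore every constructed order to 'paid'."""
    for order in ORDERS.values():
        order["status"] = "paid"

if __name__ == "__main__":
    # bob submits alice's order code to each handler
    print(cancel_order_vulnerable("bob", "ORD-1001"))  # cancelled
    reset()
    print(outcome_fixed("bob", "ORD-1001"))            # rejected
    print(ORDERS["ORD-1001"]["status"])                # paid
    print(outcome_fixed("alice", "ORD-1001"))          # cancelled
```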



Published

2023-10-31

How to Cite

Septa Firdaus, A. R., & Voutama, A. (2023). Exploiting the Broken Access Control Vulnerability in the Orami Application for Order Cancellation and User Impersonation. TeIKa, 13(02), 113-120. https://doi.org/10.36342/teika.v13i02.3113