@Voidager88
Last active June 6, 2022 07:30
*** (Revoking Request) *** PoC of Modification of Assumed-Immutable Data (MAID) vulnerability in Experian Hunter 1.16 via (1) rule name parameter to the Rules page or the (2) subrule name or (3) categories name parameter to the Subrules page (CVE-2022-29950)
*** Revoking Request ***
[Product Description]
Experian Hunter is an application-fraud prevention product for any organisation that handles application fraud data across multiple channels.
[Details]
The Rules and Subrules pages of the current version are vulnerable to Modification of Assumed-Immutable Data (MAID). The application does not properly protect assumed-immutable information, such as the names and categories of existing Rules and Subrules, from being modified. By default, the application does not allow users to modify the names or categories of existing Rules and Subrules; it only allows users to change their description and criteria. Because that restriction is enforced only in the user interface, a client that adds or re-enables the corresponding form parameters can still change those values.
[Impact]
Successful exploitation of this vulnerability may result in the addition or modification of data. Tampered data can no longer be trusted, and processing it may produce unexpected results.
[Affected component]
Experian Hunter 1.16
[Attack Type]
Remote
[PoC]
Case 1: Editing the name of existing Rules
1. Use Burp Suite to intercept the request sent while updating an existing Rule, add the parameter txtRuleName$textbox={RULE_NAME_CHANGE} (the Rule's name) to the request body, and forward the modified request to the server.
2. The modified Rule name is then shown on the Rules list page.
Case 2: Editing the name of existing Subrules
1. Use Burp Suite to intercept the request sent while updating an existing Subrule, add the parameter txtSubRule$textbox={SUBRULE_NAME_CHANGE} (the Subrule's name) to the request body, and forward the modified request to the server.
2. The modified Subrule name is then shown on the Subrules list page.
Case 3: Editing the category of existing Subrules
1. Use the browser's Inspect Element on the Categories field and delete the HTML attribute disabled="disabled".
eg. change <select name="drpCategories" id="drpCategories" disabled="disabled"> to <select name="drpCategories" id="drpCategories">
2. The category can then be changed to any other entry in the drop-down list. However, new criteria must be added whenever the category is changed.
3. When the update request is intercepted with Burp Suite, the parameter drpCategories={CATEGORY_NAME} is sent along with the request.
4. The category is successfully changed to the new one, as can be seen by revisiting the modified Subrule.
Note: If the parameter drpCategories={CATEGORY_NAME} is added to the intercepted request without specifying the new criteria required by that category, an error occurs and the user can no longer access that Subrule's page.
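The root cause above is that immutability of the name and category is enforced only by the disabled form controls. The following Python is an added illustration, not code from the advisory or from Experian Hunter: a minimal update handler in the vulnerable shape (every posted field is written back) next to a hardened one that enforces immutability and reports tampering server-side. Only the parameter names txtSubRule$textbox and drpCategories come from the advisory; the record layout and the description/criteria parameter names are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed stand-in for a stored Subrule record (layout is an assumption).
@dataclass(frozen=True)
class Subrule:
    name: str
    category: str
    description: str
    criteria: str

# Posted parameter -> record field. The first two names come from the advisory;
# the description and criteria parameter names are assumed for illustration.
PARAM_TO_FIELD = {
    "txtSubRule$textbox": "name",
    "drpCategories": "category",
    "txtDescription$textbox": "description",
    "txtCriteria$textbox": "criteria",
}
IMMUTABLE_FIELDS = ("name", "category")

def update_vulnerable(existing, form):
    """Vulnerable pattern: every recognised posted field is written back, so a
    client that adds txtSubRule$textbox or drpCategories renames/re-categorises."""
    changes = {PARAM_TO_FIELD[p]: v for p, v in form.items() if p in PARAM_TO_FIELD}
    return replace(existing, **changes)

def tampered_fields(existing, form):
    """Detection: immutable fields whose posted value differs from the stored
    one. A browser using the real (disabled) form cannot produce a mismatch."""
    found = []
    for param, value in form.items():
        field = PARAM_TO_FIELD.get(param)
        if field in IMMUTABLE_FIELDS and value != getattr(existing, field):
            found.append(field)
    return found

def update_hardened(existing, form):
    """Hardened pattern: immutability is enforced server-side. Immutable fields
    are never copied from the request; a mismatch is rejected and worth logging."""
    tampered = tampered_fields(existing, form)
    if tampered:
        raise ValueError(f"immutable field(s) modified in request: {tampered}")
    changes = {
        PARAM_TO_FIELD[p]: v
        for p, v in form.items()
        if p in PARAM_TO_FIELD and PARAM_TO_FIELD[p] not in IMMUTABLE_FIELDS
    }
    return replace(existing, **changes)
```

The mismatch check is also a useful detection signal: a request carrying a different name or category than the stored record is, by construction, not one the shipped UI can send.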