Hello Katalon Team @albert.vu @Elly_Tran @vu.tran
I would like to report a bug on the Katalon TestOps platform
*Summary
By modifying the HTML code directly in the browser, I was able to bypass the disabled
attribute on certain input fields and buttons. This allowed me to submit data that was supposed to be restricted, potentially leading to unintended actions or manipulation of restricted fields.
*Steps to reproduce
- Navigate to the webpage: Katalon TestOps
- Open the browser’s Developer Tools (e.g., by pressing F12 on Chrome).
- Inspect the disabled "Create Trial Katalon Studio Enterprise Offline License" button to get the URL
- Open the URL
- Open the browser’s Developer Tools (e.g., by pressing F12 on Chrome).
- Inspect the disabled "Machine ID" textfield
- Remove the disabled attribute from the HTML using the Developer Tools for the Machine ID textfield
- Inspect the disabled "Create" button
- Remove the disabled attribute from the HTML using the Developer Tools for the Create button
- Enter data into the previously disabled input field and submit the form.
- Observe that the data is successfully submitted, despite the field being disabled in the original page.
*Expected Results
- Input fields and buttons with the disabled attribute should remain uneditable and unclickable, even when the HTML code is manually modified using browser developer tools.
- Submitting data through disabled fields or buttons should be prevented by server-side validation, ensuring that unauthorized or unintended actions are not processed.
- Files generated through tampered fields should not be valid for activating Katalon Studio.
- A proper error message should be displayed if tampered data is detected, maintaining system integrity.
*Actual Results
- The disabled attribute on input fields and buttons can be bypassed by directly modifying the HTML in the browser.
- The Machine ID field and Create button, which are supposed to be restricted, became editable and clickable after removing the disabled attribute via browser developer tools.
- Data entered into these tampered fields was successfully submitted and processed by the system without any validation or restriction.
- Files generated from the tampered fields were valid and could be used to activate Katalon Studio, allowing for unauthorized or unintended activations.
- No error message or server-side validation prevented the unauthorized submission of data or the validity of generated files.
*Screenshots / Videos
*Blocker?
No
Number of affected users?
All of the Katalon TestOps users.
*Operating System
macOS Sequoia
*Katalon Studio version
All Katalon Studio versions
*Katalon Studio logs
.
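The report's expected result is that the server, not the browser's disabled attribute, decides which fields a client may set. The following is an added example (not Katalon's code) that models such a license-request handler: the "before" version trusts whatever the form sends, the hardened version takes the Machine ID from the server-side session, rejects any client-supplied value for it, and records the attempt for detection. The field names, the session model and the policy sets are assumptions for illustration.

```python
"""Server-side guard for a form whose fields are disabled client-side.

Added example, not Katalon's code. A client can always remove a
'disabled' attribute, so the server must enforce the field policy itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical per-form policy (assumption): fields the client may set ...
EDITABLE_FIELDS = {"license_name"}
# ... and fields whose value only the server may decide.
SERVER_CONTROLLED = {"machine_id"}


@dataclass
class Session:
    user: str
    machine_id: Optional[str]            # assigned server-side, never by the form
    audit: List[str] = field(default_factory=list)


def handle_vulnerable(form: Dict[str, str], session: Session) -> dict:
    """'Before' behaviour: trusts every submitted field, disabled or not."""
    return {"ok": True,
            "machine_id": form.get("machine_id"),
            "name": form.get("license_name", "")}


def handle_hardened(form: Dict[str, str], session: Session) -> dict:
    """Hardened: reject fields the client may not set, bind server-controlled
    values to the session, and log the tampering attempt for detection."""
    unexpected = set(form) - EDITABLE_FIELDS
    if unexpected:
        session.audit.append(
            f"tampered_fields user={session.user} fields={sorted(unexpected)}")
        return {"ok": False,
                "error": "Request contains fields that cannot be set by the client."}
    if session.machine_id is None:
        return {"ok": False, "error": "No enrolled machine for this session."}
    return {"ok": True,
            "machine_id": session.machine_id,      # from the server, not the form
            "name": form.get("license_name", "")}
```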