Hi all,
I'm facing an issue where an Ignition (Perspective) web client keeps failing a penetration test. Below are the key findings from the test report:
- Unauthorized Data Access – Using Burp Suite to intercept and manipulate requests while loading a dashboard page, the tester was able to access data from sites other than the user’s authorized site.
- Admin Panel Partial Exposure – When attempting to access the admin panel, a partial view was loaded initially (without data or functionality). However, after disabling interception, an "Access Denied" message was displayed.
- Restricted UI Element Exposure – A dropdown box for site selection intended to be visible only to administrators was accessible.
Steps I’ve taken so far:
- Set up security levels and permissions for views, ensuring they match the required security levels.
- Checked component visibility settings and role-based security.
Has anyone encountered similar issues, and how can I prevent unauthorized UI exposure and data access through request interception?
Thanks in advance for any suggestions!
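The root cause behind all three findings is that the restriction lives in client-visible properties (view permissions, component `visible` flags) while the data and option lists are produced without re-checking the session. The example below is added here and is not from the original post or Ignition's own API: a gateway-side helper, written in Jython 2.7 / CPython 3 compatible syntax, that derives the allowed sites from the session's security-level paths and applies the filter where the data is produced. The `Authenticated/Sites/<name>` branch, the `Administrator` role name and the sample rows are constructed assumptions.

```python
# Added illustration: enforce site authorization on the gateway side of a
# Perspective data fetch, so an intercepted or edited request for another site
# is refused regardless of what the client's UI showed. Not Ignition's own API.
# ASSUMPTIONS: security levels arrive as path strings in the shape Ignition uses
# ("Authenticated/Roles/..."); the "Authenticated/Sites/<name>" branch and the
# Administrator role name are constructed for this example.

SITE_LEVEL_PREFIX = "Authenticated/Sites/"          # constructed convention
ADMIN_LEVEL = "Authenticated/Roles/Administrator"   # constructed role name

# Constructed sample data standing in for a named query result.
SAMPLE_ROWS = [
    {"site": "Plant-A", "tag": "Line1/Rate", "value": 120},
    {"site": "Plant-A", "tag": "Line2/Rate", "value": 98},
    {"site": "Plant-B", "tag": "Line1/Rate", "value": 143},
]

class NotAuthorized(Exception):
    """Raised when a session asks for a site its security levels do not grant."""

def authorized_sites(security_levels):
    """Sites granted to the session, derived from its security-level paths."""
    return set(lvl[len(SITE_LEVEL_PREFIX):]
               for lvl in security_levels if lvl.startswith(SITE_LEVEL_PREFIX))

def is_admin(security_levels):
    return ADMIN_LEVEL in security_levels

def fetch_site_data(requested_site, security_levels, rows=SAMPLE_ROWS):
    """Return rows for requested_site only if the session may see that site.

    The check runs where the data is produced, so a client that edits the site
    parameter in transit is denied rather than served."""
    if not is_admin(security_levels) and requested_site not in authorized_sites(security_levels):
        raise NotAuthorized("session not authorized for site %r" % requested_site)
    return [r for r in rows if r["site"] == requested_site]

def site_dropdown_options(security_levels, rows=SAMPLE_ROWS):
    """Site selector options computed server-side: admins get every site, other
    users only the sites their levels grant. No client-side 'visible' flag is
    relied on to shorten the list."""
    all_sites = sorted(set(r["site"] for r in rows))
    if is_admin(security_levels):
        return all_sites
    return [s for s in all_sites if s in authorized_sites(security_levels)]

if __name__ == "__main__":
    operator = ["Authenticated", "Authenticated/Roles/Operator", "Authenticated/Sites/Plant-A"]
    print(fetch_site_data("Plant-A", operator))
    try:
        fetch_site_data("Plant-B", operator)   # request altered to another site
    except NotAuthorized as e:
        print("denied: %s" % e)
```

In a real project the security-level list would come from the session (for example `session.props.auth.securityLevels`, flattened to paths) inside the script or named-query wrapper that feeds the view, not from a view parameter the client can set.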