The bank job

This post shares a list of vulnerabilities found in the mobile app of an Indian bank.

0x01. SSLv3.0

This is a test case left over from our earlier checklist: the backend still accepted SSLv3.0, a protocol that is obsolete and known to be broken (POODLE). In future we should verify this directly with OpenSSL rather than rely on the checklist.
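An added example, not part of the original post, of the OpenSSL check the note calls for. It shells out to `openssl s_client -ssl3` and classifies the output; the target host is a placeholder and the sample outputs in the tests are constructed from the format `s_client` prints. One caveat the classifier handles: most current OpenSSL builds are compiled without SSLv3, in which case `-ssl3` is reported as an unknown option and the test simply did not run.

```python
import re
import subprocess
import sys


def classify_s_client_output(output: str) -> str:
    """Classify the combined stdout/stderr of `openssl s_client -ssl3`.

    SSLV3_ACCEPTED   : a session was negotiated with Protocol SSLv3 and a real cipher.
    SSLV3_REJECTED   : the server refused (alert / version error / no cipher).
    SSLV3_NOT_SUPPORTED_BY_CLIENT : this OpenSSL build has no SSLv3; retest with another build.
    INCONCLUSIVE     : nothing recognisable (timeout, connection refused, ...).
    """
    text = output.lower()
    if "unknown option" in text:
        return "SSLV3_NOT_SUPPORTED_BY_CLIENT"
    negotiated_sslv3 = re.search(r"protocol\s*:\s*sslv3", text) is not None
    # s_client prints the Protocol line even on failure, so also require a cipher.
    no_cipher = (re.search(r"cipher\s*:\s*0000", text) is not None
                 or "cipher is (none)" in text)
    if negotiated_sslv3 and not no_cipher:
        return "SSLV3_ACCEPTED"
    if no_cipher or any(m in text for m in ("handshake failure",
                                            "wrong version number",
                                            "unsupported protocol",
                                            "no protocols available")):
        return "SSLV3_REJECTED"
    return "INCONCLUSIVE"


def probe_sslv3(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Run the probe against host:port and return one of the verdicts above."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-ssl3"]
    try:
        # Empty stdin makes s_client exit right after the handshake attempt.
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "INCONCLUSIVE"
    output = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return classify_s_client_output(output)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "bank.example"  # placeholder host
    print(probe_sslv3(target))
```

Run it as `python3 sslv3_probe.py api.bank.example`; an `SSLV3_ACCEPTED` verdict reproduces the finding, and `SSLV3_NOT_SUPPORTED_BY_CLIENT` means you need an older OpenSSL build (or a scanner such as testssl.sh) before you can conclude anything.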

0x02. SessionIds not refreshed after logon

Before logon, the app issues a request to check whether the installed version is the latest. That response already returns a session ID, and the same ID stays valid after logon: it is not rotated on authentication, so it can be used to fetch the account balance.

Test case: replay the balance request with the session ID that was issued before logon.

0x03. SessionIds not terminated properly

There were no session invalidation controls on the backend: unless the app explicitly called the session-destroy API, the session ID lived forever, with no idle timeout and no absolute lifetime.
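An added example covering both 0x02 and 0x03; it is not the bank's code but an in-memory stand-in for the backend session store. `VulnerableSessionStore` reproduces the reported behaviour (the pre-logon ID is simply upgraded at logon and never expires), while `HardenedSessionStore` rotates the ID on authentication and enforces idle and absolute timeouts. The timeout values and the `account_balance` endpoint are assumptions for illustration; the injectable clock exists only so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    customer_id: Optional[str]   # None until the user has authenticated
    created: float
    last_seen: float


class VulnerableSessionStore:
    """What the report describes: one ID from the version check onward, never expired."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def start_anonymous(self) -> str:
        sid = secrets.token_urlsafe(32)
        now = time.time()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def login(self, sid: str, customer_id: str) -> str:
        self._sessions[sid].customer_id = customer_id   # same ID before and after logon
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)                  # valid until destroy() is called

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class HardenedSessionStore:
    IDLE_TIMEOUT = 10 * 60            # seconds without a request (assumed policy)
    ABSOLUTE_LIFETIME = 8 * 60 * 60   # seconds since creation, regardless of activity

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def _create(self, customer_id: Optional[str]) -> str:
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(customer_id, now, now)
        return sid

    def start_anonymous(self) -> str:
        return self._create(None)

    def login(self, old_sid: str, customer_id: str) -> str:
        # Rotate on authentication: a pre-logon ID captured on the wire is now useless.
        self._sessions.pop(old_sid, None)
        return self._create(customer_id)

    def resolve(self, sid: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self.IDLE_TIMEOUT or now - s.created > self.ABSOLUTE_LIFETIME:
            self._sessions.pop(sid, None)   # server-side expiry, independent of the app
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def account_balance(store, sid: str) -> Optional[str]:
    """Stand-in for the balance endpoint: data only for an authenticated, live session."""
    s = store.resolve(sid)
    if s is None or s.customer_id is None:
        return None
    return f"balance for {s.customer_id}"
```

The replay test from 0x02 maps directly onto `account_balance(store, pre_logon_sid)`: it must return nothing after logon on the hardened store, and the same call on the vulnerable store is the finding.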

0x04. Front end validation

Only front-end (client-side) validation is implemented; the backend repeats none of it, so the checks are bypassed trivially by sending requests straight to the API, for example through an intercepting proxy.

0x05. Design flaw

An OTP is required when transferring money. However, the backend does not check that the supplied OTP was issued to the sender's account, so an attacker can pass the check with an OTP issued to a different account, such as his own.

Additionally, the SMS notification is flawed: the backend looks up the mobile number from the customer ID supplied in the request, which the attacker can replace with his own, so the notification is sent to the attacker instead of the account holder.
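An added example covering 0x04 and 0x05 together, since all three problems live in the same transfer endpoint. It is not the bank's code: customers, accounts, the OTP store and the SMS gateway are constructed in-memory stand-ins, and the limits and response strings are assumptions. `vulnerable_transfer` mirrors the report (no server-side validation, an OTP check that accepts any live OTP, and a notification number taken from a client-supplied customer ID); `hardened_transfer` decides everything from server-side state and the authenticated session.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, List, Tuple


@dataclass
class Customer:
    customer_id: str
    account_no: str
    mobile: str
    balance: Decimal


# Constructed sample data: a victim and an attacker who both hold accounts.
CUSTOMERS: Dict[str, Customer] = {
    "C100": Customer("C100", "ACC-100", "+91-VICTIM", Decimal("50000")),
    "C200": Customer("C200", "ACC-200", "+91-ATTACKER", Decimal("10")),
}
ACCOUNT_OWNER = {c.account_no: c.customer_id for c in CUSTOMERS.values()}
SENT_SMS: List[Tuple[str, str]] = []     # (mobile, text); stand-in for the SMS gateway
PER_TXN_LIMIT = Decimal("100000")        # assumed policy


class OtpStore:
    TTL = 120   # seconds an OTP stays valid (assumed)

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, Tuple[str, float]] = {}   # customer_id -> (code, expiry)

    def issue(self, customer_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[customer_id] = (code, self._clock() + self.TTL)
        return code

    def is_any_valid(self, code: str) -> bool:
        """Vulnerable check: an OTP issued to *any* customer is accepted."""
        return any(hmac.compare_digest(c, code) and self._clock() <= exp
                   for c, exp in self._pending.values())

    def consume(self, customer_id: str, code: str) -> bool:
        """Hardened check: must be this customer's OTP, unexpired, and is single use."""
        entry = self._pending.pop(customer_id, None)
        if entry is None:
            return False
        issued, expiry = entry
        return self._clock() <= expiry and hmac.compare_digest(issued, code)


def vulnerable_transfer(req: dict, otps: OtpStore) -> str:
    """Trusts the client for validation, OTP ownership and the notification target."""
    if not otps.is_any_valid(req["otp"]):
        return "otp rejected"
    src = CUSTOMERS[ACCOUNT_OWNER[req["from_account"]]]
    dst = CUSTOMERS[ACCOUNT_OWNER[req["to_account"]]]
    amount = Decimal(req["amount"])            # no range check: the app "validated" it
    src.balance -= amount
    dst.balance += amount
    notify = CUSTOMERS[req["customer_id"]]     # number chosen by whoever built the request
    SENT_SMS.append((notify.mobile, f"Debited {amount} from {src.account_no}"))
    return "ok"


def hardened_transfer(req: dict, session_customer_id: str, otps: OtpStore) -> str:
    """Every decision comes from server-side state and the authenticated session."""
    sender = CUSTOMERS[session_customer_id]
    try:
        amount = Decimal(str(req.get("amount", "")))
    except InvalidOperation:
        return "invalid amount"
    if not amount.is_finite() or amount <= 0 or amount > PER_TXN_LIMIT:
        return "invalid amount"
    if req.get("from_account") != sender.account_no:
        return "source account not owned by caller"
    dst_owner = ACCOUNT_OWNER.get(req.get("to_account"))
    if dst_owner is None or dst_owner == session_customer_id:
        return "invalid destination"
    if amount > sender.balance:
        return "insufficient funds"
    if not otps.consume(session_customer_id, str(req.get("otp", ""))):
        return "otp rejected"                  # OTP bound to the authenticated sender
    sender.balance -= amount
    CUSTOMERS[dst_owner].balance += amount
    SENT_SMS.append((sender.mobile, f"Debited {amount} from {sender.account_no}"))
    return "ok"
```

The hardened version never reads a customer ID or an account owner from the request body; the session decides who the sender is, and the OTP lookup is keyed by that identity rather than by the code alone. Note also that `is_finite()` runs before the range comparison, because a `Decimal("NaN")` smuggled through an "amount" field raises on comparison otherwise.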
