Press release

Must Know Business Logic Vulnerabilities In Banking Applications

01-29-2013 06:38 PM CET | Media & Telecommunications

Press release from: iViZ Security

iViZ Security - Cloud Based Application Penetration Testing

Over the last few years, our On-Demand and Hybrid Penetration Testing platform has performed security testing of applications across many verticals and domains, including Banking, e-commerce, Manufacturing, Enterprise Applications and Gaming. SQL Injection, XSS and CSRF remain the top classes of vulnerabilities found by our automated scanning system; at the same time, a large number of business logic vulnerabilities are found by our security experts, backed by a comprehensive knowledge base.

A business logic vulnerability is a security weakness or bug in the functional or design aspect of an application. Because the weakness lies in the function or design rather than in the code pattern a scanner can match, it is often missed by all existing automated web application scanners.

In this blog we share the most commonly found Business Logic Vulnerabilities in the Virtual Credit Card (VCC) creation module of a Banking Application.

Consider the following scenario: a Banking Application provides web-based functionality for users to pay bills online as well as to create and manage Virtual Credit Cards. Virtual Credit Cards are used to shop online. A Virtual Credit Card creation use case involves the following steps:
1. User visits the banking application.
2. User opts to create a virtual credit card.
3. User fills in personal details, the required amount, the expiry date of the VCC, etc.
4. User chooses a payment gateway.
5. User fills in credit / debit card details.
6. Banking Application redirects the user to the Payment Gateway.
7. Required amount + Service Charge are debited from the user’s debit / credit card.
8. Payment Gateway redirects the user to a Callback URL provided by the Banking Application.
9. Banking Application verifies the Payment Gateway confirmation.
10. Banking Application generates a CVV number.
11. Banking Application presents the VCC details to the user.
12. Banking Application performs SMS verification of the user.

The following security weaknesses are commonly found in the above scenario:

TAMPERING OF DATA COMMUNICATION BETWEEN PAYMENT GATEWAY AND BANKING APPLICATION
Weakness: The Banking Application does not verify whether the required amount was successfully paid at the Payment Gateway side, nor what amount was actually paid there. As a result, a virtual card can be recharged with a higher amount while paying a lower amount to the bank, by modifying the amount in the request sent from the payment gateway to the bank.

Mitigation: There should be sufficient validation of the data exchanged between the Banking Application and the payment gateway, and the callback URL should not be directly controllable by an attacker.

NO VALIDATION ON BANKING APPLICATION’S CALLBACK URL
Weakness: There is a lack of validation on the Banking Application side when the Payment Gateway redirects a user to the Banking Application’s callback URL. As a result, a virtual credit card can be created without paying any service charge, by sending the request directly to the Banking Application’s callback URL instead of going through the Payment Gateway.

Mitigation: There should be sufficient validation on the callback URL, including a check of whether the request was redirected by the Payment Gateway or called directly by an attacker.
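The two callback weaknesses above share one fix: the bank must be able to tell a genuine gateway confirmation from a forged or modified one, and must compare the confirmed amount with its own record of the order rather than with whatever the request says. The following is an added example, not code from iViZ or from any real payment gateway; it assumes a shared secret agreed out of band (a placeholder value here), a gateway that signs the fields order_id, amount and status with HMAC-SHA256, and an in-memory order store in place of the bank's database.

```python
from __future__ import annotations

import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed placeholder: the secret the bank and the gateway agreed out of band.
GATEWAY_SHARED_SECRET = b"example-shared-secret-placeholder"


def canonical_payload(fields: dict[str, str]) -> bytes:
    """Serialise the signed fields in a fixed order so both sides sign identical bytes."""
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def sign_callback(fields: dict[str, str], secret: bytes = GATEWAY_SHARED_SECRET) -> str:
    """Gateway side (assumed protocol): HMAC-SHA256 over order id, amount and status."""
    return hmac.new(secret, canonical_payload(fields), hashlib.sha256).hexdigest()


def handle_callback(params: dict[str, str],
                    orders: dict[str, dict[str, str]]) -> tuple[bool, str]:
    """Bank side: accept a callback only if it is authentic, not replayed, and for the
    amount the bank itself recorded. `orders` maps order_id -> {"amount", "status"}."""
    if not {"order_id", "amount", "status", "signature"}.issubset(params):
        return False, "missing fields"
    signed = {k: params[k] for k in ("order_id", "amount", "status")}
    expected = sign_callback(signed)
    # Constant-time comparison: a callback that was forged, or modified after
    # the gateway signed it, fails here.
    if not hmac.compare_digest(expected.encode(), str(params["signature"]).encode()):
        return False, "bad signature"
    order = orders.get(params["order_id"])
    if order is None:
        return False, "unknown order"
    if order["status"] != "PENDING":
        return False, "order already processed"   # a replayed callback stops here
    if params["status"] != "SUCCESS":
        return False, "payment not successful"
    try:
        paid = Decimal(params["amount"])
    except InvalidOperation:
        return False, "malformed amount"
    # Compare with the amount stored when the order was created; never trust the
    # request's amount on its own.
    if paid != Decimal(order["amount"]):
        return False, "amount mismatch"
    order["status"] = "PAID"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo: one pending order, a genuine callback, then a tampered copy of it.
    orders = {"ORD-1001": {"amount": "150.00", "status": "PENDING"}}
    fields = {"order_id": "ORD-1001", "amount": "150.00", "status": "SUCCESS"}
    genuine = dict(fields, signature=sign_callback(fields))
    tampered = dict(genuine, amount="500.00")
    print(handle_callback(tampered, orders))
    print(handle_callback(genuine, orders))
```

The order of the checks matters: the signature is verified before any database lookup, so unsigned requests sent straight to the callback URL are rejected without touching the order store, and the status check before the amount check means a second delivery of the same valid confirmation cannot top up the card twice.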

VIRTUAL CREDIT CARD NUMBER IS PREDICTABLE
Weakness: Generated Virtual Credit Card numbers are predictable or follow a pattern. As a result, an attacker can predict the virtual credit card numbers in use by other legitimate users.

Mitigation: Virtual Credit Card numbers should be generated with sufficient randomness.
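"Sufficiently random" means the account digits come from a cryptographic random source, with the only structure being the issuer prefix and the Luhn check digit that any card number must carry. The following is an added example, not iViZ's code or any bank's issuing logic; it assumes a 16-digit number, a constructed placeholder issuer prefix (not a real BIN), and shows a counter-based generator beside the random one so the "follows a pattern" weakness can be seen directly.

```python
import secrets

# Constructed placeholder issuer prefix; a real issuer identifier is assigned by the scheme.
ISSUER_PREFIX = "400000"


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that is missing its final digit."""
    total = 0
    # Walk from the right; the rightmost partial digit sits next to the check
    # digit position and is therefore the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the whole number (including its last digit) passes the Luhn check."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def sequential_vcc_number(counter: int, prefix: str = ISSUER_PREFIX) -> str:
    """The weak pattern the text describes: account digits taken from a counter.
    Every number is Luhn-valid, yet knowing one card reveals its neighbours."""
    partial = prefix + f"{counter:09d}"
    return partial + luhn_check_digit(partial)


def generate_vcc_number(prefix: str = ISSUER_PREFIX, length: int = 16) -> str:
    """Random account digits from the OS CSPRNG (secrets), plus the Luhn check digit.
    With a 6-digit prefix there are 10**9 candidate numbers and no ordering to guess."""
    body_len = length - len(prefix) - 1
    body = "".join(str(secrets.randbelow(10)) for _ in range(body_len))
    partial = prefix + body
    return partial + luhn_check_digit(partial)


def generate_cvv() -> str:
    """Three random digits from the same CSPRNG, zero-padded."""
    return f"{secrets.randbelow(1000):03d}"


if __name__ == "__main__":
    print("predictable:", [sequential_vcc_number(n) for n in range(3)])
    print("random:     ", [generate_vcc_number() for _ in range(3)])
    print("cvv:        ", generate_cvv())
```

The random generator still has to check the result against the store of already-issued numbers and retry on a collision, which is an issuing concern rather than a randomness one; the point here is that `secrets` rather than `random` or a database sequence is what makes the numbers unguessable.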

NO ANTI-AUTOMATION IN VIRTUAL CREDIT CARD DETAILS VERIFICATION
Weakness: There is no anti-automation control (e.g. CAPTCHA) when verifying Virtual Credit Card details such as the CVV number and expiry date. The Credit Card number is sufficiently long; however, the CVV is generally a 3 digit number and the expiry date is also a 2 digit number. As a result, it is possible to brute-force the CVV number and expiry date and shop online using a stolen virtual credit card number.

Mitigation: There should be sufficient anti-automation, e.g. CAPTCHA, when verifying the CVV number along with the Credit Card Number.

NO ANTI-AUTOMATION IN CARD CREATION PROCESS
Weakness: There is no anti-automation while creating a virtual credit card. An attacker can use automated scripts to exhaust the available credit card numbers. As a result, Credit Card Numbers can be exhausted and made unavailable to legitimate users, leading to a Denial of Service (DoS). It can also enable other attacks, including Credit Card Number pattern prediction.

Mitigation: There should be sufficient anti-automation, e.g. CAPTCHA, when creating virtual credit cards.
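CAPTCHA is the control the text names for both the verification and the creation step; a server-side attempt limit is the complementary control that does not depend on the browser, and it is what can be shown in runnable form. The following is an added example covering both passages, not iViZ's code or any bank's implementation; it assumes a sliding-window limiter keyed on the card number for CVV/expiry checks and on the authenticated user for card creation, a constructed card record with fake values, and a constructed counter standing in for the bank's pool of unissued numbers. The caller supplies the current time so the behaviour is deterministic.

```python
from __future__ import annotations

import hmac
import time
from collections import defaultdict, deque


class AttemptLimiter:
    """Sliding-window limiter: at most `max_attempts` calls per key within `window_seconds`."""

    def __init__(self, max_attempts: int, window_seconds: float) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._events: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:   # discard events that left the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


# Constructed sample card store with fake values (not real card data).
CARDS = {"4000001234567890": {"cvv": "123", "expiry": "1214"}}

# Constructed pool size: the bank has a finite set of unissued numbers.
REMAINING_NUMBERS = {"count": 10}


def verify_card(number: str, cvv: str, expiry: str, limiter: AttemptLimiter,
                now: float, cards: dict = CARDS) -> str:
    """Throttled CVV/expiry check, keyed on the card number: with a few attempts per
    window, the ~1000 possible CVVs cannot be enumerated against a known number."""
    if not limiter.allow(number, now):
        return "throttled"
    card = cards.get(number)
    if card is None:
        return "declined"
    ok = (hmac.compare_digest(card["cvv"], cvv)
          and hmac.compare_digest(card["expiry"], expiry))
    return "approved" if ok else "declined"


def create_card(user_id: str, limiter: AttemptLimiter, now: float,
                pool: dict = REMAINING_NUMBERS) -> str:
    """Throttled card creation, keyed on the authenticated user, so one account
    cannot script its way through the number pool."""
    if not limiter.allow(user_id, now):
        return "throttled"
    if pool["count"] <= 0:
        return "no numbers available"
    pool["count"] -= 1
    return "created"


if __name__ == "__main__":
    # Constructed demo: three wrong CVVs, then the correct one inside the same window.
    lim = AttemptLimiter(max_attempts=3, window_seconds=60)
    t = time.monotonic()
    for guess in ("000", "001", "002", "123"):
        print(guess, verify_card("4000001234567890", guess, "1214", lim, now=t))
```

Keying the verification limiter on the card number rather than on the client IP is deliberate: a distributed guessing attempt changes IPs but cannot change the card it is guessing against. The creation limiter is keyed on the user because the creation step is authenticated, and the window there would normally be a day rather than a minute.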

iViZ Security is the industry's first cloud-based penetration testing service for web applications. Unlike scanners, which lack quality, and consultants, who are expensive, iViZ delivers consultant-grade testing in a SaaS-based, cost-effective subscription model. iViZ provides a "Zero False Positives Guarantee" and advanced business logic testing by leveraging its patent-pending "hybrid approach", which integrates automation with manual testing by security experts. More than 300 customers worldwide use iViZ for greater quality, scalability and cost effectiveness.

iViZ Security Inc
365 Boston Post Road
Suite 300
Sudbury, MA 01776

Ph: +1-617-337-3533

This release was published on openPR.

News-ID: 250107
