Task #12581
Task #12556: Pentest - 2nd Assessment [2021]
Pentest_CDB - Usable Previously Requested OTP [LOW]
| Status: | Closed - End of life cycle | Start date: | November 09, 2021 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Nurul Athira Abdul Rahim | % Done: | 90% |
| Category: | Penetration Test Issue | Spent time: | - |
| Target version: | - | | |
Description
During the application test, the LGMS team observed that old OTPs can be reused. This increases an attacker's chances of guessing a valid OTP and processing a transaction.
After the current OTP has been used for a login or transaction, it remains usable for the next login or transaction attempt, as tested.
Solution provided by LGMS:
It is recommended to invalidate the old OTP once the user has used it, or when a new OTP has been generated.
Affected Module and URL:
[Login]
https://10.10.55.34:9444/bsn-cdb-uat/bib101_ibPortalLogin.action
[Transfer - Submit OTP]
https://10.10.55.34:9444/bsn-cdb-uat/ib104_ibInterbankTransferResults.action
[Payment - Submit OTP]
https://10.10.55.34:9444/bsn-cdb-uat/ib105_ibBillPaymentResults.action
[Bulk Payment File Upload - Submit OTP]
https://10.10.55.34:9444/bsn-cdb-uat/ib127_ibAutoCreditFileUploadResults.action
[LHDN File Upload - Submit OTP]
https://10.10.55.34:9444/bsn-cdb-uat/ib132_ibStatutoryBodyLHDNFileUploadResults.action
Tested by QA:
Currently: within 60 s the same OTP can be used twice.
Expectation: the OTP should expire after one use.
Related issues
History
#1 Updated by Aditya Prathama almost 3 years ago
- Status changed from New - Begin Life Cycle to Internal Testing
- Assignee changed from Aditya Prathama to Nurul Athira Abdul Rahim
The BSNeBiz soft token already has its duration set so that a token is valid for up to 5 minutes. Because the BSNeBiz soft token is a time-based cryptographic token that requires time synchronisation between client and server, the 5-minute setting provides a 5-minute difference buffer so that tokens can be validated.
#2 Updated by Aditya Prathama almost 3 years ago
- % Done changed from 0 to 100
#3 Updated by Nurul Athira Abdul Rahim over 2 years ago
- Status changed from Internal Testing to System Integration Test
JTM to be discussed with the user.
#4 Updated by Nurul Athira Abdul Rahim over 2 years ago
- Status changed from System Integration Test to Development / Work In Progress
- Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin
Kindly review the fixes, as the new pentest (March 9, 20202) result status states "not solved".
#5 Updated by Najmi Pasarudin over 2 years ago
- % Done changed from 100 to 90
Based on Adit's feedback, the OTP library provided by Mr. Lee has a 5-minute buffer.
Currently unable to update due to limited access to the OTP library.
It is possible to add a new column for previously used OTPs.
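As an added illustration (not code from the ticket, from LGMS, or from the BSNeBiz/Upass OTP library), the Python below puts the window-only check that lets one OTP be reused for the whole 5-minute buffer, as described in the finding above, beside a check that also records the consumed time steps per user, the role of the "previously used OTP" column proposed in this comment. The 30-second step, the constant-time comparison, the seed and the timestamps are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import hmac

STEP = 30     # TOTP time step in seconds (assumed; the ticket does not state it)
WINDOW = 10   # skew accepted each way, in steps: 10 * 30 s = the 5-minute buffer in the ticket

def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 code for one time-step counter (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def matching_step(secret: bytes, code: str, now: float) -> int | None:
    """Return the step inside the +/- WINDOW skew buffer whose code equals `code`, else None."""
    current = int(now // STEP)
    for step in range(current - WINDOW, current + WINDOW + 1):
        if hmac.compare_digest(totp(secret, step), code):
            return step
    return None

def verify_reusable(secret: bytes, code: str, now: float) -> bool:
    """Window-only check, the behaviour the pentest observed: a code stays valid for the
    whole 5-minute buffer however many times it is submitted."""
    return matching_step(secret, code, now) is not None

def verify_once(secret: bytes, code: str, now: float, used: set[int]) -> bool:
    """Window check plus a replay guard. `used` is this user's set of consumed steps, standing
    in for the 'previously used OTP' column proposed in the ticket; it is updated in place."""
    if not (code.isascii() and code.isdigit() and len(code) == 6):
        return False
    used -= {s for s in used if s < int(now // STEP) - WINDOW}   # forget steps that expired anyway
    step = matching_step(secret, code, now)
    if step is None or step in used:
        return False             # wrong code, or a replay of one already consumed
    used.add(step)               # consume it: the same OTP is rejected from now on
    return True

def demo() -> tuple[bool, bool, bool, bool]:
    """Constructed scenario: the same OTP submitted twice within 60 s, then a fresh one."""
    secret, t0 = b"constructed-demo-seed-not-a-real-one", 1_700_000_000.0  # constructed sample values
    code, used = totp(secret, int(t0 // STEP)), set()     # `used` starts empty for this user
    replay_old = verify_reusable(secret, code, t0 + 45)   # True: window-only check accepts the replay
    first = verify_once(secret, code, t0, used)           # True: first use is accepted
    replay = verify_once(secret, code, t0 + 45, used)     # False: same OTP 45 s later is rejected
    fresh = verify_once(secret, totp(secret, int((t0 + 120) // STEP)), t0 + 120, used)  # True: next step
    return replay_old, first, replay, fresh
```

In a real deployment the `used` set is the per-user store the ticket proposes, so the replay check must read and write it in the same transaction as the login or transfer it protects.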
#6 Updated by Najmi Pasarudin over 2 years ago
Got an update from Mr. Lee.
Working on updating the OTP parameter in Upass.
#7 Updated by Najmi Pasarudin over 2 years ago
- Status changed from Development / Work In Progress to Internal Testing
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
Fixed in 12936
#8 Updated by Nurul Athira Abdul Rahim 7 months ago
- Status changed from Internal Testing to Closed - End of life cycle
Closed for this; refer to the new 2023/2024 pentest report.