Support #12933

[SCP ID :##6249##] : Mobile Pentest Remediation

Added by Zahir Abd Latif over 2 years ago. Updated almost 2 years ago.

Status: Development / Work In Progress
Start date: April 22, 2022
Priority: Normal
Due date: May 18, 2022
Assignee: Nurul Athira Abdul Rahim
% Done: 99%
Category: Pentest
Spent time: -
Target version: -

Description

Hi,
Kindly attend to the request below:

Mobile Pentest Remediation


Subtasks

Task #12943: [SCP ID :##6249##] : Mobile Pentest Remediation M1 Insecu... | Pending UAT Deployment | Binti Marobi Athirah Umairah

Task #12944: [SCP ID :##6249##] : Mobile Pentest Remediation M1 Insecu... | Pending UAT Deployment | Binti Marobi Athirah Umairah

Task #12968: [SCP ID :##6249##] : Mobile Pentest Remediation L1 Missin... | Internal Testing | Nurul Athira Abdul Rahim

Task #12972: Pentest - L2 No Server-Side Session Termination | Pending UAT Deployment | Nurul Athira Abdul Rahim

Task #12973: [IOS] Pentest - L2 No Server-Side Session Termination | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12974: [ANDROID] - Pentest - L2 No Server-Side Session Termination | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12975: [ANDROID] - L3 - Sensitive Information Leaked in Logs (Un... | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12976: [IOS] - L3 - Sensitive Information Leaked in Logs (Uninte... | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12977: [ANDROID] - L4 - Missing Certificate/ Public Key Pinning | Finished Development | MUHAMMAD IHSAN

Task #12978: [IOS] - L4 - Missing Certificate/ Public Key Pinning | Development / Work In Progress | Binti Marobi Athirah Umairah

Task #12979: [IOS] - L5 - Application Backgrounding (Unintended Data L... | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12980: Pentest - L6 - Local Biometric Authentication Bypass | Internal Testing | Nurul Athira Abdul Rahim

Task #12981: Pentest - L7 - Packet Replay (Fund Transfer) | Dropped-End of life cycle | Najmi Pasarudin

Task #12982: [ANDROID] - Pentest - L7 - Packet Replay (Fund Transfer) | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12983: [IOS] - Pentest - L7 - Packet Replay (Fund Transfer) | Pending UAT Deployment | Nurul Athira Abdul Rahim

Task #13098: Pass the JID data from Detail Restful Response to Confir... | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12984: Pentest - L8 - Parameter Tampering (Generate PDF) | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12985: [SCP ID :##6249##] : Mobile Pentest Remediation - Pentest... | Internal Testing | Nurul Athira Abdul Rahim

Task #12986: Pentest - L10 - Circumvention of Workflow (OTP Bypass) | Pending UAT Deployment | Nurul Athira Abdul Rahim

Task #13089: IOS Pentest - L10 - Circumvention of Workflow (OTP Bypass) | User Acceptance Test | Binti Marobi Athirah Umairah

Task #13090: Android Pentest - L10 - Circumvention of Workflow (OTP By... | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12987: [ANDROID] - Pentest - L11 - Android Application Supports ... | Pending UAT Deployment | Nurul Athira Abdul Rahim

Task #12988: [ANDROID] - Pentest - L12 - Overly Permissive Permission | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12989: [IOS] - Pentest - L12 - Overly Permissive Permission | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12990: [IOS] - Pentest - L13 - App Transport Security (ATS) Exce... | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12991: [ANDROID] - Pentest - I1 - Application Allows Use of Thir... | User Acceptance Test | Binti Marobi Athirah Umairah

Task #12992: [ANDROID] - Pentest - I2 - Application Screenshot (Uninte... | User Acceptance Test | Binti Marobi Athirah Umairah

History

#1 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

H1 Unencrypted Communications (Target SIT 25/4/2022)
Channel: None
Issue: Mobile apk is using an unsecured connection
Finding: LGMS tested the APK using the app URL instead of the web URL http://10.10.95.121:8080 or https://www.bsnebiz.com.my
Solution:
Penril needs to prepare an APK using https, or LGMS tests using the Production APK
Due to a security issue, the UAT https URL cannot be made public
Test step: Redo the testing using the web URL Production APK

M1 Insecure Direct Object Reference (IDOR) (Target SIT 25/4/2022)
Channel: Restful, APK Android, APK IOS
Issue: Mobile allows a modified account number when making a transaction
Finding: Restful does not check whether the account number belongs to the user id
Solution: Remove the parameter for linked account. Update the code to generate the linked account using the encrypted user id at the middle-service.
Test step:
  1. Access mobile application
  2. Access Transaction history
  3. Check account list. Make sure it is the allowed account set by Corporate Admin.
  4. Repeat testing at Details page for Own Account, Loan, Corporate Card, Third Party, Interbank, DuitNow, RENTAS, Bill Payment and Jompay.

L1 Missing Function Level Access Control (MFLAC)
Channel: Restful
Issue: Restful allows Payment and eStatement without password login
Finding: Restful relies on the mobile password login popup. LGMS can bypass the popup.
Solution: Add a database mobile login status and check it at every transaction
Test step:
  1. Access mobile application
  2. Enter login password
  3. Access Payment and Transfer
  4. Make Own account transfer
  5. Expected result: transfer status is successful/pending approval
  6. Repeat testing for Loan, Corporate Card, Third Party, Interbank, DuitNow, RENTAS, Bill Payment and Jompay.

L2 No Server-Side Session Termination
Channel: Restful, APK Android, APK IOS
Issue: Session is not terminated at mobile logout or timeout
Finding:
Solution:
Test step:

L3 Sensitive Information Leaked in Logs (Unintended Data Leakage)
Channel: Restful, APK Android, APK IOS
Issue: Log shows sensitive information such as bearer token, username, address, email, phone no, transaction details, bank account details, encrypted/hashed password
Finding:
Solution:
Test step:

L4 Missing Certificate/ Public Key Pinning
Finding:
Solution:
Test step:

L5 Application Backgrounding (Unintended Data Leakage)
Channel: APK IOS
Issue: IOS can screenshot the BSN application
Finding: Previously fixed; need to check the IOS version
Solution:
Test step:

L6 Local Biometric Authentication Bypass
Channel: Restful
Issue: Related to L1
Finding:
Solution:
Test step:

L7 Packet Replay (Fund Transfer)
Channel: Restful
Issue: A similar transaction can be replicated by the LGMS tool
Finding:
Solution: Add a database JID to each transaction, similar to RENTAS
Test step:

L8 Parameter Tampering (Generate PDF)
Channel: Restful, APK Android, APK IOS
Issue: The receipt PDF restful parameter can be modified
Finding:
Solution: Generate the PDF parameter at the middle-service instead of using the restful parameter. Fixed by Wen Hong but not yet deployed on Production.
Test step:

L9 DuitNow Recipient Name Enumeration
Channel: Restful
Issue: Restful allows Duitnow ID lookup without limit
Finding:
Solution: Add a database Duitnow ID lookup limit
Test step:

L10 Circumvention of Workflow (OTP Bypass)
Channel: Restful, APK Android, APK IOS
Issue: The OTP restful parameter can be modified to false to bypass the OTP requirement
Finding:
Solution:
Test step:

L11 Android Application Supports Cleartext Traffic
Channel: APK Android
Issue:
Finding:
Solution:
Test step:

L12 Overly Permissive Permission
Channel: APK Android, APK IOS
Issue:
Finding:
Solution:
Test step:

L13 App Transport Security (ATS) Exception Found
Channel: APK IOS
Issue:
Finding:
Solution:
Test step:

I1 Application Allows Use of Third-Party Keyboards
Issue:
Finding:
Solution:
Test step:

I2 Application Screenshot (Unintended Data Leakage)
Issue:
Finding:
Solution:
Test step:
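The server-side checks proposed in the comment above for M1 (linked account derived from the user id), L1 (database login status checked at every transaction), L7 (a JID per transaction) and L10 (OTP state kept server-side, not read from the client payload), as an added illustration that is not Penril's or BSN's code; the `ServerState`, `transfer` and `demo_state` names and all sample data are constructed, and the ownership check is modelled as membership in the server-generated linked-account list.

```python
"""Middle-service validation for one fund-transfer request.
Added illustration; names, fields and sample data are constructed."""
from dataclasses import dataclass, field


@dataclass
class ServerState:
    """Server-side state a real service would hold in its database."""
    linked_accounts: dict                              # user_id -> accounts set by Corporate Admin
    logged_in: set = field(default_factory=set)        # "database mobile login status" (L1)
    otp_verified: set = field(default_factory=set)     # (user_id, jid) pairs cleared by the OTP step (L10)
    used_jids: set = field(default_factory=set)        # JIDs already executed (L7)


def transfer(state, user_id, request):
    """Return 'ok' or a rejection reason. The client payload may carry
    'from_account' and 'otp' fields, but neither is trusted on its own."""
    # L1: login status lives in the database, not in the mobile popup
    if user_id not in state.logged_in:
        return "rejected: not logged in"
    # M1: the allowed accounts are generated from the authenticated user id;
    # a client-supplied account that is not linked to this user is refused
    allowed = state.linked_accounts.get(user_id, set())
    if request.get("from_account") not in allowed:
        return "rejected: account not linked to user"
    # L7: each transaction carries one JID; a replayed JID is refused
    jid = request.get("jid")
    if jid is None or jid in state.used_jids:
        return "rejected: missing or replayed jid"
    # L10: OTP completion was recorded server-side by the OTP step;
    # the client's own 'otp' flag is ignored entirely
    if (user_id, jid) not in state.otp_verified:
        return "rejected: otp not verified"
    state.used_jids.add(jid)
    return "ok"


def demo_state():
    """Constructed state: user u1 is logged in, owns ACC-001, has passed OTP for J1."""
    return ServerState(linked_accounts={"u1": {"ACC-001"}},
                       logged_in={"u1"},
                       otp_verified={("u1", "J1")})


if __name__ == "__main__":
    s = demo_state()
    print(transfer(s, "u1", {"from_account": "ACC-001", "jid": "J1", "otp": "false"}))
    print(transfer(s, "u1", {"from_account": "ACC-001", "jid": "J1", "otp": "false"}))
```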

#2 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Category set to Pentest
