Support #12936

[SCP ID :##6250##] : Web Application Pentest Remediation

Added by Zahir Abd Latif over 2 years ago. Updated about 2 years ago.

Status: Work Completed-End life cycle
Start date: April 21, 2022
Priority: Normal
Due date:
Assignee: Zahir Abd Latif
% Done: 100%
Category: PCI DSS - Pentest
Spent time: -
Target version: -

Description

Hi,
Kindly attend below request:-

Web Application Pentest Remediation

2021 BSN CDB Front End Portal (Rentas Module) Web Application Penetration Test Quick Results -v1.0.xlsx (4.19 MB) Zahir Abd Latif, April 21, 2022 16:04

H1.png (121 KB) Najmi Pasarudin, April 22, 2022 12:27

M1.png (37.6 KB) Najmi Pasarudin, April 22, 2022 12:27

L1.png (81.1 KB) Najmi Pasarudin, April 22, 2022 12:27

L5.png (29.6 KB) Najmi Pasarudin, April 22, 2022 12:27

L6.png (70.5 KB) Najmi Pasarudin, April 22, 2022 12:27

L8 Test Result.jpg (246 KB) Nurul Athira Abdul Rahim, April 22, 2022 13:05

L9 test result.jpg (248 KB) Nurul Athira Abdul Rahim, April 22, 2022 13:05

H1 Test result.png (52 KB) Najmi Pasarudin, May 12, 2022 14:12

M1 Test result.png (86.4 KB) Najmi Pasarudin, May 12, 2022 14:12


Related issues

Related to BSN Corporate Digital Banking - Task #12581: Pentest_CDB - Usable Previously Requested OTP [LOW] Closed - End of life cycle November 09, 2021
Related to BSN Corporate Digital Banking - Task #12580: Pentest_CDB - [POTENTIAL] Malicious File Upload [LOW] Rejected - End of life cycle November 09, 2021

History

#1 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

#2 Updated by Najmi Pasarudin over 2 years ago

H1 Unencrypted Communications
Finding: LGMS tested using the app URL instead of the web URL http://10.10.95.121:8080/bsn-cdb-uat/* or https://www.bsnebiz.com.my/bsn-cdb/commonLogin
Solution: LGMS needs to retest using the web URL
Test step: Redo the testing using the web URL

M1 Using Components with Known Vulnerabilities
Finding: jQuery UI 1.12.1 and Highlight JS 9.12.0 are outdated
Solution: Updated jQuery UI to 1.13 and removed the unused highlight.common.js
Test step:
  1. Log in to BSNeBiz in the Google Chrome browser
  2. Access the browser console via F12
  3. In the 'Elements' tab, search for jquery-ui. The version should be 1.13.
  4. Next, search for highlight.common.js. The library should be missing.
  5. Continue testing by making a fund transfer
  6. Should work as usual

L1-L5 Missing security header
Finding: LGMS tested using the app URL instead of the web URL http://10.10.95.121:8080/bsn-cdb-uat/* or https://www.bsnebiz.com.my/bsn-cdb/commonLogin
Solution: LGMS needs to retest using the web URL
Test step: Redo the testing using the web URL

L6 Application Error
Finding: RENTAS action missing result page for invalid.token
Solution: Fix RENTAS action and result for invalid.token
Test step:
  1. Log in to BSNeBiz and make a RENTAS transfer
  2. At the details page, press F12 and select the form element
  3. Find input name="token" and replace the value
  4. Click Next
  5. Should get the Service Unavailable page

L7 Arbitrary Host Header Accepted
Finding: LGMS tested using the app URL instead of the web URL http://10.10.95.121:8080/bsn-cdb-uat/* or https://www.bsnebiz.com.my/bsn-cdb/commonLogin
Solution: LGMS needs to retest using the web URL
Test step: Redo the testing using the web URL

L8 Usable Previously Requested TAC
Finding: The same OTP can be used multiple times within the timeout
Solution: Updated BSNeBiz to validate against previously used OTPs
Test step:
  1. Access BSNeBiz as a Single user and make a RENTAS transfer
  2. Key in the OTP and submit the transfer.
  3. Before the OTP timeout, make another RENTAS transfer, key in the OTP and submit the transfer
  4. Should get the invalid OTP error

L9 Unprocessed Transaction Does Not Expire
Finding: OTP does not expire after the mobile OTP changes after 1 minute. Actual expiry time is 5 minutes.
Solution: Updated BSNeBiz OTP timeout
Test step:
  1. Access BSNeBiz as a Single user and make a RENTAS transfer
  2. Key in the OTP, wait 1 minute and submit.
  3. Should get the invalid OTP error
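
The L8 and L9 fixes above (reject a previously used OTP, and reject an OTP once its window has passed) come down to one server-side rule: an OTP is bound to the user that requested it, is accepted at most once, and is discarded after its TTL. The following is an added example of that rule, written in Python for illustration; it is not BSNeBiz code and nothing on this ticket says what the application is written in. The 60-second TTL, the 6-digit format, the attempt limit and the per-user keying are assumptions; the ticket only says the old 5-minute window was too long and that a submit after 1 minute must fail. The `submit_transfer` wrapper also shows the L6 point, mapping every verification outcome to a defined result page instead of an unhandled error.

```python
"""Single-use, time-limited OTP/TAC verification (added example, not BSNeBiz code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumption: the intended lifetime after the fix is 60 seconds; the ticket only
# says the old 5-minute window was too long and a submit after 1 minute must fail.
DEFAULT_TTL_SECONDS = 60
MAX_ATTEMPTS = 3  # assumption: lock the OTP after a few wrong guesses


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpStore:
    """Keeps one outstanding OTP per user and enforces expiry and single use."""

    def __init__(self, ttl_seconds: int = DEFAULT_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so the retest below can advance time
        self._records: Dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> str:
        """Generate a fresh 6-digit OTP; any earlier OTP for the user is discarded."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[user_id] = OtpRecord(code=code, issued_at=self._clock())
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        """Return 'ok' exactly once per issued OTP; otherwise a specific rejection reason."""
        rec = self._records.get(user_id)
        if rec is None:
            return "no_otp"
        if self._clock() - rec.issued_at > self._ttl:
            del self._records[user_id]          # L9: a stale OTP must never be accepted
            return "expired"
        if rec.used:
            return "already_used"               # L8: replay within the window
        if rec.attempts >= MAX_ATTEMPTS:
            return "locked"
        rec.attempts += 1
        if not hmac.compare_digest(rec.code, submitted):  # constant-time compare
            return "invalid"
        rec.used = True                         # consume on the first success
        return "ok"


def submit_transfer(store: OtpStore, user_id: str, otp: str) -> str:
    """Map every verification outcome to a defined result page (cf. L6)."""
    outcome = store.verify(user_id, otp)
    if outcome == "ok":
        return "transfer_accepted"
    # One generic page for the user; the precise reason belongs in the server log.
    return "invalid_otp_page"


def run_retest_scenarios() -> dict:
    """Replays the L8 and L9 retest steps against a fake clock (constructed input)."""
    now = [1_700_000_000.0]
    store = OtpStore(ttl_seconds=60, clock=lambda: now[0])

    # L8: the same OTP submitted for a second transfer within the window
    code = store.issue("rentas-user")
    first = store.verify("rentas-user", code)   # ok
    second = store.verify("rentas-user", code)  # already_used

    # L9: the OTP submitted after waiting longer than the TTL
    code = store.issue("rentas-user")
    now[0] += 61
    late = store.verify("rentas-user", code)    # expired

    # A wrong code is rejected without consuming the OTP; the right one still works once.
    code = store.issue("rentas-user")
    wrong = store.verify("rentas-user", "000000" if code != "000000" else "111111")
    right = store.verify("rentas-user", code)

    return {"first": first, "second": second, "late": late, "wrong": wrong,
            "right": right, "page": submit_transfer(store, "rentas-user", code)}


if __name__ == "__main__":
    print(run_retest_scenarios())
```

The store keys on the user rather than on the transaction because the L8 finding describes one TAC being replayed across two RENTAS transfers; if the real implementation issues a TAC per transaction, key on the transaction ID as well so a TAC issued for one transfer cannot authorise another.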

#3 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
  • % Done changed from 0 to 90

#4 Updated by Najmi Pasarudin over 2 years ago

#5 Updated by Nurul Athira Abdul Rahim over 2 years ago

Tested and passed

#6 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Category set to PCI DSS - Pentest

#7 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from System Integration Test to Pending UAT Deployment
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

Tested and passed by Firas on 11/5/22

Kindly deploy the fixes to UAT environment

#8 Updated by Najmi Pasarudin over 2 years ago

  • File H1 Test result.png added
  • File M1 Test result.png added

#9 Updated by Najmi Pasarudin over 2 years ago

  • File deleted (H1 Test result.png)

#10 Updated by Najmi Pasarudin over 2 years ago

  • File deleted (M1 Test result.png)

#11 Updated by Najmi Pasarudin over 2 years ago

Added new H1 and M1 test results.

H1-screenshot from Firefox
M1-screenshot of removed unsecured library

#12 Updated by Najmi Pasarudin about 2 years ago

  • Status changed from Pending UAT Deployment to Code Review

#13 Updated by Najmi Pasarudin about 2 years ago

  • Status changed from Code Review to New - Begin Life Cycle

#14 Updated by Najmi Pasarudin about 2 years ago

  • Status changed from New - Begin Life Cycle to Pending Prod Deployment

#15 Updated by Najmi Pasarudin about 2 years ago

  • Status changed from Pending Prod Deployment to Pending Review
  • Assignee changed from Najmi Pasarudin to Binti Marobi Athirah Umairah

Production deployed on 26/08/2022

#16 Updated by Binti Marobi Athirah Umairah about 2 years ago

  • Status changed from Pending Review to Work Completed-End life cycle
  • Assignee changed from Binti Marobi Athirah Umairah to Zahir Abd Latif
  • % Done changed from 90 to 100

Migration ID0059
