Support #12936
[SCP ID :##6250##] : Web Application Pentest Remediation
| Status: | Work Completed-End life cycle | Start date: | April 21, 2022 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Zahir Abd Latif | % Done: | 100% |
| Category: | PCI DSS - Pentest | Spent time: | - |
| Target version: | - | | |
Description
Hi,
Kindly attend below request:-
Web Application Pentest Remediation
Related issues
History
#1 Updated by Najmi Pasarudin over 2 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
- Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin
#2 Updated by Najmi Pasarudin over 2 years ago
H1 Unencrypted Communications
Finding: LGMS tested using the app URL instead of the web URL: http://10.10.95.121:8080/bsn-cdb-uat/* or https://www.bsnebiz.com.my/bsn-cdb/commonLogin
Solution: LGMS needs to test using the web URL
Test step: Redo the testing using the web URL
Finding: jQuery UI 1.12.1 and Highlight JS 9.12.0 are outdated
Solution: Updated jQuery UI to 1.13 and removed the unused highlight.common.js
Test step:
- Log in to BSNeBiz in the Google Chrome browser
- Access the browser console via F12
- In the 'Elements' tab, search for jquery-ui. The version should be 1.13.
- Next, search for highlight.common.js. The library should be missing.
- Continue testing by making a fund transfer
- Should work as usual
L1-L5 Missing security header
Finding: LGMS tested using the app URL instead of the web URL: http://10.10.95.121:8080/bsn-cdb-uat/* or https://www.bsnebiz.com.my/bsn-cdb/commonLogin
Solution: LGMS needs to test using the web URL
Test step: Redo the testing using the web URL
Finding: RENTAS action missing result page for invalid.token
Solution: Fix RENTAS action and result for invalid.token
Test step:
- Log in to BSNeBiz and make a RENTAS transfer
- On the details page, press F12 and select the form element
- Find input name="token" and replace the value
- Click Next
- Should get the Service Unavailable page
L7 Arbitrary Host Header Accepted
Finding: LGMS tested using the app URL instead of the web URL: http://10.10.95.121:8080/bsn-cdb-uat/* or https://www.bsnebiz.com.my/bsn-cdb/commonLogin
Solution: LGMS needs to test using the web URL
Test step: Redo the testing using the web URL
Finding: The same OTP can be used multiple times within the timeout
Solution: Updated BSNeBiz to validate previously used OTPs
Test step:
- Access BSNeBiz as a Single user and make a RENTAS transfer
- Key in the OTP and submit the transfer.
- Before the OTP timeout, make another RENTAS transfer, key in the OTP and submit the transfer
- Should get an invalid OTP error
Finding: OTP does not expire after the mobile changed OTP after 1 minute. Actual expiry time is 5 minutes.
Solution: Updated the BSNeBiz OTP timeout
Test step:
- Access BSNeBiz as a Single user and make a RENTAS transfer
- Key in the OTP, wait 1 minute and submit.
- Should get an invalid OTP error
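The two OTP fixes in this comment (a code already used once is refused, and a code is refused once it outlives its window) as one added illustration in Python. This is not BSNeBiz code; the 60-second TTL, the per-transaction binding and the user and transaction names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed TTL for illustration: the ticket only says the old 5-minute window
# was shortened so that a code submitted after 1 minute is rejected.
OTP_TTL_SECONDS = 60

def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()   # plaintext code is never stored

class OtpService:
    """One live OTP per user, bound to a transaction, accepted once within the TTL.
    `now` is passed in (time.time() in production) so expiry is testable."""

    def __init__(self, ttl_seconds: int = OTP_TTL_SECONDS):
        self.ttl = ttl_seconds
        self._live: dict[str, dict] = {}

    def issue(self, user: str, txn_id: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
        self._live[user] = {"digest": _digest(code), "txn": txn_id, "at": now, "used": False}
        return code

    def verify(self, user: str, txn_id: str, code: str, now: float) -> str:
        rec = self._live.get(user)
        if rec is None:
            return "unknown"
        if rec["used"]:                   # same OTP submitted for a second transfer
            return "already_used"
        if now - rec["at"] > self.ttl:
            self._live.pop(user)          # outlived the timeout
            return "expired"
        if rec["txn"] != txn_id:          # code was issued for a different transfer
            return "wrong_txn"
        if not hmac.compare_digest(rec["digest"], _digest(code)):
            return "bad_code"
        rec["used"] = True                # burn it so a replay fails
        return "ok"

def walkthrough() -> list[str]:
    """Replays the ticket's two test cases: OTP reuse, then a 1-minute-old OTP."""
    svc = OtpService()
    first = svc.issue("single_user", "RENTAS-1", now=0.0)
    out = [svc.verify("single_user", "RENTAS-1", first, now=5.0),        # ok
           svc.verify("single_user", "RENTAS-1", first, now=10.0)]       # already_used
    second = svc.issue("single_user", "RENTAS-2", now=20.0)
    out.append(svc.verify("single_user", "RENTAS-1", second, now=25.0))  # wrong_txn
    out.append(svc.verify("single_user", "RENTAS-2", second, now=81.0))  # expired
    return out
```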
#3 Updated by Najmi Pasarudin over 2 years ago
- Status changed from Development / Work In Progress to Internal Testing
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
- % Done changed from 0 to 90
#4 Updated by Najmi Pasarudin over 2 years ago
#5 Updated by Nurul Athira Abdul Rahim over 2 years ago
- File L8 Test Result.jpg added
- File L9 test result.jpg added
- Status changed from Internal Testing to System Integration Test
Tested and passed
#6 Updated by Nurul Athira Abdul Rahim over 2 years ago
- Category set to PCI DSS - Pentest
#7 Updated by Nurul Athira Abdul Rahim over 2 years ago
- Status changed from System Integration Test to Pending UAT Deployment
- Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin
Tested and passed by Firas on 11/5/22
Kindly deploy the fixes to the UAT environment
#8 Updated by Najmi Pasarudin over 2 years ago
- File H1 Test result.png added
- File M1 Test result.png added
#9 Updated by Najmi Pasarudin over 2 years ago
- File deleted (H1 Test result.png)
#10 Updated by Najmi Pasarudin over 2 years ago
- File deleted (M1 Test result.png)
#11 Updated by Najmi Pasarudin over 2 years ago
- File H1 Test result.png added
- File M1 Test result.png added
Add new H1 and M1 test results.
H1 - screenshot from Firefox
M1 - screenshot of the removed unsecured library
#12 Updated by Najmi Pasarudin about 2 years ago
- Status changed from Pending UAT Deployment to Code Review
#13 Updated by Najmi Pasarudin about 2 years ago
- Status changed from Code Review to New - Begin Life Cycle
#14 Updated by Najmi Pasarudin about 2 years ago
- Status changed from New - Begin Life Cycle to Pending Prod Deployment
#15 Updated by Najmi Pasarudin about 2 years ago
- Status changed from Pending Prod Deployment to Pending Review
- Assignee changed from Najmi Pasarudin to Binti Marobi Athirah Umairah
Production deployed on 26/08/2022
#16 Updated by Binti Marobi Athirah Umairah about 2 years ago
- Status changed from Pending Review to Work Completed-End life cycle
- Assignee changed from Binti Marobi Athirah Umairah to Zahir Abd Latif
- % Done changed from 90 to 100
Migration ID0059