Task #12973

Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation

Task #12972: Pentest - L2 No Server-Side Session Termination

[IOS] Pentest - L2 No Server-Side Session Termination

Added by Nurul Athira Abdul Rahim over 2 years ago. Updated over 1 year ago.

Status: User Acceptance Test
Start date: May 10, 2022
Priority: Normal
Due date:
Assignee: Binti Marobi Athirah Umairah
% Done: 100%
Category: PCI DSS - Pentest
Spent time: -
Target version: -

Description

At the time of assessment, the LGMS security team identified that it is possible to access password-protected functions using only biometric authentication.

The mobile application does not protect functions properly. In some cases, function-level protection is managed via configuration, and the system is misconfigured. In others, developers must include the proper code checks, but may overlook them.

When an attacker claims to have a given identity, the application does not prove, or insufficiently proves, that the identity is correct. Such flaws allow attackers to access unauthorized functionality. Administrative functions are usually key targets for this type of attack.

Action Plan:
Check the session table
(Table: bib user security)

2021 BSN CDB eBiz Mobile Application Penetration Test Quick Results-v1.0 (1) (UPDATED 210422).xlsx (3.19 MB) Nurul Athira Abdul Rahim, May 10, 2022 16:18

CallingLogoutService.jpg (169 KB) Susanto Felix Brilliant, July 18, 2022 11:40

LogoutService.jpg (184 KB) Susanto Felix Brilliant, July 18, 2022 11:40

History

#1 Updated by Najmi Pasarudin over 2 years ago

Hi Felix,

I added IBLogoutServices/Logout. Please set the requestBean header as usual.
Call IBLogoutServices/Logout on mobile logout and timeout.

#2 Updated by Susanto Felix Brilliant about 2 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress
  • % Done changed from 0 to 80

#3 Updated by Susanto Felix Brilliant about 2 years ago

  • % Done changed from 80 to 100

#4 Updated by Susanto Felix Brilliant about 2 years ago

  • Status changed from Development / Work In Progress to Finished Development

#5 Updated by Susanto Felix Brilliant about 2 years ago

Integrated the new logout service, calling the logout API IBLogoutServices/Logout on logout, timeout, remove account, and delete device.
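The control being remediated in #1 and #5 (a logout API that terminates the session on the server, plus a server-enforced idle timeout), as an added Python example that is not the project's code; the in-memory session table, the timeout value and the function names are assumptions:

```python
# Added example (not the project's code): a minimal server-side session table
# showing why a logout endpoint such as IBLogoutServices/Logout must invalidate
# the session on the server, so a token held before logout is useless after it.
import secrets
from typing import Dict, Optional

IDLE_TIMEOUT_SECONDS = 300  # assumed value; the ticket does not state the real timeout

# Constructed in-memory stand-in for the ticket's session table.
# token -> {"user": str, "last_seen": float, "active": bool}
SESSIONS: Dict[str, dict] = {}


def login(user: str, now: float) -> str:
    """Create a server-side session and return its opaque token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "last_seen": now, "active": True}
    return token


def authenticate(token: str, now: float) -> Optional[str]:
    """Return the user for a live session, or None if the token is unknown,
    revoked, or idle past the timeout. Idle sessions are revoked in place."""
    session = SESSIONS.get(token)
    if session is None or not session["active"]:
        return None
    if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
        session["active"] = False  # timeout enforced on the server, not only in the app
        return None
    session["last_seen"] = now
    return session["user"]


def logout(token: str) -> bool:
    """Server-side termination: mark the session inactive. Discarding only the
    client's copy of the token (the finding) would leave the session usable."""
    session = SESSIONS.get(token)
    if session is None or not session["active"]:
        return False
    session["active"] = False
    return True


def demo() -> tuple:
    """Walk through login, logout, reuse of the old token, and an idle timeout."""
    t0 = 1_000_000.0
    token = login("alice", t0)
    before = authenticate(token, t0 + 1)  # "alice": live session
    logout(token)
    after = authenticate(token, t0 + 2)  # None: token rejected after logout
    idle_token = login("bob", t0)
    idle = authenticate(idle_token, t0 + IDLE_TIMEOUT_SECONDS + 1)  # None: timed out
    return before, after, idle
```

A real deployment would keep the table in the database named in the action plan and check it on every authenticated request, not only at login.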

#6 Updated by Susanto Felix Brilliant about 2 years ago

  • Status changed from Finished Development to Internal Testing
  • Assignee changed from Susanto Felix Brilliant to Nurul Athira Abdul Rahim

#7 Updated by Nurul Athira Abdul Rahim about 2 years ago

  • Status changed from Internal Testing to System Integration Test

#8 Updated by Nurul Athira Abdul Rahim over 1 year ago

  • Status changed from System Integration Test to Pending UAT Deployment

Please deploy these fixes to UAT.

Thanks

#9 Updated by Nurul Athira Abdul Rahim over 1 year ago

  • Assignee changed from Nurul Athira Abdul Rahim to Susanto Felix Brilliant

#10 Updated by Susanto Felix Brilliant over 1 year ago

  • Status changed from Pending UAT Deployment to User Acceptance Test
  • Assignee changed from Susanto Felix Brilliant to Binti Marobi Athirah Umairah

Deployed to UAT and provided the links to download.

version 3.3.1 build 341 Internal BSN
https://testflight.apple.com/join/GVdD3RT2

version 3.3.1 build 340 VPN Penril
https://testflight.apple.com/join/CdjMcH3f
