Task #12974: [ANDROID] - Pentest - L2 No Server-Side Session Termination - BSN CDB Support - Penril Support System

Task #12974

Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation

Task #12972: Pentest - L2 No Server-Side Session Termination

[ANDROID] - Pentest - L2 No Server-Side Session Termination

Added by Nurul Athira Abdul Rahim over 2 years ago. Updated over 1 year ago.

Status:

User Acceptance Test

Start date:

May 10, 2022

Priority:

Normal

Due date:

Assignee:

Binti Marobi Athirah Umairah

% Done:

100%

Category:

PCI DSS - Pentest

Spent time:

Target version:

Description

At the time of assessment, LGMS security team identified that it is possible to access password protected functions using only biometric authentication.

The mobile application does not protect functions properly. In some cases, function level protection is managed via configuration, and the system is misconfigured. In others, developers must include the proper code checks, but may potentially overlook it.

When an attacker claims to have a given identity, the application does not prove or insufficiently proves that the identity is correct. Such flaws allow attackers to access unauthorized functionality. Administrative functions are usually key targets for this type of attack.

Action Plan:
To check on session table
(Table : bib user security)

logout1.PNG (55.1 KB) Rahmat Aina Nadia, July 18, 2022 10:16

logout2.PNG (88 KB) Rahmat Aina Nadia, July 18, 2022 10:16

History

#1 Updated by Najmi Pasarudin over 2 years ago

Hi Aina,

I added IBLogoutServices/Logout. Please set requestBean header as usual.
Call IBLogoutServices/Logout at mobile logout and timeout.

#2 Updated by Rahmat Aina Nadia about 2 years ago

Status changed from New - Begin Life Cycle to Development / Work In Progress
% Done changed from 0 to 70

#3 Updated by Rahmat Aina Nadia about 2 years ago

Status changed from Development / Work In Progress to Finished Development
% Done changed from 70 to 100

#4 Updated by Rahmat Aina Nadia about 2 years ago

File logout1.PNG added
File logout2.PNG added

mobile integrated new logout services, calling logout API IBLogoutServices/Logout when logged out, timeout, and remove user.

#5 Updated by Rahmat Aina Nadia about 2 years ago

Status changed from Finished Development to Internal Testing
Assignee changed from Rahmat Aina Nadia to Nurul Athira Abdul Rahim

#6 Updated by Binti Marobi Athirah Umairah about 2 years ago

Tested and passed

#7 Updated by Binti Marobi Athirah Umairah about 2 years ago

Status changed from Internal Testing to System Integration Test

#8 Updated by Nurul Athira Abdul Rahim over 1 year ago

Status changed from System Integration Test to Pending UAT Deployment
Assignee changed from Nurul Athira Abdul Rahim to Rahmat Aina Nadia

Please deploy this fixes to UAT.

Thanks

#9 Updated by Rahmat Aina Nadia over 1 year ago

Status changed from Pending UAT Deployment to User Acceptance Test
Assignee changed from Rahmat Aina Nadia to Binti Marobi Athirah Umairah

Hi Umai,

kindly refer to the link below for the UAT APK. The APK link in the google sheet is also updated.

https://drive.google.com/file/d/1IaK9xpXygbTlXJWvJZZxvToz1U_Gamqi/view?usp=share_link

Also available in: Atom PDF

B - Production Support » BSN CDB Support

Issues