Task #12981
Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation
Pentest - L7 - Packet Replay (Fund Transfer)
| Status: | Dropped-End of life cycle | Start date: | May 10, 2022 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Najmi Pasarudin | % Done: | 100% |
| Category: | PCI DSS - Pentest | Spent time: | - |
| Target version: | - | | |
Description
During the assessment, the LGMS security team identified that packet replay of the fund transfer function is possible by reusing a captured HTTP request. As a result, a malicious user can perform duplicate transactions consecutively. It is also worth noting that packet replay may cause service interruption if a high volume of replayed packets is triggered.
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. It is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution. Transport encryption does not prevent this case: the request is resent by someone who already holds the valid session (for example through an intercepting proxy), so the server must itself recognise and reject a request it has already processed.
Solution: add a JID to the user session in the database, so that each request carries a single-use identifier and the server rejects any request whose JID it has already consumed, for:
- Own transfer
- Third party transfer
- Interbank transfer
- DuitNow transfer
- RENTAS transfer
- Bill payment
- Jompay
- Authorization for above modules
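As an added illustration, and not code from the ticket or from the bank's own RESTful service: the "before" handler the finding describes beside a hardened one that applies the JID-in-session check above. The column names (`pending_jid`, `used_jids`), the JID lifecycle (issued when a transfer or authorization screen is opened, consumed on first use) and all accounts and amounts are assumptions made for this example.

```python
import hmac
import secrets
import threading
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    """One row of the user-session table (constructed stand-in; the ticket does
    not name the real columns, so pending_jid/used_jids are assumptions)."""
    user_id: str
    balance: int
    pending_jid: Optional[str] = None                 # JID issued for the next transfer
    used_jids: Set[str] = field(default_factory=set)  # JIDs already consumed


class SessionDB:
    """In-memory session store. A real database would do the consume step as a
    single UPDATE ... WHERE pending_jid = ? and check the affected-row count."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.ledger: List[dict] = []          # executed transfers
        self.lock = threading.Lock()          # stands in for row locking

    def login(self, user_id: str, balance: int) -> str:
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = Session(user_id=user_id, balance=balance)
        return session_id


def issue_jid(db: SessionDB, session_id: str) -> str:
    """Mint one unpredictable JID when the app opens a transfer or authorization
    screen and bind it to the caller's session row (assumed lifecycle)."""
    jid = secrets.token_urlsafe(24)
    with db.lock:
        db.sessions[session_id].pending_jid = jid
    return jid


def transfer_vulnerable(db: SessionDB, session_id: str, request: dict) -> str:
    """'Before' handler: every authenticated request is executed, so the same
    captured HTTP request replayed N times debits the account N times."""
    with db.lock:
        sess = db.sessions.get(session_id)
        if sess is None:
            return "unauthenticated"
        if sess.balance < request["amount"]:
            return "insufficient_funds"
        sess.balance -= request["amount"]
        db.ledger.append({"from": sess.user_id, "to": request["to"], "amount": request["amount"]})
        return "ok"


def transfer_hardened(db: SessionDB, session_id: str, request: dict) -> str:
    """'After' handler: the request must carry the JID currently bound to this
    session, and the JID is consumed before any money moves."""
    with db.lock:
        sess = db.sessions.get(session_id)
        if sess is None:
            return "unauthenticated"
        jid = request.get("jid")
        if not isinstance(jid, str) or not jid or jid in sess.used_jids:
            return "replay_rejected"          # missing or already-consumed JID
        if sess.pending_jid is None or not hmac.compare_digest(
            jid.encode(), sess.pending_jid.encode()
        ):
            return "replay_rejected"          # stale JID, or one issued to another session
        # Consume first: a concurrent duplicate that takes the lock next fails above.
        sess.pending_jid = None
        sess.used_jids.add(jid)
        if sess.balance < request["amount"]:
            return "insufficient_funds"       # JID is still spent; client must fetch a new one
        sess.balance -= request["amount"]
        db.ledger.append({"from": sess.user_id, "to": request["to"], "amount": request["amount"]})
        return "ok"


def replay(handler, db: SessionDB, session_id: str, request: dict, times: int = 3) -> List[str]:
    """Resend the identical captured request several times, as the pentester did."""
    return [handler(db, session_id, request) for _ in range(times)]


def demo():
    """Replay one captured transfer against both handlers; returns the per-attempt
    outcomes and the final balances (constructed accounts and amounts)."""
    before_db = SessionDB()
    before_sid = before_db.login("alice", balance=1000)
    captured = {"to": "1234567890", "amount": 300}
    before = replay(transfer_vulnerable, before_db, before_sid, captured)

    after_db = SessionDB()
    after_sid = after_db.login("alice", balance=1000)
    captured = {"to": "1234567890", "amount": 300, "jid": issue_jid(after_db, after_sid)}
    after = replay(transfer_hardened, after_db, after_sid, captured)
    return before, before_db.sessions[before_sid].balance, after, after_db.sessions[after_sid].balance


if __name__ == "__main__":
    print(demo())
```

The essential property is that the JID is bound to one session and marked consumed inside the same locked step that debits the account, so two copies of the request racing each other cannot both succeed; in a real deployment that step is the database's atomic update, not a process-local lock. Because a JID issued to one session is rejected by every other session, the check also covers the authorization step listed above, where the same request would otherwise be replayable after a single approval.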
History
#1 Updated by Najmi Pasarudin over 2 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
#2 Updated by Najmi Pasarudin about 2 years ago
- Description updated (diff)
Hi Felix and Aina,
I updated the RESTful service with JID using the user session in the database for the online payment modules. No changes to the mobile code.
Please test:
- Own transfer
- Third party transfer
- Interbank transfer
- DuitNow transfer
- RENTAS transfer
- Bill payment
- Jompay
- Authorization for above modules
#3 Updated by Najmi Pasarudin about 2 years ago
- Status changed from Development / Work In Progress to Internal Testing
#4 Updated by Nurul Athira Abdul Rahim about 2 years ago
Tested and passed
#5 Updated by Nurul Athira Abdul Rahim about 2 years ago
- Status changed from Internal Testing to System Integration Test
#6 Updated by Najmi Pasarudin about 2 years ago
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
#7 Updated by Nurul Athira Abdul Rahim over 1 year ago
- Status changed from System Integration Test to Pending UAT Deployment
- Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin
Please deploy these fixes to UAT.
Thanks
#8 Updated by Najmi Pasarudin 4 months ago
- Status changed from Pending UAT Deployment to Dropped-End of life cycle