Task #12981

Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation

Pentest - L7 - Packet Replay (Fund Transfer)

Added by Nurul Athira Abdul Rahim over 2 years ago. Updated 4 months ago.

Status: Dropped-End of life cycle
Start date: May 10, 2022
Priority: Normal
Due date:
Assignee: Najmi Pasarudin
% Done: 100%
Category: PCI DSS - Pentest
Spent time: -
Target version: -

Description

During the time of assessment, the LGMS security team identified that packet replay for the fund transfer function is possible by reusing the HTTP request packet. As a result, it is possible for a malicious user to perform duplicate transactions consecutively. It is worth noting that packet replay may also cause service interruption if a high volume of packets is triggered.

A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution.

Solution:
Add JID to user session in database for
  1. Own transfer
  2. Third party transfer
  3. Interbank transfer
  4. DuitNow transfer
  5. RENTAS transfer
  6. Bill payment
  7. Jompay
  8. Authorization for above modules
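The server-side check the solution above describes, a single-use JID bound to the user session and cleared the moment a transfer request consumes it, as an added example in Python. This is not the project's code: SessionStore, Ledger, transfer_vulnerable, transfer_protected, the request fields and the in-memory dict standing in for the session table are all assumptions; the real system keeps the JID in the user session row of its database.

```python
"""Single-use JID stored in the user session to stop HTTP request replay.

Added example, not the project's code. SessionStore and Ledger are
constructed stand-ins for the session table and the core-banking posting
interface; field names in the request are assumptions.
"""
import hmac
import secrets
import threading


class Ledger:
    """Constructed stand-in for the core-banking posting interface."""

    def __init__(self):
        self.postings = []

    def post(self, user, payload):
        self.postings.append((user, dict(payload)))
        return len(self.postings)  # posting reference number


class SessionStore:
    """Stand-in for the user-session table (one row per logged-in user)."""

    def __init__(self):
        self._rows = {}
        self._lock = threading.Lock()

    def issue_jid(self, user):
        """Mint a fresh, unguessable JID when the confirm page is served and
        persist it against the user's session."""
        jid = secrets.token_urlsafe(32)
        with self._lock:
            self._rows.setdefault(user, {})["jid"] = jid
        return jid

    def consume_jid(self, user, jid):
        """Atomic check-and-clear: returns True exactly once per issued JID.
        In a database this is a conditional UPDATE (SET jid = NULL WHERE
        user = ? AND jid = ?) followed by a check of the affected row count."""
        if not isinstance(jid, str) or not jid:
            return False
        with self._lock:
            row = self._rows.get(user)
            expected = row.get("jid") if row else None
            if expected is None:
                return False
            # constant-time comparison on bytes so non-ASCII input cannot raise
            if not hmac.compare_digest(expected.encode(), jid.encode()):
                return False
            row["jid"] = None  # cleared: a replayed copy of this request fails
            return True


def transfer_vulnerable(ledger, user, request):
    """Before the fix: every well-formed request is posted, so a captured
    request can be re-sent and posts again."""
    return ("ok", ledger.post(user, request))


def transfer_protected(sessions, ledger, user, request):
    """After the fix: the request must carry the JID issued with the confirm
    page, and that JID is spent on first use."""
    if not sessions.consume_jid(user, request.get("jid")):
        return ("rejected", "missing, unknown or already-used JID")
    body = {k: v for k, v in request.items() if k != "jid"}
    return ("ok", ledger.post(user, body))


def replay_demo():
    """Submit the same fund-transfer request twice against both versions."""
    user = "cust-0001"  # constructed sample user
    request = {"to": "1234567890", "amount": "100.00", "type": "own"}  # constructed

    vuln = Ledger()
    transfer_vulnerable(vuln, user, request)
    transfer_vulnerable(vuln, user, request)

    sessions = SessionStore()
    fixed = Ledger()
    signed = dict(request, jid=sessions.issue_jid(user))
    first = transfer_protected(sessions, fixed, user, signed)
    second = transfer_protected(sessions, fixed, user, signed)
    return {
        "vulnerable_postings": len(vuln.postings),
        "protected_postings": len(fixed.postings),
        "first": first[0],
        "second": second[0],
    }


if __name__ == "__main__":
    print(replay_demo())
```

The lock around consume_jid matters: two copies of the same request arriving at the same moment must not both pass the check before either clears the JID, which is why the database version should be a single conditional UPDATE rather than a SELECT followed by a separate UPDATE.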

Internal Test Results_SCPID #6249_Pentest L7.docx (2.06 MB) Nurul Athira Abdul Rahim, July 29, 2022 15:05


Subtasks

Task #12982: [ANDROID] - Pentest - L7 - Packet Replay (Fund Transfer) | Status: User Acceptance Test | Assignee: Binti Marobi Athirah Umairah

Task #12983: [IOS] - Pentest - L7 - Packet Replay (Fund Transfer) | Status: Pending UAT Deployment | Assignee: Nurul Athira Abdul Rahim

Task #13098: Pass the JID data from Detail Resftful Response to Confir... | Status: User Acceptance Test | Assignee: Binti Marobi Athirah Umairah

History

#1 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

#2 Updated by Najmi Pasarudin about 2 years ago

  • Description updated (diff)

Hi Felix and Aina,

I updated Restful with JID using the user session in the database for online payment modules.
No changes to mobile code.
Please test:
  1. Own transfer
  2. Third party transfer
  3. Interbank transfer
  4. DuitNow transfer
  5. RENTAS transfer
  6. Bill payment
  7. Jompay
  8. Authorization for above modules

#3 Updated by Najmi Pasarudin about 2 years ago

  • Status changed from Development / Work In Progress to Internal Testing

#5 Updated by Nurul Athira Abdul Rahim about 2 years ago

  • Status changed from Internal Testing to System Integration Test

#6 Updated by Najmi Pasarudin about 2 years ago

  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

#7 Updated by Nurul Athira Abdul Rahim over 1 year ago

  • Status changed from System Integration Test to Pending UAT Deployment
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

Please deploy these fixes to UAT.

Thanks

#8 Updated by Najmi Pasarudin 4 months ago

  • Status changed from Pending UAT Deployment to Dropped-End of life cycle
