Task #12982

Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation

Task #12981: Pentest - L7 - Packet Replay (Fund Transfer)

[ANDROID] - Pentest - L7 - Packet Replay (Fund Transfer)

Added by Nurul Athira Abdul Rahim over 2 years ago. Updated over 1 year ago.

Status: User Acceptance Test
Start date: May 10, 2022
Priority: Normal
Due date:
Assignee: Binti Marobi Athirah Umairah
% Done: 100%
Category: PCI DSS - Pentest
Spent time: -
Target version: -

Description

During the assessment, the LGMS security team identified that packet replay of the fund transfer function is possible by reusing the captured HTTP request packet. As a result, a malicious user could perform duplicate transactions consecutively. It is also worth noting that packet replay may cause service interruption if a high volume of packets is triggered.

A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution.

Action Plan:
Add a JID feature to every transaction.

JIDheader.PNG (88.8 KB) Rahmat Aina Nadia, July 18, 2022 10:32

setJID.PNG (12.1 KB) Rahmat Aina Nadia, July 18, 2022 10:32

CaptureJID_example.PNG (42.3 KB) Rahmat Aina Nadia, July 29, 2022 15:03

History

#1 Updated by Najmi Pasarudin about 2 years ago

Hi Felix and Aina,

I updated Restful with JID using user session in database for Online payment modules.
No changes to mobile code.
Please test:
  1. Own transfer
  2. Third party transfer
  3. Interbank transfer
  4. DuitNow transfer
  5. RENTAS transfer
  6. Bill payment
  7. Jompay
  8. Authorization for above modules

#2 Updated by Rahmat Aina Nadia about 2 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

#3 Updated by Rahmat Aina Nadia about 2 years ago

  • Assignee changed from Rahmat Aina Nadia to MUHAMMAD IHSAN

#4 Updated by Rahmat Aina Nadia about 2 years ago

Ihsan is currently mapping the JID for the modules listed.

#5 Updated by MUHAMMAD IHSAN about 2 years ago

  • Status changed from Development / Work In Progress to Finished Development
  • % Done changed from 0 to 100

#6 Updated by MUHAMMAD IHSAN about 2 years ago

  • % Done changed from 100 to 90

#7 Updated by Rahmat Aina Nadia about 2 years ago

#8 Updated by Rahmat Aina Nadia about 2 years ago

Mobile sets the JID value from the confirm service response and sends the JID back in the header of the result service request for these modules.
- Own transfer
- Third party transfer
- Interbank transfer
- DuitNow transfer
- RENTAS transfer
- Bill payment
- Jompay
- authorization
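The remediation described in the action plan and in update #8 (a JID issued in the confirm response, returned by the client in the header of the result request, and tied to the user session on the server) can be modelled as a single-use token check. The following is an added example written for this page, not the project's own code; the names TransferService, confirm(), result() and the header name X-JID are assumptions, and the session id and transfer payload are constructed sample values.

```python
import secrets


class ReplayRejected(Exception):
    """Raised when a result request carries no valid, unused JID."""


class TransferService:
    # Hypothetical server-side service; the real RESTful service stores the JID
    # against the user session in the database, which the dict below stands in for.
    def __init__(self):
        self._pending = {}  # session_id -> (jid, confirmed payload); one pending per session
        self.ledger = []    # completed transfers (stands in for the core banking call)

    def confirm(self, session_id, payload):
        """Confirm step: issue a fresh random JID bound to this session and payload."""
        jid = secrets.token_urlsafe(16)
        self._pending[session_id] = (jid, dict(payload))
        return {"jid": jid, **payload}  # confirm response carries the JID to the client

    def result(self, session_id, headers, payload):
        """Result step: accept only if the presented JID matches the pending one, then consume it."""
        presented = headers.get("X-JID")
        entry = self._pending.get(session_id)
        if entry is None or presented is None:
            raise ReplayRejected("no pending confirmation for this session")
        jid, confirmed = entry
        if not secrets.compare_digest(jid, presented) or confirmed != payload:
            raise ReplayRejected("JID or payload does not match the confirmed transfer")
        del self._pending[session_id]  # single use: replaying the same packet now fails above
        self.ledger.append(payload)
        return {"status": "ok", "jid": jid}


def replay_demo():
    """Submit one transfer, then replay the identical result request; return (accepted, rejected)."""
    svc = TransferService()
    session = "sess-42"                                   # constructed session id
    payload = {"to": "1234567890", "amount": "100.00"}    # constructed request body
    resp = svc.confirm(session, payload)
    headers = {"X-JID": resp["jid"]}
    svc.result(session, headers, payload)  # first submission is accepted
    rejected = 0
    for _ in range(3):  # replay the captured result packet three times
        try:
            svc.result(session, headers, payload)
        except ReplayRejected:
            rejected += 1
    return len(svc.ledger), rejected
```

Binding the JID to the session and to the confirmed payload means a captured packet cannot be resubmitted, nor can its amount or beneficiary be altered between the confirm and result steps.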

#9 Updated by Rahmat Aina Nadia about 2 years ago

  • Status changed from Finished Development to Internal Testing
  • Assignee changed from MUHAMMAD IHSAN to Nurul Athira Abdul Rahim
  • % Done changed from 90 to 100

Hi Athira,

kindly refer to the link below for the latest SIT APK.

https://drive.google.com/file/d/1KWCE1pQTL6bqS6naPTCkSoXLSsp7zkfX/view?usp=sharing

#10 Updated by Binti Marobi Athirah Umairah about 2 years ago

  • Status changed from Internal Testing to System Integration Test

Tested & passed

#11 Updated by Rahmat Aina Nadia about 2 years ago

#12 Updated by Nurul Athira Abdul Rahim over 1 year ago

  • Status changed from System Integration Test to Pending UAT Deployment
  • Assignee changed from Nurul Athira Abdul Rahim to Rahmat Aina Nadia

Please deploy these fixes to UAT.

Thanks

#13 Updated by Rahmat Aina Nadia over 1 year ago

  • Status changed from Pending UAT Deployment to User Acceptance Test
  • Assignee changed from Rahmat Aina Nadia to Binti Marobi Athirah Umairah

Hi Umai,

kindly refer to the link below for the UAT APK. The APK link in the google sheet is also updated.

https://drive.google.com/file/d/1IaK9xpXygbTlXJWvJZZxvToz1U_Gamqi/view?usp=share_link
