Task #12983

Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation

Task #12981: Pentest - L7 - Packet Replay (Fund Transfer)

[IOS] - Pentest - L7 - Packet Replay (Fund Transfer)

Added by Nurul Athira Abdul Rahim over 2 years ago. Updated over 1 year ago.

Status: Pending UAT Deployment
Start date: July 08, 2022
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: PCI DSS - Pentest
Spent time: -
Target version: -

Description

During the assessment, the LGMS security team identified that packet replay of the fund transfer function is possible by reusing the HTTP request packet. As a result, it is possible for a malicious user to perform duplicate transactions consecutively. It is worth noting that packet replay may also cause service interruption if a high volume of packets is triggered.

A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution.

Action Plan:
Add a JID feature to every transaction

Receive JID value.png (224 KB) Bin Hamzah Muhammad Fadhly , July 18, 2022 12:38

Send JID Value.png (247 KB) Bin Hamzah Muhammad Fadhly , July 18, 2022 12:38


Subtasks

Task #13098: Pass the JID data from Detail Restful Response to Confir... (Status: User Acceptance Test; Assignee: Binti Marobi Athirah Umairah)

History

#1 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Subject changed from [ANDROID] - Pentest - L7 - Packet Replay (Fund Transfer) to [IOS] - Pentest - L7 - Packet Replay (Fund Transfer)

#2 Updated by Najmi Pasarudin about 2 years ago

Hi Felix and Aina,

I updated the Restful service with JID, using the user session in the database, for the online payment modules.
No changes to the mobile code.
Please test:
  1. Own transfer
  2. Third party transfer
  3. Interbank transfer
  4. DuitNow transfer
  5. RENTAS transfer
  6. Bill payment
  7. Jompay
  8. Authorization for above modules

#3 Updated by Susanto Felix Brilliant about 2 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

#4 Updated by Susanto Felix Brilliant about 2 years ago

  • Assignee changed from Susanto Felix Brilliant to Bin Hamzah Muhammad Fadhly

#5 Updated by Bin Hamzah Muhammad Fadhly about 2 years ago

  • Status changed from Development / Work In Progress to Finished Development

#6 Updated by Bin Hamzah Muhammad Fadhly about 2 years ago

Mobile receives JID value from Confirm's service response and sends back the JID value in Result's service request for checking. The features are done for these modules:
- Own transfer
- Third party transfer
- Interbank transfer
- DuitNow transfer
- RENTAS transfer
- Bill payment
- Loan payment
- Jompay
- Authorization (All 8 modules as above)
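
The Confirm/Result JID check described in this comment and in the Action Plan, as an added illustration (not the bank's RESTful or mobile code): the server issues a JID in the Confirm response, binds it to the user session in its store, and consumes it exactly once when the Result request arrives, so a replayed Result packet carrying the same JID is rejected before any transfer is executed. The in-memory store, the 300-second validity window and the session identifiers are assumptions made for this demo.

```python
import secrets
import threading
import time

# Constructed stand-in for the database table holding session-bound JIDs.
# A JID is issued once by Confirm and may be consumed once by Result.
JID_TTL_SECONDS = 300  # assumed validity window; not stated in the ticket

class TransferReplayGuard:
    def __init__(self, now=time.time):
        self._now = now
        self._lock = threading.Lock()
        self._jids = {}  # jid -> {"session": str, "issued": float, "used": bool}

    def confirm(self, session_id):
        """Confirm step: issue a fresh, unguessable JID bound to the session."""
        jid = secrets.token_urlsafe(24)
        with self._lock:
            self._jids[jid] = {"session": session_id, "issued": self._now(), "used": False}
        return jid

    def result(self, session_id, jid):
        """Result step: accept the transfer only if the JID is valid and unused.
        Returns (accepted, reason). Check and mark happen under one lock so two
        concurrent replays cannot both pass (a DB would use a conditional UPDATE)."""
        with self._lock:
            entry = self._jids.get(jid)
            if entry is None:
                return False, "unknown JID"
            if entry["session"] != session_id:
                return False, "JID not bound to this session"
            if self._now() - entry["issued"] > JID_TTL_SECONDS:
                return False, "JID expired"
            if entry["used"]:
                return False, "replayed JID"
            entry["used"] = True  # consume before any money moves
            return True, "accepted"

def demo():
    """Constructed exchange: a legitimate Result, the same packet replayed,
    and the JID presented from a different session."""
    guard = TransferReplayGuard()
    session = "sess-A"  # constructed session identifier
    jid = guard.confirm(session)
    results = [guard.result(session, jid), guard.result(session, jid)]
    results.append(guard.result("sess-B", jid))
    return results

if __name__ == "__main__":
    print(demo())
```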

#7 Updated by Bin Hamzah Muhammad Fadhly about 2 years ago

  • Status changed from Finished Development to Internal Testing
  • Assignee changed from Bin Hamzah Muhammad Fadhly to Nurul Athira Abdul Rahim

#8 Updated by Nurul Athira Abdul Rahim about 2 years ago

  • Status changed from Internal Testing to System Integration Test

Tested and passed by Mobile team.

#9 Updated by Nurul Athira Abdul Rahim over 1 year ago

  • Status changed from System Integration Test to Pending UAT Deployment
