Task #12983
Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation
Task #12981: Pentest - L7 - Packet Replay (Fund Transfer)
[IOS] - Pentest - L7 - Packet Replay (Fund Transfer)
| Status: | Pending UAT Deployment | Start date: | July 08, 2022 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Nurul Athira Abdul Rahim | % Done: | 100% |
| Category: | PCI DSS - Pentest | Spent time: | - |
| Target version: | - | | |
Description
During the assessment, the LGMS security team identified that packet replay of the fund transfer function is possible by reusing the captured HTTP request. As a result, a malicious user can perform duplicate transactions consecutively. It is also worth noting that replaying the request at high volume may cause service interruption.
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution.
Action Plan:
Add a JID check to every transaction: the server issues a JID in the Confirm step, the mobile client sends it back in the Result step, and the server validates it before executing the transfer.
Subtasks
History
#1 Updated by Nurul Athira Abdul Rahim over 2 years ago
- Subject changed from [ANDROID] - Pentest - L7 - Packet Replay (Fund Transfer) to [IOS] - Pentest - L7 - Packet Replay (Fund Transfer)
#2 Updated by Najmi Pasarudin about 2 years ago
Hi Felix and Aina,
I updated the Restful service with JID, using the user session in the database, for the online payment modules. No changes to the mobile code.
Please test:
- Own transfer
- Third party transfer
- Interbank transfer
- DuitNow transfer
- RENTAS transfer
- Bill payment
- Jompay
- Authorization for above modules
#3 Updated by Susanto Felix Brilliant about 2 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
#4 Updated by Susanto Felix Brilliant about 2 years ago
- Assignee changed from Susanto Felix Brilliant to Bin Hamzah Muhammad Fadhly
#5 Updated by Bin Hamzah Muhammad Fadhly about 2 years ago
- Status changed from Development / Work In Progress to Finished Development
#6 Updated by Bin Hamzah Muhammad Fadhly about 2 years ago
- File Receive JID value.png added
- File Send JID Value.png added
Mobile receives the JID value from the Confirm service's response and sends the JID value back in the Result service's request for checking. The feature is done for these modules:
- Own transfer
- Third party transfer
- Interbank transfer
- DuitNow transfer
- RENTAS transfer
- Bill payment
- Loan payment
- Jompay
- Authorization (All 8 modules as above)
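The Confirm/Result flow described in the action plan and in comment #6 only stops replay if the server side treats the JID as a single-use token that is bound to the session and to the confirmed transfer details, and if the check-and-consume step is atomic. The following is an added illustration of that server-side logic; it is not the project's code. The name `TransferService`, the in-memory store standing in for the database table, the request shape, the 256-bit random token and the five-minute validity window are all assumptions.

```python
"""Server-side replay protection with a one-time transaction token (the
ticket's "JID"). Constructed example, not the project's own code: the token
format, store layout, request shape and TTL are assumptions."""
from __future__ import annotations

import secrets
import threading
import time
from dataclasses import dataclass

JID_TTL_SECONDS = 300  # assumed validity window between Confirm and Result


@dataclass
class PendingTransfer:
    session_id: str
    amount: int          # minor currency units
    beneficiary: str
    issued_at: float
    used: bool = False


class TransferService:
    """Confirm issues a fresh JID bound to the user session and the transfer
    details; Result redeems it exactly once. Any other Result is rejected."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingTransfer] = {}   # stands in for the DB table
        self._lock = threading.Lock()                      # stands in for a conditional UPDATE
        self.ledger: list[tuple[str, int, str]] = []       # transfers actually executed

    def confirm(self, session_id: str, amount: int, beneficiary: str) -> str:
        # Unguessable and never sequential, so an attacker cannot forge a JID.
        jid = secrets.token_urlsafe(32)
        with self._lock:
            self._pending[jid] = PendingTransfer(session_id, amount, beneficiary, time.time())
        return jid

    def result(self, session_id: str, jid: str, amount: int, beneficiary: str) -> str:
        now = time.time()
        with self._lock:  # check and consume atomically: two replays must not both pass
            row = self._pending.get(jid)
            if row is None or row.used:
                return "REJECTED: unknown or already-used JID"
            if row.session_id != session_id:
                return "REJECTED: JID belongs to another session"
            if now - row.issued_at > JID_TTL_SECONDS:
                del self._pending[jid]
                return "REJECTED: JID expired"
            if (row.amount, row.beneficiary) != (amount, beneficiary):
                return "REJECTED: details differ from the confirmed transfer"
            row.used = True  # mark consumed before executing, so a replay cannot race the debit
        self.ledger.append((session_id, amount, beneficiary))
        return "OK"


def demo() -> dict:
    """Constructed traffic: one legitimate Confirm + Result, then the captured
    Result replayed, used from another session, and sent with a changed amount."""
    svc = TransferService()
    jid = svc.confirm("sess-A", 10_000, "1234567890")
    first = svc.result("sess-A", jid, 10_000, "1234567890")
    replay = svc.result("sess-A", jid, 10_000, "1234567890")      # the finding's attack
    stolen = svc.confirm("sess-A", 500, "1234567890")
    other_session = svc.result("sess-B", stolen, 500, "1234567890")
    jid2 = svc.confirm("sess-A", 2_000, "1234567890")
    tampered = svc.result("sess-A", jid2, 200_000, "1234567890")
    return {"first": first, "replay": replay, "other_session": other_session,
            "tampered": tampered, "executed": len(svc.ledger)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lock around the lookup-and-mark step is the part that matters most when the store is a real database: do the redemption as a single conditional statement (for example `UPDATE pending SET used = 1 WHERE jid = ? AND session_id = ? AND used = 0`) and proceed only if exactly one row was affected, otherwise two copies of the same Result request arriving within milliseconds can both read `used = 0` and both execute. Note also that replaying the Confirm request alone is harmless here, since it only mints a new unredeemed JID and moves no money.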
#7 Updated by Bin Hamzah Muhammad Fadhly about 2 years ago
- Status changed from Finished Development to Internal Testing
- Assignee changed from Bin Hamzah Muhammad Fadhly to Nurul Athira Abdul Rahim
#8 Updated by Nurul Athira Abdul Rahim about 2 years ago
- Status changed from Internal Testing to System Integration Test
Tested and passed by the Mobile team.
#9 Updated by Nurul Athira Abdul Rahim over 1 year ago
- Status changed from System Integration Test to Pending UAT Deployment