Task #12984

Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation

Pentest - L8 - Parameter Tampering (Generate PDF)

Added by Nurul Athira Abdul Rahim over 2 years ago. Updated over 1 year ago.

Status: User Acceptance Test
Start date: May 10, 2022
Priority: Normal
Due date:
Assignee: Binti Marobi Athirah Umairah
% Done: 90%
Category: PCI DSS - Pentest
Spent time: -
Target version: -

Description

At the time of assessment, the LGMS security team identified that it is possible to generate a PDF receipt with tampered values.

A parameter tampering attack is based on manipulating the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products. Usually this information is stored in cookies, hidden form fields, or URL query strings, and is used to extend application functionality and control.

This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or by an attacker who wishes to attack a third person using a man-in-the-middle attack.

The attack's success depends on errors in the application's integrity and logic validation mechanisms, and its exploitation can lead to further consequences including XSS, SQL injection, file inclusion, and path disclosure attacks.

Action Plan:
Generate receipt using transaction ID

Internal Test Results_SCPID #6249.docx (48.2 KB) Nurul Syahirah Md Nawi, June 16, 2022 14:18

History

#1 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

#2 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to Pending SIT Deployment
  • % Done changed from 0 to 90

#3 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Pending SIT Deployment to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

Issue:
Receipt PDF RESTful parameter can be modified

Finding:
Solution: Generate the PDF parameter at the middle service instead of using the RESTful parameter. It was fixed by Wen Hong but is not deployed on Production yet.

Test steps (mobile application):
  1. Access the mobile application
  2. Make a transaction, i.e. own account transfer
  3. At the result page, download the receipt
  4. Expected result: the receipt can be downloaded and the data is correct

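The remediation described in the action plan ("Generate receipt using transaction ID") and in comment #3 (generate the PDF data on the middle service rather than from the REST parameters), shown as an added Python example that is not the project's code. The ledger, account numbers, user names and the `render_pdf_text` stand-in for the real PDF generator are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class Transaction:
    txn_id: str
    owner: str        # user who performed the transfer
    from_acct: str
    to_acct: str
    amount: Decimal

# Constructed sample ledger standing in for the middle service's transaction store.
LEDGER = {
    "TXN-1001": Transaction("TXN-1001", "alice", "1111", "2222", Decimal("150.00")),
    "TXN-1002": Transaction("TXN-1002", "bob", "3333", "4444", Decimal("20.00")),
}

def render_pdf_text(txn_id, from_acct, to_acct, amount):
    # Stand-in for the real PDF generator: returns the receipt body as text.
    return f"Receipt {txn_id}: {from_acct} -> {to_acct} amount {amount}"

def receipt_before(params):
    # BEFORE (tamperable): every receipt field is taken from the REST request,
    # so whatever amount or account the client sends ends up on the receipt.
    return render_pdf_text(params["txn_id"], params["from"], params["to"], params["amount"])

def lookup_for_user(user, txn_id) -> Optional[Transaction]:
    # Server-side lookup: the record must exist AND belong to the calling user,
    # otherwise a valid ID of someone else's transfer would still yield a receipt.
    txn = LEDGER.get(txn_id)
    return txn if txn is not None and txn.owner == user else None

def receipt_after(user, params):
    # AFTER: the only client-controlled input is the transaction ID; every
    # value printed on the receipt comes from the server-side record.
    txn = lookup_for_user(user, params.get("txn_id", ""))
    if txn is None:
        raise PermissionError("transaction not found for this user")
    return render_pdf_text(txn.txn_id, txn.from_acct, txn.to_acct, txn.amount)

if __name__ == "__main__":
    tampered = {"txn_id": "TXN-1001", "from": "1111", "to": "2222", "amount": "999999.00"}
    print(receipt_before(tampered))           # inflated amount is accepted as-is
    print(receipt_after("alice", tampered))   # receipt shows the real 150.00
```

Passing the extra `from`/`to`/`amount` fields to `receipt_after` has no effect, which is the behaviour the test step 4 expects to see after deployment.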
#4 Updated by Nurul Syahirah Md Nawi over 2 years ago

Tested & passed

#5 Updated by Nurul Syahirah Md Nawi over 2 years ago

  • Status changed from Internal Testing to System Integration Test

#6 Updated by Nurul Athira Abdul Rahim over 1 year ago

  • Status changed from System Integration Test to Pending UAT Deployment

Please deploy these fixes to UAT.

Thanks

#7 Updated by Norhaidah Md Dasuki over 1 year ago

  • Status changed from Pending UAT Deployment to User Acceptance Test
  • Assignee changed from Nurul Syahirah Md Nawi to Binti Marobi Athirah Umairah
