Task #12985

Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation

[SCP ID :##6249##] : Mobile Pentest Remediation - Pentest - L9 - DuitNow Recipient Name Enumeration

Added by Nurul Athira Abdul Rahim over 2 years ago. Updated over 1 year ago.

Status: Internal Testing
Start date: May 11, 2022
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 90%
Category: PCI DSS - Pentest
Spent time: -
Target version: -

Description

DuitNow fund transfers look up the DuitNow ID and display the recipient's full name so that the sender can verify and confirm the intended recipient of the transaction. At the time of assessment, the application does not limit the number of DuitNow ID lookups, which allows malicious users to enumerate and identify recipient names without performing an actual fund transfer.

Action Plan:
To update middle service - Add DuitNow validation parameter.

img01.png (186 KB) Najmi Pasarudin, July 05, 2022 08:48

img02.png (110 KB) Najmi Pasarudin, July 05, 2022 08:48

img03.png (110 KB) Najmi Pasarudin, July 05, 2022 08:48

img04.png (112 KB) Najmi Pasarudin, July 05, 2022 08:48

Internal Test Results_SCPID #6249_Pentest_L9 - DuitNow Recipient Name Enumeration.docx (2.18 MB) Binti Marobi Athirah Umairah, March 29, 2023 15:24

History

#1 Updated by Najmi Pasarudin about 2 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

#2 Updated by Najmi Pasarudin about 2 years ago

  • % Done changed from 0 to 50

#3 Updated by Najmi Pasarudin about 2 years ago

#4 Updated by Najmi Pasarudin about 2 years ago

  • Status changed from Development / Work In Progress to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
  • % Done changed from 50 to 90

Hi Athira,
Please assign mobile testing to Aina and Felix.

Issue:
DuitNow confirm always shows the Account Holder Name from the DuitNow host. Pentest requested to limit the host enquiry.

Solution:
Add a DuitNow host enquiry limit of 3 times. It will reset after the DuitNow result or the Login page.

Test steps:
  1. Access BSNeBiz DuitNow module.
  2. Set Public Bank with account number 5000040430. Can use other valid accounts.
  3. Set Beneficiary Name. Refer img01.png.
  4. Click Next. Confirm page shows Account Holder Name and Beneficiary Name from DuitNow host. Refer img02.png. This is 1st host request.
  5. Click Back. Details page shows Beneficiary Name from DuitNow host. Edit it for testing. Refer img03.png.
  6. Click Next. Confirm page shows Account Holder Name and Beneficiary Name from DuitNow host. Refer img02.png. This is 2nd host request.
  7. Click Back. Details page shows Beneficiary Name from DuitNow host. Edit it for testing. Refer img03.png.
  8. Click Next. Confirm page shows Account Holder Name and Beneficiary Name from DuitNow host. Refer img02.png. This is 3rd host request.
  9. Click Back. Details page shows Beneficiary Name from DuitNow host. Edit it for testing. Refer img03.png.
  10. Click Next. Confirm page shows Account Holder Name and Beneficiary Name from Details page. Refer img04.png. This is 4th host request.
  11. Click Confirm on the Confirm page to go to Result page.
  12. Click Make Another Transfer and make another DuitNow transfer.
  13. The host limit should reset and the next confirm page should be like step 4.
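The session-scoped lookup limit described in the solution and test steps above, written out as an added Python illustration (not BSNeBiz or middle-service code). It assumes a per-session counter in the middle service, a stand-in `DuitNowHost` for the real host enquiry, and a constructed account directory; the fall-back to the Details-page name on the 4th attempt and the reset on Result/Login follow the ticket.

```python
from dataclasses import dataclass

HOST_ENQUIRY_LIMIT = 3  # ticket: "Add DuitNow host enquiry limit to 3 times"


@dataclass
class TransferSession:
    """Per-session counter kept by the middle service (hypothetical structure)."""
    host_enquiries: int = 0
    throttled: int = 0  # lookups refused; worth logging for abuse detection

    def reset(self) -> None:
        """Ticket: the limit resets after the DuitNow result or the Login page."""
        self.host_enquiries = 0


class DuitNowHost:
    """Stand-in for the DuitNow host; counts how often it is really queried."""
    def __init__(self, directory: dict[str, str]) -> None:
        self.directory = directory
        self.calls = 0

    def lookup(self, duitnow_id: str) -> str:
        self.calls += 1
        return self.directory.get(duitnow_id, "")


def confirm_page(session: TransferSession, host: DuitNowHost,
                 duitnow_id: str, entered_name: str) -> tuple[str, str]:
    """Return (name shown on the Confirm page, its source).
    Under the limit the name comes from the host; once the 3 enquiries are
    spent, the page shows the user-typed Details name and the host is skipped.
    """
    if session.host_enquiries >= HOST_ENQUIRY_LIMIT:
        session.throttled += 1
        return entered_name, "details"
    session.host_enquiries += 1
    return host.lookup(duitnow_id), "host"


def run_test_steps() -> list[str]:
    """Replays steps 4-13 of the ticket; returns the source of each name shown."""
    host = DuitNowHost({"5000040430": "SAMPLE ACCOUNT HOLDER"})  # constructed data
    session = TransferSession()
    sources = [confirm_page(session, host, "5000040430", f"Edited {i}")[1]
               for i in range(4)]          # steps 4, 6, 8, 10
    session.reset()                        # steps 11-12: Result page, new transfer
    sources.append(confirm_page(session, host, "5000040430", "Edited")[1])  # step 13
    return sources
```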

#5 Updated by Nurul Athira Abdul Rahim about 2 years ago

Pending testing, DuitNow host problem: error 500.

#6 Updated by Nurul Athira Abdul Rahim over 1 year ago

Pending testing, RPP host error u171 - online authorization exception.

#7 Updated by Najmi Pasarudin over 1 year ago

  • Subject changed from Pentest - L9 - DuitNow Recipient Name Enumeration to [SCP ID :##6249##] : Mobile Pentest Remediation - Pentest - L9 - DuitNow Recipient Name Enumeration
