Tuesday, October 17, 2017

FinTech, Mobile Applications and Vulnerabilities

Reverse Engineering: Applications published on Google Play or the Apple App Store can be reverse engineered by malicious users, who can then create look-alike applications. Companies can lose their intellectual property this way.
Insecure Data Storage: FinTech applications store sensitive data such as personally identifiable information (PII), card data (PCI), health information etc. Sensitive personal information stored on the device should be encrypted.
SSL Pinning bypass: SSL Pinning will
One Time Password: OTP is used as a second level of authentication.
OTP Spamming: OTP spamming is calling an API/URL that generates an OTP while supplying the victim's phone number instead of the requester's own. If there is no proper validation, an attacker can send many OTP SMS messages to the victim's phone.
OTP Bypass:
- Modifying checks: OTP validation can be bypassed by modifying checks in the request payload or URI parameters
- Bypassing SS7
- Malicious mobile apps sniffing OTPs
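The defences the two OTP items above imply, as an added example that is not code from the original post: the generation endpoint is rate-limited per phone number (against OTP spamming), and the verify endpoint decides purely from server-side state, ignoring any client-supplied "verified" field in the payload (against bypass by modifying checks). The class name, limits and phone numbers are assumptions constructed for the example.

```python
import hmac
import secrets
import time
from collections import defaultdict

OTP_TTL = 300            # seconds an issued OTP stays valid (assumed policy)
MAX_VERIFY_ATTEMPTS = 5  # wrong guesses before the OTP is discarded
MAX_SENDS_PER_HOUR = 3   # OTPs that may be sent to one number per hour


class OtpService:
    """Server-side OTP state; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self._codes = {}                  # phone -> [code, issued_at, attempts]
        self._sends = defaultdict(list)   # phone -> timestamps of issued OTPs

    def request_otp(self, phone):
        """Issue an OTP for `phone`, or return None when the per-number quota is spent."""
        t = self.now()
        recent = [s for s in self._sends[phone] if t - s < 3600]
        self._sends[phone] = recent
        if len(recent) >= MAX_SENDS_PER_HOUR:
            return None                   # OTP spamming attempt: refuse to send
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[phone] = [code, t, 0]
        recent.append(t)
        return code   # hand to the SMS gateway only; never echo it in the API response

    def verify_otp(self, phone, submitted):
        """True only for the unexpired, unused code issued to `phone`."""
        t = self.now()
        entry = self._codes.get(phone)
        if entry is None:
            return False
        code, issued, attempts = entry
        if t - issued > OTP_TTL or attempts >= MAX_VERIFY_ATTEMPTS:
            del self._codes[phone]        # expired or brute-forced: discard
            return False
        entry[2] += 1
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._codes[phone]        # single use
            return True
        return False


def handle_verify_request(service, payload):
    """API handler: the outcome comes from server state only. A client-controlled
    field such as payload['verified'] or payload['otp_ok'] is never consulted."""
    return service.verify_otp(payload.get("phone", ""), payload.get("otp", ""))
```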

All OWASP Top 10 or SANS Top 25 Vulnerabilities will be applicable.
- Cross Site Scripting (XSS): If input values from the user are not validated, this might lead to JavaScript execution vulnerabilities, which in turn might lead to cookie theft, redirection to malicious websites, DDoS attacks on other sites etc.
- SQL Injection: Improper input validation might lead to SQL Injection.
- Privilege Escalation: If authorization is not enforced properly, one user can access other users' data.
- Authentication bypass
  - SQL Injection
  - Session ID guessing
  - Cookie values
- Command Execution: Improper input validation might lead to OS command execution
- Serialization/Deserialization: Data interpreted as code because of improper validation. This might lead to code execution in Java, PHP or Python applications
- WAF Bypass
- Rate-limiting issues
  - Important APIs
  - Forgot/Reset Password
  - Login page
  - Other important/sensitive APIs
- XXE (XML External Entity) Attack
- SSRF (Server Side Request Forgery)
- JSON Injection
- DoS/DDoS (Layer 3, Layer 4 and Layer 7 attacks)

- Public S3 buckets: The files in them can be read by anyone
- Public EBS Volumes: Might have sensitive information like SSH Keys, Server Keys, passwords etc.
- No Multi Factor Authentication (MFA, 2FA) to AWS
- Root logins
- Token Disclosure

Cryptocurrency-based exploitation in the future
Sub-domain takeover
Vulnerabilities in protocols

Vulnerabilities in Hardware