Tuesday, October 17, 2017

FinTech, Mobile Applications and Vulnerabilities

MOBILE APPLICATION VULNERABILITIES
Reverse Engineering: Applications published on Google Play or the Apple App Store can be reverse engineered by malicious users, who can then create similar applications. Companies can lose their intellectual property.
Insecure Data Storage: FinTech-related applications save sensitive data like personally identifiable information (PII), card data (PCI), health information, etc. Sensitive personal information saved on the mobile device should be encrypted.
SSL Pinning bypass: SSL Pinning will
One Time Password: OTP is used as a second level of authentication.
OTP Spamming: OTP spamming is requesting the API/URL that generates an OTP while spoofing the mobile number to the victim's phone number. If there is no proper validation, an attacker can send many OTP SMS messages to the victim's phone.
OTP Bypass:
- Modifying checks: OTP validation can be bypassed by modifying checks in the request payload or URI parameters
- Bypassing SS7
- Malicious mobile apps sniffing OTPs
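The following is an added example, not code from the original post: a server-side OTP service that addresses the two OTP problems listed above. Sends are rate limited per phone number, so a request carrying a victim's number cannot flood that phone with SMS, and verification consults only the server's own record, so an altered check or flag in the request payload changes nothing. The class and method names (OtpService, _send_sms) are hypothetical and the SMS gateway is a stub.

```python
# Added example (not from the original post). Rate limiting per phone blocks
# OTP spamming; verify() trusts only the server-side record, never the client.
# Names are hypothetical; _send_sms is a stub standing in for the SMS provider.
import hmac
import secrets
import time
from collections import defaultdict

OTP_TTL = 300            # seconds an issued OTP stays valid
SEND_WINDOW = 3600       # seconds over which sends per phone are counted
MAX_SENDS_PER_WINDOW = 3 # OTP SMS allowed per phone in that window
MAX_ATTEMPTS = 5         # wrong guesses before the OTP is discarded


class OtpService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}               # phone -> [otp, expires_at, attempts]
        self.sends = defaultdict(list)  # phone -> timestamps of recent sends
        self.outbox = []                # stub SMS gateway: (phone, text)

    def _send_sms(self, phone, text):
        self.outbox.append((phone, text))   # real deployments call the SMS provider here

    def request_otp(self, phone: str) -> bool:
        """Issue a new OTP unless this phone is already at its send limit."""
        now = self.clock()
        recent = [t for t in self.sends[phone] if now - t < SEND_WINDOW]
        if len(recent) >= MAX_SENDS_PER_WINDOW:
            return False                    # refuse: protects the target phone
        self.sends[phone] = recent + [now]
        otp = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self.pending[phone] = [otp, now + OTP_TTL, 0]
        self._send_sms(phone, f"Your code is {otp}")
        return True

    def verify(self, phone: str, submitted: str) -> bool:
        """Only the stored OTP decides; no client-supplied flag is consulted."""
        entry = self.pending.get(phone)
        if entry is None:
            return False
        otp, expires_at, attempts = entry
        if self.clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[phone]         # expired or brute-forced: discard
            return False
        entry[2] += 1
        if hmac.compare_digest(otp.encode(), submitted.encode()):
            del self.pending[phone]         # single use
            return True
        return False
```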

WEB APPLICATION VULNERABILITIES
All OWASP Top 10 or SANS Top 25 vulnerabilities are applicable.
- Cross Site Scripting (XSS): If input values from the user are not validated, it might lead to JavaScript execution vulnerabilities, which in turn can lead to cookie theft, redirection to malicious websites, DDoS attacks on other sites, etc.
- SQL Injection: Improper input validation might lead to SQL Injection.
- Privilege Escalation: If authorization is not enforced properly, one user can access other users' data.
- Authentication bypass
  - SQL Injection
  - Session ID guessing
  - Cookie values
- Command Execution: Improper input validation might lead to OS command execution
- Serialization/Deserialization: Data interpreted as code because of improper validation. This might lead to code execution in Java, PHP, Python
- CSRF
- WAF Bypass
- Rate limiting issues
  - Important APIs
  - Forgot/Reset Password
  - Login page
  - Other important/sensitive APIs
- XXE (XML External Entity) Attack
- SSRF (Server Side Request Forgery)
- JSON Injection
- DoS/DDoS (Layer 3, Layer 4 and Layer 7 attacks)

AWS INFRA
- Public S3 buckets: the files they contain are readable by anyone
- Public EBS Volumes: Might have sensitive information like SSH keys, server keys, passwords, etc.
- No Multi Factor Authentication (MFA, 2FA) to AWS
- Root logins
- Token Disclosure
  - Slack
  - Git
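Added example, not from the original post: two offline checks that flag the public S3 bucket problem listed above, one over a bucket ACL and one over a bucket policy. The dict and JSON shapes are those returned by boto3's get_bucket_acl and get_bucket_policy; the sample ACL, policy, bucket name and account id are constructed.

```python
# Added example (not from the original post): flag public S3 buckets from an
# ACL dict and a bucket policy document. Sample inputs below are constructed.
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl: dict) -> list:
    """Return (group URI, permission) for every ACL grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"], grant["Permission"]))
    return hits

def _wildcard_principal(principal) -> bool:
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_policy_statements(policy_json: str) -> list:
    """Return Sids of Allow statements open to any principal with no Condition.
    Statements that carry a Condition are not flagged and need manual review."""
    hits = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _wildcard_principal(stmt.get("Principal"))
                and "Condition" not in stmt):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

# Constructed sample: an ACL granting world read, and a policy whose first
# statement lets any principal read objects while the second is scoped to a role.
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "CiOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```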

MISCELLANEOUS
Cryptocurrency-based exploitation in future
Sub-domain takeover
Vulnerabilities in protocols
Vulnerabilities in Hardware
