Website pentest for a bank

Use case

Securing your financial information

Ukatemi Technologies

09/23/2021

Background

Banking applications nowadays offer far more than the ordinary use cases. These features aim to make banking easier, more customer-friendly and less time-consuming; the feature set is already wide (portfolio management, currency exchange, bill payment, etc.), yet there is always demand for more. Banks try to meet customer demand as far as possible while also attending to the security of the application; however, under strict deadlines security can become a low-priority task. During this project we worked for one of the biggest banks in Hungary (250 000+ customers). We were tasked with testing the security of their new banking application and its whole feature set.

 

Potential losses

Financial information is among the most valuable and sensitive types of data. If it falls into the wrong hands it can cause the collapse of companies, and even if only a few users of the application are affected, the consequences are still severe. These applications have to avoid vulnerabilities at all costs; however, pressure from customers and user-experience requirements shift the focus from security to developing new features while maintaining usability.

 

Our solution

We carried out a penetration test of the entire application, starting with black-box testing and then moving to a gray-box approach to cover more sophisticated cases. We walked through the application's functionality, focusing on identifying user inputs, mapping execution paths and monitoring reflected inputs. During the test we found critical vulnerabilities that could be used to take control of an arbitrary bank account (money transfer, limit modification, rendering the application unusable). Within a single week we identified these vulnerabilities, reported them to the customer and recommended fixes to mitigate them.
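"Monitoring reflected inputs" in practice means tagging every parameter with a unique canary and checking where, and in what encoding, it comes back in the response. The script below is an added illustration of that step and is not Ukatemi's tooling or anything from the engagement described above; `mock_app` is a constructed stand-in for a web endpoint (it echoes `q` unencoded, HTML-encodes `name` and never echoes `account`), and the parameter names are assumptions chosen for the example.

```python
import html
import secrets
from typing import Callable, Dict

Sender = Callable[[Dict[str, str]], str]  # takes request params, returns the response body


def make_canary(name: str) -> str:
    """Unique marker per parameter. The trailing <'"> characters reveal whether a
    reflection is raw, HTML-encoded, or otherwise transformed."""
    return f"uk{secrets.token_hex(3)}{name}<'\">"


def probe_reflections(send: Sender, baseline: Dict[str, str]) -> Dict[str, str]:
    """Send one request per parameter with that parameter replaced by a canary and
    classify how the canary shows up in the response body."""
    results: Dict[str, str] = {}
    for name in baseline:
        canary = make_canary(name)
        params = dict(baseline)
        params[name] = canary
        body = send(params)
        marker = canary.split("<")[0]  # the part of the canary with no special characters
        if canary in body:
            results[name] = "reflected-raw"          # special chars survive: injection candidate
        elif html.escape(canary, quote=True) in body:
            results[name] = "reflected-escaped"      # encoded on output as expected
        elif marker in body:
            results[name] = "reflected-transformed"  # reflected, but altered in some other way
        else:
            results[name] = "not-reflected"
    return results


def mock_app(params: Dict[str, str]) -> str:
    """Constructed stand-in for the target endpoint (not a real application)."""
    return (
        f"<h1>Results for {params.get('q', '')}</h1>"
        f"<p>Hello, {html.escape(params.get('name', ''), quote=True)}</p>"
        "<p>Account: ***</p>"
    )


if __name__ == "__main__":
    for param, verdict in probe_reflections(mock_app, {"q": "x", "name": "y", "account": "1"}).items():
        print(f"{param}: {verdict}")
```

Against a real target, `send` would wrap an HTTP client and the baseline would be the parameters recorded while walking through the application; parameters classified as `reflected-raw` are the ones worth manual follow-up, while `reflected-transformed` points at filtering or normalisation that needs to be understood before drawing any conclusion.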