
Security audit in the Bank

The goal of the project was to verify whether an attacker could penetrate the bank's internal network from the outside. The project was conducted in a black-box manner: no access or credentials were provided by the customer. Our pentesters used up-to-date, real-world techniques to penetrate the customer's network.


Some of the security issues that were found:

  • Verbose error messages in the internet banking application. The detailed errors made it easier to exploit a Spring Expression Language (SpEL) injection that resulted in remote code execution.
  • Remote code execution due to an unpatched version of the Spring Framework.
  • Insecure direct object reference to client account payment details (the details used to conduct a wire transfer). Although wire payment details are public by nature, enumerating the references made it possible to identify all of the bank's clients.
  • Know your customer (KYC) routine abuse. The client's phone number was verified by an SMS code, but no brute-force protection was implemented, so it was possible to guess the correct SMS verification code and link the phone number to the customer account.
  • Use of weak TLS cipher suites, in violation of PCI DSS requirements.