Common Security Issues in Financially-Oriented Web Applications
Today it is often hard to find individuals who have not purchased something online or used online financial services. Online services offer ease of use and provide other value-add properties such as loyalty card schemes to attract and retain customers, thus ensuring market competiveness. Creating new online commercial services is imperative for most organisations, but has to be done in a safe and secure manner to meet client, regulatory, and legal expectations. E-commerce applications, due to
the value of the products and services they offer, are valuable targets for threat actors who are looking for financial gain or wish to damage a company’s brand or reputation.
Despite every attempt to remain secure, financial services make up 35% of all data breaches, earning it the unfortunate title of the most-breached sector. These events remind both business leaders and consumers of the tenuous nature of cyber security. Are you prepared to face these top cyber security threats to financial services?
In 2015, NCC Group released document summarised their experience of assessing e-commerce and financial services applications, providing a checklist of common security issues seen in financial services web
The whitepaper discusses the commonly-seen security issues that NCC Group has found over the last fifteen years of performing security assessments of real e-commerce and financial service web applications. The resulting checklist can be used as an additional tool for penetration testers when assessing e-commerce applications. They are:
- Time-of-Check-Time-of-Use (TOCTOU) and Race Condition Issues
- Parameter Manipulation
- Replay Attacks (Capture-Replay)
- Rounding Errors
- Numerical Processing
- Card Number-Related Issues
- Dynamic Prices, Prices with Tolerance, or Referral Schemes
- Discount Codes, Vouchers, Offers, Reward Points, and Gift Cards
- Cryptography Issues
- Downloadable and Virtual Goods
- Hidden and Insecure Backend APIs
- Using Test Data in Production Environment
- Currency Arbitrage in Deposit/Buy and Withdrawal/Refund
These attack methods can also be used against other similar applications such as betting and gambling applications, or other financial services platforms.
In addition to the items which were discussed in this research, web applications should also be tested for common vulnerabilities to ensure comprehensive coverage. Organisations such as OWASP provide good advice on what to cover, and how to gain this coverage.
It is clear that while there are common factors in all web applications, understanding the supporting business process and thus specific threats is imperative in order to tease out certain vulnerabilities. It is for this reason that today humans can provide a more complete picture than automated tooling alone. In the future we can expect approaches such as expert systems to go some way to make up this ground, however today certain vulnerability classes, and thus threats, can only reliably be discovered by humans and manual tests within dynamic application environments.
For more information about the document, please download here.