Must Know Business Logic Vulnerabilities In Banking Applications

Over the last few years, our On-Demand and Hybrid Penetration Testing platform has performed security testing of applications across various verticals and domains including Banking, e-commerce, Manufacturing, Enterprise Applications, Gaming and so on. On one side, SQL Injection, XSS and CSRF vulnerabilities are still the top classes of vulnerabilities found by our automated scanning system, on the other hand however, there are a lot of business logic vulnerabilities that are often found by our security experts powered by a comprehensive knowledge base.

A business logic vulnerability is defined as security weakness or bug in the functional or design aspect of the application. Because the security weakness or bug is in the function or design, it is often missed by all existing automated web application scanners.

In this blog we are sharing the top commonly found Business Logic Vulnerabilities in the Virtual Credit Creation (VCC) module of a Banking Application.

Consider the following scenario: A Banking Application provides web based functionality to users to pay Bills Online as well as to create and manage Virtual Credit Cards. Virtual Credit cards are used to shop online. A Virtual Credit Card creation use case involves the following steps: 1.User visits banking application. 2.User opts to create virtual credit card. 3.User fills up personal details, required amount, expiry date of VCC etc. 4.User chooses a payment gateway. 5.User fills up credit / debit card details. 6.Banking Application redirects user to a Payment Gateway. 7.Required amount + Service Charge are debited from user’s Debit / Credit card. 8.Payment Gateway redirects user to a Callback URL provided by the Banking Application. 9.Banking Application verifies the Payment Gateway confirmation. 10.Banking Application generates a CVV number. 11.Banking Application presents VCC details to the user. 12.Banking application performs SMS verification of the user.

A couple of security weaknesses that are found in the above scenario are as follows:

TAMPERING OF DATA COMMUNICATION BETWEEN PAYMENT GATEWAY AND BANKING APPLICATION: Weaknesses: The Banking application does not verify whether the required amount is successfully paid at the Payment Gateway Side, or what amount is being paid at the Payment Gateway Side. As a result, a virtual card can be recharged with higher amount while paying a lower amount to the bank by modifying amount when the request is sent from payment gateway to the bank.

Mitigation: There should be sufficient validations between the Banking application and the payment gateway. The callback URL should not be allowed to be directly controlled by an attacker.

NO VALIDATION ON BANKING APPLICATION’S CALLBACK URL Weakness: There is lack of validation on the Banking Application Side when the Payment Gateway redirects a user to the Banking Application’s callback URL. As a result, a virtual credit card can be created without paying any service charges, by sending the request directly to the callback URL of Payment Gateway.

Mitigation: There should be enough validations on the callback URL including whether the URL is redirected by the Payment Gateway or directly called by an attacker.

VIRTUAL CREDIT NUMBER IS PREDICTABLE Weakness: Generated Virtual Credit card numbers are predictable or follow certain patterns. As a result, an attacker can predict what virtual credit card numbers are being used by other legitimate users.

Mitigation: Virtual Credit Card numbers should be sufficiently random.

NO ANTI-AUTOMATION IN VIRTUAL CREDIT CARD DETAILS VERIFICATION Weakness: There is no anti-automation (e.g. CAPTCHA) while verifying the Virtual Credit Card details such as CVV number and expiry date. The Credit Card number is sufficiently long however, the CVV number is generally a 3 digit number and expiry date is also a 2 digit number. As a result, it is possible to bruteforce the CVV number and expiry date, and shop online using a stolen virtual credit card number.

Mitigation: There should be sufficient anti-automation e.g. CAPTCHA while verifying the CVV numbers along with the Credit Card Number.

NO ANTI-AUTOMATION IN CARD CREATION PROCESS Weakness: There is no anti-automation while creating a virtual credit card. An attacker can use automated scripts to exhaust credit card numbers. As a result, Credit Card Numbers can be exhausted and be therefore made unavailable to users leading to a Denial of Service (DoS) attack. It can also lead to other attacks including Credit Card Number pattern prediction.

Mitigation: There should be sufficient anti-automation e.g. CAPTCHA while creating virtual credit card numbers

What is Virtual Credit Card

A Virtual Credit card is a Prepaid Credit card which enables you to use the online shopping facility in a very easy manner without giving out your private Credit card details with any of the websites offering different stuffs. There are many requirements to get a Credit card in Asian countries like you should have a bank account having a good Cash and if you are a Government employee then only you can apply for a Credit card.

Benefits of Virtual Credit Card

If you are an Asian then this Virtual Credit card enables you to send Funds to various people of the world. Its works as a VISA Card that means you can use it anywhere where in the world where VISA card can be used. This is a virtual credit card so stop bother about its condition and protection. A Virtual Credit card helps you to use the online shopping facility without giving out your credit card details with the shopping websites. You can control the balance on your card.

Why there is a need of Virtual Credit Card

In the today’s century the use of working online is emerging like a rising sun. People all over the world like to work online. Students are doing there all work online but due to some restriction from the online Bank i.e. PayPal. PayPal account holders from Asian countries like India, Pakistan, Nepal, SriLanka are not be able to send money from their PayPal account to other people.

Sometimes while working online you need to send the funds to other person then you need a Virtual Credit card to send Funds. But for a student getting a Virtual Credit card is really a tough work as they are not having monthly salary nor they are having more cash in their accounts. Now what will be the solution for this problem? Credit card is the only way for this problem. You just need Virtual Credit card and use it online for your daily routine or shopping like a real Credit card or a VISA card. A virtual credit card is a credit card that does not originally present. You have particular credit card number, an expired date and a 3 digit CVV code. You do not have a bit of plastic that you can give to a store mercantile.

Enjoy your shopping using Virtual Credit Card, VCC & Facebook VCC.

We are leading service provider for the Virtual Credit Card and Facebook VCC. You can use it at website such as Amazone ,Facebook and etc.