Internet banking web application penetration testing.....


8a8a

May 25, 2011, 4:11:29 PM
to null-...@googlegroups.com
Hi all,

I am working on internet banking web application pen-testing, which uses Flexcube at the back end.
Couldn't find any common web vulnerabilities/problems.
Wondering if there are any resources/links/case studies for this kind of application/environment which could be helpful. Not much help from Google.


41 w4r10r

May 26, 2011, 12:39:48 AM
to null-...@googlegroups.com
Flex is an Adobe technology which uses a fair amount of Flash scripting, so you might get help from articles available around the web under the name "Flash Parameter Injection vulnerability", and try those.

--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
 
This list is supported by Institute of Information Security http://iisecurity.in
Learn information security at your own pace – eLearning programs at http://elearning.iisecurity.in

Dhanesh k

May 26, 2011, 12:58:30 AM
to null-...@googlegroups.com
Ahem... err... Flexcube is a banking product by iFlex, which was acquired by Oracle. If I am not mistaken.

Regards,
Dan

Manjunath N.G

May 26, 2011, 1:00:41 AM
to null-...@googlegroups.com

Kishor Sonawane

May 26, 2011, 1:01:31 AM
to null-...@googlegroups.com
Can you confirm if it's Flexcube or Flex?

Because these are quite different from each other.

Regards,



On Thu, May 26, 2011 at 10:09 AM, 41 w4r10r <41.w...@gmail.com> wrote:

TAS

May 26, 2011, 1:13:16 AM
to null-...@googlegroups.com
Pretty much. FlexCube is a core banking suite made by Oracle (formerly iFlex).
http://en.wikipedia.org/wiki/Oracle_Financial_Services_Software

BTW, it is a closed source app; you won't find any documented vulnerabilities in the internet domain. At least not any significant ones.

Some early responses created the confusion.

-
TAS
http://twitter.com/p0wnsauc3

41 w4r10r

May 26, 2011, 1:19:07 AM
to null-...@googlegroups.com
Oops, my bad, I thought it was Flex only... :P

Sorry for any confusion

8a8a

May 26, 2011, 1:27:20 AM
to null-...@googlegroups.com
This is what I see in the response from the server....

> This source is part of the FLEXCUBE@ Java App Server Software System a

Below are the POST parameters it uses while sending the data to the server, very common in most online internet banking sites.

fldUserId=xxxx&fldPasswd=xxxx&fldAppId=xxx&fldTxnId=xxxx&fldScrnSeqNbr=xxx

Kishor Sonawane

May 26, 2011, 2:01:04 AM
to null-...@googlegroups.com
Hey, it is FlexCube, the core banking application product from iFlex, which has now become Oracle's product.

My experience with the FlexCube app says you can find some vulnerabilities. But yes, try hard :)

You may not get much help on the internet, but treat it as a normal web app and carry on.

I would say you can concentrate on Business Logic vulnerabilities more.

Are you testing only the web app part, or is client-server also there? If yes, let me know.

Regards,
Keyshor

8a8a

May 26, 2011, 3:02:30 AM
to null-...@googlegroups.com
Web-App only...

Kishor Sonawane

May 26, 2011, 3:24:39 AM
to null-...@googlegroups.com
Apart from business logic vulnerabilities, you can try for common vulnerabilities (OWASP Top Ten categories).

Check for error handling, which may lead you to other vulnerabilities. Session/cookie handling, etc.

Regards,
Keyshor

8a8a

May 26, 2011, 3:31:58 AM
to null-...@googlegroups.com
Thanks but no thanks...  :-).

TAS

May 26, 2011, 4:04:09 AM
to null-...@googlegroups.com
This brings me to the point: assuming he finds a serious vulnerability (not related to the business logic) in the part of the application he is testing, is he allowed to make a responsible disclosure on the internet? Usually, such applications are not readily available on the internet for one to download and use (or test). Or is it that the vendor maintains a bug-tracker-type list for the end users to keep track of patches that are released for fixing the web app issues?

Like Infosys has Finacle, which is similar to Flexcube.

-
TAS
http://twitter.com/p0wnsauc3
