Adjustments and waivers application – Security Testing Handbook for Banking Applications

4: Security Testing Repository
141
o Check if a user can view sensitive reports using
parameter manipulation.
o Check if privileged data can be accessed without
logging into the application.
o Check if sensitive reports are visible in the browser
cache/history.
Adjustments and waivers application
The funds adjustments and waivers application is a niche
application that banks use to record, manage and analyse
adjustments and waivers. Before we look at its features, let's
set the background.
Banks provide many services to transfer funds from one
customer to another. The transactions can be electronic –
such as Internet and mobile banking, ATM traffic, phone
banking – or could be a customer visiting a branch to
withdraw or deposit funds into their account where a teller
assists them. The customers could be retail or corporate
customers.
There are times when the bank, for whatever reason,
accidentally credits more money to a customer account
while performing a transaction. The error is noticed at a
later date, either by a bank employee or by the customer.
When a bank employee detects it, the bank contacts the
customer and asks for the extra funds to be adjusted or
waived. When the customer detects it, they might approach
the bank to waive the extra funds. That is one example of
adjustments and waivers.
A second scenario where waivers are relevant – and more
common – is when a customer calls the bank requesting
that a penalty be waived. The late fee for a credit card
payment is an example.
Waivers and adjustments are more common than one might
assume, so the bank reviews them to find the reason for
each error and rectify the problem so it does not recur. The
adjustments and waivers application is the centrepiece of
tracking and managing waivers. It keeps a record of every
such case so that the root cause of the problem can be
analysed at a later date.
Branch employees initiate cases for waivers and
adjustments, entering the details of the customer and the
transaction as part of the case. Higher-privileged users have
the authority to approve or reject the requests for waivers
and adjustments, and must cite the reason for approving or
rejecting each case.
The output from this system is integrated with other
banking modules – the credit card payment management
system and core banking system – as this data is directly
relevant to those systems too.
The application generates reports for the various types of
adjustments and waivers performed over various time
periods. It helps management understand the patterns in the
waivers to derive the root cause.
Threat profile
An attacker waives late fees on loan repayments or credit
card payments of users.
An attacker waives service charges for new features
subscribed to by the user.
An attacker views the case details of other users –
especially those of the branch manager.
An attacker modifies the details of the amount to be
debited from the customer’s account before the
synchronisation of application data with core banking.
An attacker adds fake records to the fund adjuster when no
incorrect transaction exists.
An attacker enters a waived record and approves it
themselves.
An attacker waives a record without entering a reason.
An attacker modifies the details of a waived record to
prevent root-cause analysis.
An attacker downloads audit trail or case detail reports
without authentication.
Test plan
An attacker waives late fees on loan repayments or credit
card payments of users:
o Check if a user can waive fees using parameter
manipulation.
o Check if a user can change payment date using
parameter manipulation.
An attacker waives service charges for new features
subscribed to by the user:
o Check if a user can subscribe another user to new
features using parameter manipulation.
o Check if a user can waive service charges using
parameter manipulation.
An attacker views the case details of other users –
especially those of the branch manager:
o Check if a user can view case details of others using
parameter manipulation.
o Check if a user can escalate privileges using
parameter manipulation.
o Check if privileged data can be accessed without
logging into the application.
o Check if the case details are visible in browser
cache/history.
An attacker modifies the details of the amount to be
debited from the customer’s account before the
synchronisation of application data with core banking:
o Check if a user can modify debit amount details using
parameter manipulation.
An attacker adds fake records to the fund adjuster when no
incorrect transaction exists:
o Check if a user can escalate privileges using
parameter manipulation.
o Check if a user can add fake records through SQL
injection.
o Check if a user can be tricked into adding a fake
record using a CSRF attack.
An attacker enters a waived record and approves it
themselves:
o Check if a user can escalate privileges using SQL
injection.
o Check if a user can approve a record they created
using parameter manipulation.
An attacker waives a record without entering a reason:
o Check if a user can bypass entering a reason using
parameter manipulation.
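The checks above all come down to a handful of server-side controls: an object-level authorisation check on case access, a role check taken from the session rather than the request, separation of duties between initiator and approver, a mandatory reason, a reference to a real transaction, and freezing the amount once a case is decided. The following is an added example, not code from the handbook or from any real banking product: it models the waiver case workflow in memory with those controls in place and replays each test-plan check against it. The class and method names, the roles, the users and the ledger of transaction references are all invented for illustration.

```python
# Added example, not the handbook's code: an in-memory model of the waiver case
# workflow with the server-side controls the test plan probes, plus a harness
# that replays each check. All names, users and transaction refs are invented.
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, Optional

class Forbidden(Exception): pass        # actor may not perform the action
class ValidationError(Exception): pass  # request violates a workflow rule
# role is 'teller' (initiates cases) or 'approver' (approves or rejects them)
User = namedtuple("User", "name role branch")

@dataclass
class Case:
    case_id: int
    txn_ref: str           # the ledger transaction this case corrects
    created_by: str
    branch: str
    amount: float          # amount to be waived or adjusted
    status: str = "open"   # open -> approved | rejected
    reason: Optional[str] = None

class WaiverService:
    def __init__(self, ledger_txn_refs):
        self._ledger = set(ledger_txn_refs)  # transactions known to core banking
        self._cases: Dict[int, Case] = {}
        self._next_id = 1

    def _get(self, actor: Optional[User], case_id: int) -> Case:
        # One generic refusal for "no session" and "unknown id", so probing ids
        # does not reveal which cases exist.
        if actor is None or case_id not in self._cases:
            raise Forbidden("login required or no such case")
        return self._cases[case_id]

    def create_case(self, actor: User, txn_ref: str, amount: float) -> Case:
        if txn_ref not in self._ledger:      # no case without a real transaction
            raise ValidationError("unknown transaction reference")
        case = Case(self._next_id, txn_ref, actor.name, actor.branch, amount)
        self._cases[case.case_id] = case
        self._next_id += 1
        return case

    def view_case(self, actor: Optional[User], case_id: int) -> Case:
        case = self._get(actor, case_id)
        # Object-level check: the creator, or an approver of the same branch.
        branch_approver = actor.role == "approver" and actor.branch == case.branch
        if actor.name != case.created_by and not branch_approver:
            raise Forbidden("not your case")
        return case

    def update_amount(self, actor: Optional[User], case_id: int, amount: float) -> Case:
        case = self._get(actor, case_id)
        if actor.name != case.created_by:
            raise Forbidden("only the creator may edit")
        if case.status != "open":            # frozen once decided, so the figure
            raise ValidationError("case already decided")  # handed to core banking is final
        case.amount = amount
        return case

    def decide(self, actor: Optional[User], case_id: int, approve: bool, reason: str) -> Case:
        case = self._get(actor, case_id)
        if actor.role != "approver":         # role from the session, not a request field
            raise Forbidden("approver role required")
        if actor.name == case.created_by:    # separation of duties
            raise Forbidden("cannot decide own case")
        if case.status != "open":
            raise ValidationError("case already decided")
        if not reason or not reason.strip(): # mandatory reason; blanks rejected
            raise ValidationError("reason required")
        case.status = "approved" if approve else "rejected"
        case.reason = reason.strip()
        return case

def run_test_plan() -> Dict[str, bool]:
    """Replay the test-plan checks; True means the control held."""
    svc = WaiverService({"TXN-1001", "TXN-1002"})
    teller, manager = User("alice", "teller", "B1"), User("carol", "approver", "B1")
    other_teller = User("bob", "teller", "B2")       # same role, different branch
    case = svc.create_case(teller, "TXN-1001", 25.0)
    own = svc.create_case(manager, "TXN-1002", 40.0)  # the approver initiates one too
    def blocked(fn, *args) -> bool:
        try:
            fn(*args)
        except (Forbidden, ValidationError):
            return True
        return False
    results = {
        "fake_record_without_txn": blocked(svc.create_case, teller, "TXN-9999", 25.0),
        "view_others_case": blocked(svc.view_case, other_teller, case.case_id),
        "view_without_login": blocked(svc.view_case, None, case.case_id),
        "teller_approves": blocked(svc.decide, teller, case.case_id, True, "fee error"),
        "self_approve": blocked(svc.decide, manager, own.case_id, True, "fee error"),
        "approve_without_reason": blocked(svc.decide, manager, case.case_id, True, "   "),
    }
    svc.decide(manager, case.case_id, True, "Late fee charged in error")
    results["edit_amount_after_decision"] = blocked(svc.update_amount, teller, case.case_id, 2500.0)
    results["legitimate_approval_works"] = svc.view_case(manager, case.case_id).status == "approved"
    return results
```

Each key in the returned dictionary corresponds to one check in the test plan; a value of False would mean the corresponding parameter-manipulation or workflow-bypass attempt succeeded. Against a real target the same harness shape applies, with each `blocked` call replaced by an HTTP request that tampers with the case id, the role or the reason field and asserts on the status code, and the final entry left in to prove the legitimate path still works after hardening.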