Derivatives trading – Security Testing Handbook for Banking Applications

4: Security Testing Repository
An attacker gains unauthorised access to another user’s profile:
o Check if a user can view another user’s trading profile using parameter manipulation.
o Check if a user can view profile details of another user from browser cache/history.
Derivatives trading
A derivatives trading engine is used by investors to trade financial derivatives. A ‘derivative’ is a financial instrument whose value is derived from an underlying asset, rate or index; depending on its type it obliges or entitles the holder to buy or sell that underlying asset on or before a specified future date. The main types of derivatives are futures, forwards, options and swaps.
A ‘futures contract’ is a contract to buy or sell a quantity of a specified commodity or asset at a specified date in the future, at a specified price (the ‘futures price’). The future date is called the ‘delivery date’ or ‘final settlement date’. The price of the futures contract at the end of a day’s trading is called the ‘settlement price’ for that day.
A ‘forward contract’ is similar to a futures contract, with two primary differences: a forward contract is traded over the counter, whereas futures contracts are traded on an exchange, and futures are margined (settled daily against the settlement price), while forwards are not.
‘Options’ are financial instruments that convey the right, but not the obligation, to enter into a future transaction on some underlying security or futures contract. The holder does not have to exercise this right, unlike the parties to a forward or future, who are obliged to perform.
A ‘swap’ is a derivative in which two counterparties agree to exchange one stream of cash flows against another stream. These streams are called the ‘legs’ of the swap.
The buyer makes a profit or loss depending on how the underlying assets move. The buying and selling of derivatives is very similar to the trading of shares, except that the instrument traded is a derivative of a primary instrument or underlying asset.
The underlying assets are of many types: currencies, goods, energy sources, agricultural produce. The trader anticipates the value of an asset on a future date and buys or sells the desired quantity; the application may assist with the forecast calculation.
Derivatives trading is used for hedging as well as for speculation and arbitrage. Investors who can anticipate the future market value of their own or others’ assets invest heavily in derivatives, and the profit earned can fund the other services they wish to offer customers. The stakes are therefore very high, and it is of the utmost importance that these systems be thoroughly tested for security flaws. In practice that means verifying that every commercial term of a deal (price, rate, date, margin, contract type) is fixed on the server and cannot be altered by anything the client sends.
Threat profile
An attacker changes the value of a pre-fixed rate of exchange of a specific asset.
An attacker changes the last date of a futures contract.
An attacker changes the last date of a forwards contract.
An attacker changes the profit margin of a particular deal.
An attacker purchases derivatives without having a minimum amount available.
An attacker buys derivatives and pays a lower rate for them.
An attacker changes the price of an asset in a forward contract.
An attacker converts a call option contract into a put option contract.
An attacker changes the interest rate or foreign exchange rate in a swap deal.
An attacker gains unauthorised access to a seller’s profile or vice versa.
An attacker views all the deals that another user has made.
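Almost every threat above reduces to two faults in the order-handling code: commercial terms (price, expiry, margin, contract type) taken from the request instead of from server-side data, and SQL assembled from those fields. The following is an added example, not code from the handbook or from any trading product: a minimal order handler in the vulnerable form, the hardened form beside it, and a deal-listing function scoped to the authenticated user. The table layout, the asset ‘WTI-DEC’, the account balances, the MIN_BALANCE and MARGIN_RATE constants and the user names are all assumed for illustration; the sample data is constructed inline so the code runs offline against an in-memory SQLite database.

```python
import sqlite3

ALLOWED_TYPES = {"futures", "forward", "call", "put", "swap"}
MIN_BALANCE = 1000.0   # assumed minimum amount a user must hold to deal
MARGIN_RATE = 0.10     # assumed initial margin as a fraction of notional


class OrderRejected(Exception):
    """Raised by the hardened handler when a request fails a server-side check."""


def make_db():
    """Constructed sample data: one quoted asset, two accounts, one existing deal."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE quotes(asset TEXT PRIMARY KEY, price REAL, expiry TEXT);
        CREATE TABLE accounts(user TEXT PRIMARY KEY, balance REAL);
        CREATE TABLE deals(id INTEGER PRIMARY KEY, user TEXT, asset TEXT,
                           ctype TEXT, qty INTEGER, price REAL, expiry TEXT,
                           margin REAL);
        INSERT INTO quotes VALUES ('WTI-DEC', 82.50, '2030-12-19');
        INSERT INTO accounts VALUES ('alice', 5000.0), ('bob', 50.0);
        INSERT INTO deals VALUES (1, 'alice', 'WTI-DEC', 'call', 10, 82.50,
                                  '2030-12-19', 0.10);
    """)
    return db


def place_order_vulnerable(db, user, form):
    """The pattern the test plan is written to catch: price, expiry, margin and
    contract type are all taken from the request, no funds check is done on
    the server, and the SQL is built by string formatting, so a crafted
    'margin' field can append further statements."""
    sql = ("INSERT INTO deals(user, asset, ctype, qty, price, expiry, margin) "
           f"VALUES ('{user}', '{form['asset']}', '{form['ctype']}', "
           f"{form['qty']}, {form['price']}, '{form['expiry']}', {form['margin']})")
    db.executescript(sql)   # runs stacked statements, like a batch-capable driver
    return db.execute("SELECT COUNT(*) FROM deals").fetchone()[0]


def place_order_hardened(db, user, form):
    """Only asset, contract type and quantity are client choices. Price, expiry
    and margin come from server-side data, the funds check runs on the server,
    and every query is parameterised."""
    ctype = form.get("ctype")
    if ctype not in ALLOWED_TYPES:
        raise OrderRejected("unknown contract type")
    try:
        qty = int(form.get("qty", ""))
    except (ValueError, TypeError):
        raise OrderRejected("quantity is not an integer")
    if qty <= 0:
        raise OrderRejected("quantity must be positive")
    quote = db.execute("SELECT price, expiry FROM quotes WHERE asset = ?",
                       (form.get("asset"),)).fetchone()
    if quote is None:
        raise OrderRejected("unknown asset")
    price, expiry = quote
    acct = db.execute("SELECT balance FROM accounts WHERE user = ?",
                      (user,)).fetchone()
    required = max(MIN_BALANCE, price * qty * MARGIN_RATE)
    if acct is None or acct[0] < required:
        raise OrderRejected("insufficient funds for this order")
    cur = db.execute(
        "INSERT INTO deals(user, asset, ctype, qty, price, expiry, margin) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        (user, form.get("asset"), ctype, qty, price, expiry, MARGIN_RATE))
    db.commit()
    return cur.lastrowid


def is_rejected(db, user, form):
    """True if the hardened handler refuses the order; drives the test cases."""
    try:
        place_order_hardened(db, user, form)
    except OrderRejected:
        return True
    return False


def list_deals(db, requester, owner):
    """Deal history is scoped to the authenticated user, never to an owner id
    the browser supplies, which is the check behind the profile-access items."""
    if requester != owner:
        raise PermissionError("cannot view another user's deals")
    return db.execute("SELECT id, ctype, price, margin FROM deals WHERE user = ?",
                      (owner,)).fetchall()


if __name__ == "__main__":
    # Tampered request: put instead of the quoted call, price and expiry
    # altered, margin halved, sent by a user with only 50.0 on account.
    tampered = {"asset": "WTI-DEC", "ctype": "put", "qty": "10",
                "price": "1.00", "expiry": "2099-01-01", "margin": "0.50"}
    db = make_db()
    place_order_vulnerable(db, "bob", tampered)
    print("vulnerable stored:", db.execute("SELECT * FROM deals WHERE user = 'bob'").fetchall())
    print("hardened rejects bob:", is_rejected(make_db(), "bob", tampered))
```

Run the tampered request through both handlers: the vulnerable one records a put at 1.00 expiring in 2099 with half the margin for a user who cannot cover the minimum amount, and a `margin` value of `0.50); UPDATE deals SET margin = 0.99; --` rewrites the margin on every deal in the table. The hardened one rejects the under-funded user, ignores the client’s price, expiry and margin entirely, refuses a contract type outside the allowlist (which also defeats injection through that field) and a non-integer quantity, and only ever shows a user their own deals.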
Test plan
An attacker changes the value of a pre-fixed rate of exchange of a specific asset:
o Check if a user can modify a pre-fixed rate of exchange using parameter manipulation.
An attacker changes the last date of a futures contract:
o Check if a user can edit the date of a futures contract using parameter manipulation.
An attacker changes the last date of a forwards contract:
o Check if a user can edit the date of a forwards contract using parameter manipulation.
An attacker changes the profit margin of a particular deal:
o Check if a user can change the deal profit margin using parameter manipulation.
o Check if a user can change the profit margin of all deals using SQL injection.
An attacker purchases derivatives without having the minimum amount available:
o Check if a user can bypass the minimum amount limitation using parameter manipulation.
o Check if validations performed in the browser can be bypassed; the server must re-check the balance itself rather than trust a client-side result.
An attacker buys derivatives and pays a lower rate for them:
o Check if a user can buy derivatives at a lower rate using parameter manipulation, for example by resubmitting the order with the price field altered.
An attacker changes the price of an asset in a forward contract:
o Check if a user can change asset prices using parameter manipulation.
o Check if a user can change asset prices using SQL injection.
An attacker converts a call option contract into a put option contract:
o Check if a user can convert a call option contract into a put option contract using parameter manipulation.
o Check if a user can change all contract types using SQL injection.
An attacker changes the interest rate or foreign exchange rate in a swap deal:
o Check if a user can edit the interest or foreign exchange rate using parameter manipulation.
An attacker gains unauthorised access to a seller’s profile or vice versa:
o Check if a user can view another user’s profile using parameter manipulation.