Internet banking (2/3) – Security Testing Handbook for Banking Applications

4: Security Testing Repository
99
o Check if a user can modify the account profile of
another user using parameter manipulation.
o Check if a user can be tricked into modifying their
own profile using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker views the financial statements of other users:
o Check if a user can view another user’s financial
statements using parameter manipulation.
o Check if a user’s session can be stolen by running
scripts and exploiting an XSS flaw.
o Check if a user can manipulate queries to the database
by using SQL injection.
o Check if a user’s financial statements can be viewed in
the browser cache.
An attacker modifies own/other user’s financial
statement:
o Check if a user can modify another user’s financial
statement using parameter manipulation.
o Check if a user can be tricked into modifying their
own financial statement using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker views other user’s card details/history:
o Check if a user can view/modify the card details of
another user using parameter manipulation.
o Check if a user’s session can be stolen by running
scripts and exploiting an XSS flaw.
o Check if a user can manipulate queries to the database
by using SQL injection.
o Check if a user’s card details can be viewed in the
browser cache.
An attacker views/modifies other user’s certificate
details:
o Check if a user can view/modify certificate details of
other users using parameter manipulation.
o Check if a user can be tricked into modifying their
own certificate details using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
o Check if a user’s certificate details can be viewed in
the browser cache.
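The "view another user's details" and "viewed in the browser cache" checks above (statements, card details, certificate details) test two server-side defences: the record owner is decided by the session, not by the request parameter, and the response carries no-store cache headers. This is an added Python illustration, not code from the handbook; the account ids, owners, statement lines and the `is_cacheable` helper are constructed for the example.

```python
# Constructed sample statement store (not from the handbook).
STATEMENTS = {
    "ACC-1001": {"owner": "alice",
                 "lines": ["2024-01-02 -45.00 grocer", "2024-01-05 +1200.00 salary"]},
    "ACC-2002": {"owner": "bob", "lines": ["2024-01-03 -12.50 cafe"]},
}
# Headers that keep a statement out of browser and intermediary caches.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def get_statement(session_user, account_id):
    """Return (status, headers, body) for a statement request.
    account_id is a client-supplied parameter; ownership is decided by the session."""
    record = STATEMENTS.get(account_id)
    # Same response for 'missing' and 'not yours', so account ids cannot be
    # enumerated by comparing 403 against 404.
    if record is None or record["owner"] != session_user:
        return 404, dict(NO_STORE_HEADERS), ""
    return 200, dict(NO_STORE_HEADERS), "\n".join(record["lines"])


def is_cacheable(headers):
    """Tester-side check for the 'viewed in the browser cache' case: True when a
    response lacks no-store and could therefore be written to a cache."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return "no-store" not in directives
```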
An attacker redeems other user’s certificate:
o Check if a user can redeem another user’s certificate
using parameter manipulation.
o Check if a user can be tricked into redeeming their
own certificate using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker redeems certificate multiple times:
o Check if a user can redeem the same certificate many
times using parameter manipulation.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker redeems greater amount than entitled:
o Check if a user can redeem an amount greater than the
certificate entry using parameter manipulation.
o Check if a user can be tricked into redeeming their
own certificate using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker pays bills using another user’s account:
o Check if a user can pay their own bills using another
user’s account using parameter manipulation.
o Check if a user can be tricked into paying someone
else’s bills using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker makes bill payment to a non-registered bill
payee:
o Check if a user can add a new bill payee using
parameter manipulation.
o Check if a user can edit registration status using
parameter manipulation.
o Check if a user can be tricked into making a bill
payment of another user using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker transfers funds from another user’s account to
their own account:
o Check if a user can transfer funds from another user’s
account using parameter manipulation.
o Check if a user can be tricked into performing a fund
transfer using a CSRF attack.
o Check if a user’s session can be taken over by
exploiting an XSS flaw.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker transfers amounts beyond the available
balance:
o Check if a user can transfer amounts larger than the
balance using parameter manipulation.
o Check if a user can be tricked into performing a fund
transfer using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
o Check if a user can bypass browser-side controls and
perform a fund transfer.
An attacker performs pre-dated transaction/payment:
o Check if a user can perform a pre-dated transaction
using parameter manipulation.
o Check if a user can be tricked into performing a
pre-dated transaction using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker performs a transaction without valid
transaction credentials:
o Check if a user can perform a transaction using
parameter manipulation.
o Check if a user can be tricked into performing a
transaction using a CSRF attack.
o Check if a user’s session can be taken over by
exploiting an XSS flaw.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker manipulates transaction/payment amount
and service charges levied for transaction:
o Check if a user can manipulate the transaction service
charge using parameter manipulation.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker performs transaction/payment from and to a
non-existing/invalid account:
o Check if a user can bypass account validation using
parameter manipulation.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker modifies the currency during transaction/
payment:
o Check if a user can modify the currency in which
payment is made using parameter manipulation.
o Check if a user can be tricked into making a payment
in a different currency using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
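The transfer and payment threats above (tampered account parameter, CSRF, amount beyond the balance, bypassed browser-side controls, pre-dated value date, invalid account, service-charge tampering, changed currency) all reduce to one rule: every field of the request is re-validated server-side against the session and the account store. This is an added Python illustration, not code from the handbook; the account store, balances, service charge and CSRF tokens are constructed for the example.

```python
import hmac
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample account store (not from the handbook).
ACCOUNTS = {
    "ACC-1001": {"owner": "alice", "balance": Decimal("500.00"), "currency": "USD"},
    "ACC-2002": {"owner": "bob", "balance": Decimal("80.00"), "currency": "USD"},
    "ACC-3003": {"owner": "carol", "balance": Decimal("10.00"), "currency": "EUR"},
}
SERVICE_CHARGE = Decimal("1.50")  # fixed server-side; never read from the request

def check_transfer(session_user, session_csrf, req, today=date(2024, 1, 15)):
    """Return 'ok' or the reason a fund-transfer request is rejected.
    Everything in req is client-supplied and untrusted; the user identity and
    the CSRF token come from the server-side session."""
    # CSRF: the submitted token must match the one bound to this session.
    if not hmac.compare_digest(str(req.get("csrf_token", "")).encode(), session_csrf.encode()):
        return "csrf token mismatch"
    src = ACCOUNTS.get(req.get("from_account"))
    dst = ACCOUNTS.get(req.get("to_account"))
    # Non-existing/invalid accounts (and self-transfers) fail before anything else.
    if src is None or dst is None or src is dst:
        return "invalid account"
    # Ownership comes from the session, so a tampered from_account fails here.
    if src["owner"] != session_user:
        return "not the account owner"
    # Parse the amount server-side; browser-side limits are not trusted.
    try:
        amount = Decimal(str(req.get("amount", "")))
    except InvalidOperation:
        return "invalid amount"
    if not amount.is_finite() or amount <= 0:
        return "invalid amount"
    # Currency is bound to the source account, not to the request.
    if req.get("currency") != src["currency"]:
        return "currency mismatch"
    # Value date cannot lie in the past (pre-dated transaction).
    try:
        value_date = date.fromisoformat(str(req.get("value_date", "")))
    except ValueError:
        return "invalid value date"
    if value_date < today:
        return "pre-dated transaction"
    # Service charge is the server's figure; a client-supplied 'charge' field is ignored.
    if amount + SERVICE_CHARGE > src["balance"]:
        return "insufficient balance"
    return "ok"
```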
An attacker views/adds/modifies beneficiary/payee of
other user’s account:
o Check if a user can view/add/modify payee into
another user’s account using parameter manipulation.
o Check if a user can be tricked into adding or modifying
a payee using a CSRF attack.
o Check if a user can manipulate queries to the database
by using SQL injection.
An attacker views/modifies the pending/scheduled
transaction/payments details of another user:
o Check if a user can view transaction payments of
other users using parameter manipulation.
o Check if a user can manipulate queries to the database
by using SQL injection.
o Check if transaction payment details can be viewed in
the browser cache.
An attacker views the transfer/payment history of other
users:
o Check if a user can view transfer history of another
user using parameter manipulation.
o Check if a user’s session can be taken over by
exploiting an XSS flaw.