The threat landscape – Security Testing Handbook for Banking Applications

Introduction
The threat landscape
Gone are the days when having a complex password was all the security you required – an attack solely based on guessing passwords by brute force is a thing of the past. Now attackers are much more sophisticated and resort to more complex attack techniques. SQL injection, cross-site scripting and variable manipulation are some of the attacks in their armoury today. The attackers’ motives could range from stealing money from a user’s online bank account to bringing down the critical servers of a bank.
The SQL injection technique, for instance, can be used to implement many of these attacks. Most applications use SQL databases to store data. The application takes input from the user and forms an SQL query to retrieve or modify data in the database. The attacker enters a carefully crafted input which changes the underlying SQL query and manipulates the data in the database. Attackers can add, delete or modify important records like user names, banking account numbers, loan applications, etc. with this technique.
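The following is an added example, not code from the handbook: it shows the mechanism just described on a constructed in-memory account table. One lookup pastes the user's input into the SQL text, so a crafted value rewrites the WHERE clause and returns every account; the other passes the value as a bound parameter, so the same input can only ever be compared literally against a username. The table, the account data and the function names are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory table standing in for a bank's account store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, account_no TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "ACC-1001", 500), ("bob", "ACC-1002", 1200)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The input is interpolated straight into the SQL text, so the user controls
    # the structure of the query, not just the value being compared.
    query = f"SELECT username, account_no, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username):
    # The driver sends the value separately from the query text; whatever the user
    # types is treated as data and can only match a username literally.
    query = "SELECT username, account_no, balance FROM accounts WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    conn = make_db()
    # Constructed malicious input: the quote closes the string literal and the
    # tautology that follows makes the WHERE clause match every row.
    crafted = "nobody' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),
        "parameterised": lookup_parameterised(conn, crafted),
        "honest_lookup": lookup_parameterised(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the module prints two rows for the vulnerable lookup and none for the parameterised one with the same input; the honest lookup still works because parameter binding changes nothing for legitimate values. In a real application the same discipline applies to every statement, including INSERT and UPDATE paths that the book notes attackers use to add or modify records.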
Cross-site scripting is another popular attack with criminals today. In a typical cross-site scripting attack, a user is tricked into visiting a malicious page which steals sensitive information like the user’s credentials.
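As an added illustration of the control that stops the attack described above (this is not code from the handbook), the snippet below renders a small account page twice from the same untrusted inputs. The first version concatenates the values into the HTML, so any markup a user submitted is interpreted by the browser; the second entity-encodes every untrusted value for an HTML text context before insertion. The page layout, field names and sample input are constructed for the demonstration.

```python
import html


def render_vulnerable(display_name, memo):
    # Untrusted values are concatenated straight into the markup, so any tags
    # they contain become part of the page the browser executes.
    return (f"<h1>Welcome, {display_name}</h1>"
            f"<p>Last transfer memo: {memo}</p>")


def render_escaped(display_name, memo):
    # Each untrusted value is entity-encoded for an HTML text context, so the
    # browser displays the characters instead of interpreting them as markup.
    safe_name = html.escape(display_name, quote=True)
    safe_memo = html.escape(memo, quote=True)
    return (f"<h1>Welcome, {safe_name}</h1>"
            f"<p>Last transfer memo: {safe_memo}</p>")


def contains_live_script(page):
    # Crude check used by the demo: does a raw <script tag survive into the output?
    return "<script" in page.lower()


def demo():
    # Constructed sample input: a memo field containing markup rather than text.
    crafted = "<script>alert('x')</script>"
    return {
        "vulnerable_has_script": contains_live_script(render_vulnerable("alice", crafted)),
        "escaped_has_script": contains_live_script(render_escaped("alice", crafted)),
        "escaped_output": render_escaped("alice", crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Encoding has to match the context the value lands in: `html.escape` is correct for element text and quoted attribute values, but a value placed inside a script block, a URL or a CSS rule needs the encoding for that context instead. Modern template engines apply the text-context encoding by default; the vulnerable form above is what you get when that default is bypassed or when pages are assembled by string concatenation.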
An attack to which many applications in our experience are vulnerable is variable manipulation. A special tool called a web proxy editor is used to intercept the data travelling from the client to the web server. The intercepted data can then be modified before forwarding it. This lets an attacker realise a lot of critical threats – siphoning off funds from a user’s bank account, viewing a user’s credit card details and