Web trading – Security Testing Handbook for Banking Applications

4: Security Testing Repository
105
o Check if a user can manipulate queries to the database by using SQL injection.
Web trading
Online trading has extended the reach of the stock market from the broker's office to the home. The bank's clients can now buy and sell stocks from the convenience of their homes. That convenience comes with its own insecurity, of course.
Most online trading applications provide an essential set of functions to clients:
• They allow clients to buy and sell different types of securities.
• They let clients allocate a portion of the funds in their banking accounts to a trading account.
• They let clients schedule their orders to buy or sell.
• They allow clients to set simple buy/sell triggers that fire when a desired price is reached.
The more sophisticated systems offer more advanced features too:
• They let clients define complex conditions that trigger buy/sell decisions.
• They let clients define automated strategies for stopping losses or trading aggressively.
• They allow cross-currency trades and trades across two markets.
Online trading is used by the bank's clients from their homes, offices and shared computers. These users vary widely in age, sophistication and education. These factors broaden the range of threats the trading application has to contend with: insecure terminals with keystroke loggers, phishing and other social engineering attacks.
The security features that can be adopted are still constrained by the need for the application to be extremely simple to use, and additionally by the need for speed. Security defences that do not meet those criteria will not make the cut.
These applications are characterised by extreme fluctuations in load, and by the need for high uptime and quick response during trading hours. SSL/TLS accelerators and load-balanced web servers and application servers are common elements of the architecture; they improve performance and availability. Note that when TLS terminates at the accelerator, traffic between it and the web servers travels in the clear unless it is re-encrypted.
The application's attacker might hold a trading account with which to buy and sell assets; at the other extreme, the attacker might not have any account with the bank at all, in which case only the unauthenticated parts of the application are reachable.
Threat profile
• An attacker buys shares at a lower price than the current market price.
• An attacker modifies the number of shares they own without actually buying any.
• An attacker modifies the schedules that a user has set for buying/selling funds.
• An attacker changes the buy/sell threshold value set by a user for specific transactions.
• An attacker views/modifies the order book of another user.
• An attacker modifies their own allocation using the funds of other users.
• An attacker modifies the limit up to which a user can build margin positions.
• An attacker views the unit holdings/portfolio of another user.
• An attacker buys mutual funds on behalf of another user.
• An attacker buys complex securities on behalf of another user.
• An attacker tricks a user into buying shares they don't want, using phishing.
• An attacker creates an automated strategy on behalf of another user.
• An attacker modifies user-created systematic investment plans (SIPs).
• An attacker redeems mutual funds on behalf of another user.
• An attacker modifies the dividend reinvestment options of another user.
• An attacker gains unauthorised access to another user's trading profile.
Test plan
• An attacker buys shares at a lower price than the current market price:
o Check if a user can manipulate the price parameter of a buy request and have the order filled at that price, i.e. whether the price is trusted from the request rather than looked up on the server.
• An attacker modifies the number of shares they own without actually buying any:
o Check if a user can modify the number of shares they hold using parameter manipulation (for example, a tampered quantity or holdings field, or a negative quantity).
o Check if a user can gain unauthorised access using SQL injection.
• An attacker modifies the schedules that a user has set for buying/selling funds:
o Check if a user can modify another user's schedules using parameter manipulation.
• An attacker changes the buy/sell threshold value set by a user for specific transactions:
o Check if a user can modify another user's threshold value using parameter manipulation.
• An attacker views/modifies the order book of another user:
o Check if a user can view or modify the order book of another user using parameter manipulation.
• An attacker modifies their own allocation using the funds of other users:
o Check if a user can modify allocated funds using parameter manipulation.
o Check if a user can gain unauthorised access and modify the funds of all users using SQL injection.
• An attacker modifies the limit up to which a user can build margin positions:
o Check if a user can modify the margin position limit using parameter manipulation.
• An attacker views the unit holdings/portfolio of another user:
o Check if a user can view the unit holdings of other users using parameter manipulation.
o Check if privileged data can be accessed without logging into the application, by requesting authenticated pages directly.
o Check if a user's unit holdings remain viewable in the browser cache/history after logout, i.e. whether those pages are served without Cache-Control: no-store (and Pragma: no-cache for older browsers).
• An attacker buys mutual funds on behalf of another user:
o Check if a user can buy mutual funds with another user's funds using parameter manipulation.
o Check if a user can be tricked into buying mutual funds using a CSRF attack, i.e. whether the purchase request succeeds without an unpredictable, session-bound token.
• An attacker buys complex securities on behalf of another user:
o Check if a user can buy complex securities with another user's funds using parameter manipulation.
o Check if a user can be tricked into buying complex securities using a CSRF attack.
• An attacker tricks a user into buying shares they don't want, using phishing:
o Check if a user's session can be hijacked by embedding an XSS payload in a link and sending it to them (reflected XSS).
• An attacker creates an automated strategy on behalf of another user:
o Check if a user can create a strategy for another user using parameter manipulation.
• An attacker modifies user-created SIPs:
o Check if a user can modify another user's SIPs using parameter manipulation.
• An attacker redeems mutual funds on behalf of another user:
o Check if a user can redeem another user's mutual funds using parameter manipulation.
• An attacker modifies the dividend reinvestment options of another user:
o Check if a user can modify another user's dividend options using parameter manipulation.