Contents

Introduction
    The threat landscape
    Defences employed
    Goal of the book
Chapter 1: Approach to Security Testing
    Preparing the threat profile
    Preparing the test plan
Chapter 2: Basic Tests and Techniques
    SQL injection
    Cross-site scripting (XSS)
    Cross-site request forgery (CSRF)
    Directory brute forcing/Searching for defaults
    Weak authorisations
    Weak session management
    Sensitive data in browser cache
    Over-reliance on client-side validation
    Unencrypted traffic
    Unhardened database
    Weak password policies
    Poor error-handling mechanisms
Chapter 3: The Tools of the Trade
    Web applications
    Thick-client applications
    Terminal services applications
    Intercepting Java applets
    Embedded application
    Web services application
    Mobile applications
Chapter 4: Security Testing Repository
    Generic threat profile and test plan
    Core banking
    Internet banking
    Web trading
    Derivatives trading
    Credit card payment management applications
    Debit card management system
    Mutual funds management
    Loan management application
    Cheque management application
    Overdraft calculator application
    Adjustments and waivers application
    Online remittance application
    Account opening tracker
    Back-office trading application
    Electronic payment switch
    Cash depositor
    Teller automation machines
    ATM reconciler application
    Balance viewer terminals
    Customer care centre application
    Interactive voice response system
    Fraud detection software
Chapter 5: Emerging Trends
    Emerging landscape of applications
    New attacks on the horizon
ITG Resources
About the authors

Arvind Doraiswamy leads Paladion's R&D team for Application Security. Arvind has tested 100+ banking applications and continuously refines the techniques used by Paladion to improve the quality of testing. He also contributes to the security testing database at www.vulnerabilityassessment.co.uk.

Sangita Pakala is the Project Director for the Application Security practice at Paladion. Sangita is the lead author of the OWASP Application Security FAQ, and co-author of "Application Security in the ISO 27001 Environment" from ITGP. She has been invited to present at the RSA Conference 2006 and ISACA Europe 2005.

Nilesh Kapoor is a Project Leader in Paladion's Application Security Testing team. Nilesh has tested 30+ applications including core banking applications, RTGS and ATM systems.

Prashant Verma is a Project Leader in Paladion's Application Security Testing team. Prashant has tested 30+ applications including Internet banking, fraud monitoring and teller automation applications.

Praveen Singh is a senior security engineer in Paladion's Application Security Testing team. Praveen has tested 30+ applications including payment systems, debit card management systems, loan management applications and core banking applications.

Raghu Nair is a senior security engineer in Paladion's Application Security Testing team. Raghu has tested 30+ applications including credit card management systems, derivatives trading applications and core banking applications.

Shalini Gupta is the Project Manager for Banking and Finance at Paladion. She has tested 100+ banking applications for security in the last three years. Her team has tested 400+ banking applications for 30 banks in the last seven years.