Must Know Business Logic Vulnerabilities In Banking Applications by Sam White
Article Posted: 01/24/2013
Over the last few years, our on-demand and hybrid penetration testing platform has performed security testing of applications across many verticals and domains, including banking, e-commerce, manufacturing, enterprise applications and gaming. SQL injection, XSS and CSRF are still the top classes of vulnerability found by our automated scanning system; alongside them, however, a large share of the findings are business logic vulnerabilities, which are found by our security experts working from a comprehensive knowledge base rather than by the scanners.

A business logic vulnerability is a security weakness in the functional or design aspect of an application: the code does what its developers intended, but the intended behaviour itself can be abused. Because the flaw lies in the design rather than in the handling of malformed input, it is generally missed by automated web application scanners, which have no model of what the application is supposed to do.

In this post we share the business logic vulnerabilities most commonly found in the Virtual Credit Card (VCC) module of a banking application.

Consider the following scenario. A banking application gives its users web-based functionality to pay bills online and to create and manage virtual credit cards (VCCs), which are used to shop online. Creating a VCC involves the following steps:

1. User visits the banking application.
2. User opts to create a virtual credit card.
3. User fills in personal details, the required amount, the expiry date of the VCC, etc.
4. User chooses a payment gateway.
5. User fills in credit/debit card details.
6. Banking application redirects the user to the payment gateway.
7. Required amount plus service charge is debited from the user's debit/credit card.
8. Payment gateway redirects the user to a callback URL provided by the banking application.
9. Banking application verifies the payment gateway confirmation.
10. Banking application generates a CVV number.
11. Banking application presents the VCC details to the user.
12. Banking application performs SMS verification of the user.

The following security weaknesses are commonly found in this flow:

TAMPERING OF DATA COMMUNICATION BETWEEN PAYMENT GATEWAY AND BANKING APPLICATION Weakness: The banking application does not verify that the required amount was actually paid at the payment gateway, nor what amount was paid there. The amount travels through the user's browser on both legs of the flow (bank to gateway in step 6, gateway back to the callback URL in step 8), so an attacker can lower the amount sent to the gateway, pay that lower amount, and still have the bank fund the virtual card with the full amount it originally recorded; or, where the bank trusts the value carried back in the callback, raise the amount on the return leg.

Mitigation: The banking application must keep its own server-side record of each transaction (transaction id, amount, currency) from step 6 and, on the callback, compare the amount the gateway confirms against that record rather than against anything carried in the request. The confirmation data from the gateway must be integrity protected (a signature or HMAC over the transaction id, status and amount under a key shared only between the two parties), or be fetched from the gateway in a direct server-to-server query, so that the browser relaying the callback cannot alter it. The callback URL itself must not be something an attacker can redirect or control.

NO VALIDATION ON BANKING APPLICATION'S CALLBACK URL Weakness: The banking application does not validate the request it receives when the payment gateway redirects the user to its callback URL. As a result, a virtual credit card can be created without paying the amount or the service charge at all: the attacker simply sends a request that looks like a successful gateway confirmation directly to the banking application's callback URL, skipping the gateway entirely.

Mitigation: The callback handler must verify that the confirmation genuinely originated from the payment gateway (a valid signature under the shared key, or a server-to-server status query keyed by the transaction id) before funding a card, and it must accept each transaction id only once so that a captured confirmation cannot be replayed. The Referer header and the mere fact that the user "came back" from the gateway are no evidence at all, since both are under the attacker's control.
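The following Python is an added example, not code from the article or from any real gateway integration; it shows one way to close both callback weaknesses above in a single handler. The field names (txn_id, status, amount, currency, sig), the HMAC-SHA256 signing scheme, the shared secret and the in-memory pending-order record are all assumptions made for illustration; a real gateway documents its own confirmation format and signing scheme, and that is what a bank should verify against.

```python
import hmac
import hashlib
from urllib.parse import parse_qsl, urlencode

# Key shared out of band between the bank and the payment gateway.
# Constructed for this example; load it from a secret store in practice.
GATEWAY_SECRET = b"example-shared-secret-do-not-reuse"

# What the bank itself recorded at step 6, before redirecting to the gateway.
# This, not anything in the callback, is the source of truth for the amount.
PENDING_ORDERS = {
    "txn-1001": {"user": "alice", "amount": 5000, "currency": "INR"},
}
# Transaction ids already used to fund a card; blocks replay of a captured callback.
FULFILLED = set()

# Fixed field set and order covered by the signature, so an attacker cannot add,
# drop or reorder fields to change what was signed.
SIGNED_FIELDS = ("txn_id", "status", "amount", "currency")


def canonical(params):
    return "&".join(f"{name}={params[name]}" for name in SIGNED_FIELDS).encode()


def gateway_sign(params, secret=GATEWAY_SECRET):
    """Hypothetical gateway side: sign the confirmation before redirecting."""
    sig = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    return {**params, "sig": sig}


def signed_query(params):
    """Query string the gateway would append to the bank's callback URL."""
    return urlencode(gateway_sign(params))


def bank_callback(query_string):
    """Bank side: validate one callback. Returns (accepted, reason)."""
    params = dict(parse_qsl(query_string))
    try:
        expected = hmac.new(GATEWAY_SECRET, canonical(params), hashlib.sha256).hexdigest()
    except KeyError as missing:
        return False, f"missing field {missing}"
    # Weakness 2: a request sent straight to the callback URL, bypassing the
    # gateway, carries no valid signature. compare_digest avoids timing leaks.
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False, "bad signature"
    txn_id = params["txn_id"]
    order = PENDING_ORDERS.get(txn_id)
    if order is None:
        return False, "unknown transaction"
    if txn_id in FULFILLED:
        return False, "replayed callback"
    if params["status"] != "SUCCESS":
        return False, "payment not successful"
    # Weakness 1: the gateway honestly confirms whatever the browser asked it to
    # collect. Compare that against the bank's own record, never against a
    # value that travelled through the client.
    try:
        paid = int(params["amount"])
    except ValueError:
        return False, "malformed amount"
    if paid != order["amount"] or params["currency"] != order["currency"]:
        return False, "amount mismatch"
    FULFILLED.add(txn_id)
    return True, "card funded"


if __name__ == "__main__":
    confirm = {"txn_id": "txn-1001", "status": "SUCCESS", "currency": "INR"}
    # Attacker lowered the amount on the way to the gateway and paid only 100.
    print(bank_callback(signed_query({**confirm, "amount": "100"})))
    # Attacker skipped the gateway and hit the callback URL directly.
    print(bank_callback("txn_id=txn-1001&status=SUCCESS&amount=5000&currency=INR&sig=00"))
    # Genuine confirmation for the recorded amount, then a replay of it.
    genuine = signed_query({**confirm, "amount": "5000"})
    print(bank_callback(genuine))
    print(bank_callback(genuine))
```

The order of the checks matters: the signature is verified before any field is interpreted, so only gateway-authenticated data reaches the amount comparison, and the transaction id is marked fulfilled only after every check has passed, so a rejected callback cannot burn a legitimate order.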

VIRTUAL CREDIT CARD NUMBER IS PREDICTABLE Weakness: Generated virtual credit card numbers are predictable or follow a pattern, for example sequential issue within the issuer prefix. An attacker who holds one card can therefore derive the card numbers issued to other legitimate users; the Luhn check digit is no obstacle, since it is computed from the other digits.

Mitigation: The account-number portion of each virtual credit card number must be drawn from a cryptographically secure random source (the operating system CSPRNG), with only the issuer prefix and the check digit being deterministic, and the issuer should enforce uniqueness by lookup rather than by relying on a counter.
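As an added example (not code from the article or from any issuer), the Python below contrasts the sequential pattern described above with CSPRNG-based generation. The issuer prefix 4000 and the 16-digit length are assumptions for illustration; a real issuer uses its own BIN range and keeps a persistent uniqueness check on issued numbers.

```python
import secrets

# Issuer identification number (BIN) prefix and PAN length.
# Both are constructed for this example, not a real issuer's range.
ISSUER_PREFIX = "4000"
PAN_LENGTH = 16


def luhn_check_digit(partial):
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    # Walk from the right: the rightmost digit of the partial number will sit
    # next to the check digit, so it is the first one to be doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan):
    """True if the full number's last digit is its correct Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def sequential_vcc_number(counter, prefix=ISSUER_PREFIX, length=PAN_LENGTH):
    """The weak pattern the article describes: an issue counter plus check digit.
    Anyone holding one card can compute its neighbours."""
    partial = prefix + str(counter).zfill(length - len(prefix) - 1)
    return partial + luhn_check_digit(partial)


def generate_vcc_number(prefix=ISSUER_PREFIX, length=PAN_LENGTH):
    """Account digits from the OS CSPRNG; only prefix and check digit are fixed."""
    body_len = length - len(prefix) - 1
    # secrets.randbelow draws from os.urandom. random.randint or a time-seeded
    # PRNG would let an attacker reconstruct the sequence from a few samples.
    body = "".join(str(secrets.randbelow(10)) for _ in range(body_len))
    partial = prefix + body
    return partial + luhn_check_digit(partial)


def generate_cvv():
    """Three-digit CVV from the CSPRNG, zero-padded."""
    return f"{secrets.randbelow(1000):03d}"


if __name__ == "__main__":
    print("sequential:", [sequential_vcc_number(n) for n in (1, 2, 3)])
    print("random:    ", [generate_vcc_number() for _ in range(3)])
    print("cvv:       ", generate_cvv())
```

Note that the check digit contributes nothing to unpredictability in either case; with 11 random account digits the random generator leaves roughly 10^11 candidates per prefix, which is what makes enumeration impractical.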

NO ANTI-AUTOMATION IN VIRTUAL CREDIT CARD DETAILS VERIFICATION Weakness: There is no anti-automation (e.g. CAPTCHA or attempt limiting) when the virtual credit card details, the CVV and the expiry date, are verified. The card number is sufficiently long, but the CVV is a 3-digit number and the expiry date is a month and a two-digit year with only a handful of plausible future values, so the combined search space is on the order of tens of thousands of guesses (1,000 CVVs times a few dozen candidate expiry months). That is trivial to brute-force online, so an attacker who learns a virtual card number (for instance through the predictability issue above) can shop with it.

Mitigation: Verification of the CVV and expiry date must be rate-limited per card and per client, with the card locked (and the cardholder notified) after a small number of failed attempts, in addition to anti-automation such as CAPTCHA. CAPTCHA alone is not sufficient, since solving services turn it into a cost rather than a barrier; it is the attempt limit that bounds the attack.

NO ANTI-AUTOMATION IN CARD CREATION PROCESS Weakness: There is no anti-automation in the virtual credit card creation flow. An attacker can script card creation (for free, if the payment step can be skipped as described above) until the issuer's available number range is exhausted, leaving legitimate users unable to obtain cards: a denial of service. Bulk creation also hands the attacker a large sample of issued numbers from which to infer the generation pattern.

Mitigation: Card creation must be rate-limited per account and per payment instrument, in addition to anti-automation such as CAPTCHA, and unusual creation volumes should be alerted on.
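As an added example covering the last two weaknesses (it is not code from the article), here is a minimal per-card attempt limiter for CVV/expiry verification together with a per-user creation throttle, in Python. The thresholds (5 failures, a 15-minute lock, 3 cards per 24 hours), the in-memory store and the injectable clock are assumptions chosen for illustration; a deployment keeps this state in a shared datastore and tunes the limits to its own fraud model.

```python
import hmac
import time
from collections import defaultdict, deque

# Limits are assumptions for this example, not values from the article.
MAX_VERIFY_FAILURES = 5          # failed CVV/expiry attempts before the card locks
LOCK_SECONDS = 15 * 60
MAX_CARDS_PER_WINDOW = 3         # cards one user may create per window
CREATE_WINDOW_SECONDS = 24 * 3600


class FakeClock:
    """Controllable time source so lockouts and windows can be exercised offline."""
    def __init__(self, start):
        self.t = start

    def __call__(self):
        return self.t


class CardStore:
    def __init__(self, now=time.time):
        self.now = now
        self.cards = {}                        # pan -> card record
        self.creations = defaultdict(deque)    # user -> timestamps of recent creations

    def create_card(self, user, pan, cvv, expiry):
        """Per-user sliding window on card creation (anti-exhaustion)."""
        t = self.now()
        recent = self.creations[user]
        while recent and t - recent[0] >= CREATE_WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_CARDS_PER_WINDOW:
            return False, "creation rate limit"
        recent.append(t)
        self.cards[pan] = {"cvv": cvv, "expiry": expiry,
                           "failures": 0, "locked_until": 0.0}
        return True, "created"

    def verify(self, pan, cvv, expiry):
        """Per-card failure counter with lockout (anti-brute-force)."""
        t = self.now()
        card = self.cards.get(pan)
        if card is None:
            return False, "declined"
        if t < card["locked_until"]:
            return False, "locked"
        # Bitwise & so both comparisons always run; compare_digest is constant-time.
        ok = hmac.compare_digest(card["cvv"], cvv) & hmac.compare_digest(card["expiry"], expiry)
        if ok:
            card["failures"] = 0
            return True, "approved"
        card["failures"] += 1
        if card["failures"] >= MAX_VERIFY_FAILURES:
            card["locked_until"] = t + LOCK_SECONDS
            card["failures"] = 0
            return False, "locked"
        return False, "declined"


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    store = CardStore(now=clock)
    store.create_card("alice", "4000111122223333", "123", "1226")
    # Brute-force the CVV: the fifth wrong guess locks the card.
    for guess in range(5):
        print(store.verify("4000111122223333", f"{guess:03d}", "1226"))
    print(store.verify("4000111122223333", "123", "1226"))   # right CVV, still locked
    clock.t += LOCK_SECONDS
    print(store.verify("4000111122223333", "123", "1226"))   # lock expired
```

An unknown card number and a wrong CVV both return "declined" so the verifier does not act as an oracle for which numbers exist; that matters here because the creation throttle and the predictability fix are what keep the set of valid numbers from leaking in the first place.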
