[Original] "imperfect development software package" for chinabank security vulnerabilities in Online Banking"
Http://www.chinabank.com.cn/index/index.shtml
Digress: The latest job in the new company plans the entire test team and process construction. Because the company uses outlook2003 for internal communication, it is very annoying to use the outlook spam filter function, more than 1000 of spam mails are sent every day, and the problem is solved only after the Shangguan patches it. In this case, the website security test may also have similar problems, so this article is available:
Website Security Testing is particularly important. The author of this article introduces "Cross-Site Scripting injection for yeepay Website Security Testing vulnerabilities" in an example. The specific address is as follows:
Addresses: http://bbs.51testing.com/thread-113784-1-1.html
Or: The test blog of the fish selling barbecue: Success!
Today, I want to talk about another security test, "imperfect development software package". In other words, the software version is too low and has its own security vulnerabilities, however, this type of software is used in the project"
Http://www.chinabank.com.cn/index/index.shtml to illustrate this problem:
The author of this article has verified that the online software development kit has the following problems:
PHP/4.4.2 this version has possible code execution, SQL injection ,...
Apache/2.0.58 the official website provides an attacker may exploit this issue to trigger a denial-of-service condition. Reportedly, arbitrary code execution may also be possible.
According to the author of this article, some other vulnerabilities in online banking are as follows:
Invalid link: •/gateway/about_us/2006/20060225 .shtml
•/Gateway/about_us/Company/news/2006/2006/20061116.shtml
•/Gateway/about_us/Company/news/2007/jinbihe/scripts/ac_runactivecontent.js
•/Gateway/CSS/index.css
•/Gateway/link.shtml
•/Gateway/gtime/200803 month/2008-3-19.html
•/Gateway/International/demo.shtml
•/Gateway/International/demo_1.shtml
•/Gateway/register/index.shtml
•/Gateway/RMB _card/cardtype.shtml
•/Gateway/security.shtml
•/Mall/Lipin. asp (get proid = LP01)
•/Mall/Lipin. asp (get proid = LP02)
•/Mall/Lipin. asp (get proid = lp03)
•/Wuyouxing. jsp (get v_mid = 1509) // you may not be clear about what we used to do before. If it is convenient for online operation testing, delete it.
It is hoped that the website will find that the electronic payment security is very important and do not leave the vulnerability ^_^