Pax. Mac Team Core member Site: http://conqu3r.paxmac.org/I. backgroundI recently wrote a document for my project and sorted out some testing methods in the Bank's classified protection. Many people think that terminal Hacking technology seems mysterious. In fact, I personally think that terminal Hacking technology relies mostly on luck. The Security Testing Process of the online banking experience machine generally includes front-end security testing, backend security testing, and physical security testing. The design principles of the online banking experience machine are described here. 1. Most online banking experience machines are integrated XP systems that encapsulate IE in a sandbox. The purpose of sandbox design is well understood. 2. Sandbox security machine: enables closed browsers to run securely in a seamless (Full Screen mode) framework.Ii. Front-end security testingThe front-end test of the online banking experience machine: after all, it bypasses the front-end sandbox. Many people think that terminal testing is a mess on the screen. Of course, this practice also meets the test requirements, but it is not limited to this. In many cases, the sandbox design is not fully considered. Here is a simple summary of the latest mainstream online banking experience machines in China that I have tested: in domestic online banking experience machines, the user experience is good and the security is generally poor. On the contrary, the online banking experience is poor, and security enhances its own security to a certain extent. The following provides some bypassing ideas. During the test, all touch-type online banking experience machines are applicable to those with keyboard-type online banking experience machines. 1. Take advantage of the vulnerabilities on the online banking page. For example, during online banking logon, an XSS vulnerability exists somewhere. We can use the XSS and pass through the sandbox to do something. XSS has the same-source browser policy. POC is not provided here for your own consideration. 2. The design defects of online banking in the https communication process are often used, especially in small and medium banks, generally, the process of logon to the online banking system is encrypted. However, many online banking systems are considered problematic by the browser during certificate transmission, and a warning is displayed. 3. Generally, on the online banking logon page, download the usb key driver is provided. This is often the online banking killer. 4. The mail function can sometimes use the mail sending function to browse attachments. Bypass front-end sandbox; 5. USB key design defects. During the USB key design, you can often view your certificate information. At this time, it is likely to have the import function; 6. design defects of the program. Generally, at the beginning of the sandbox design, you only need to click to open the web page, and at the end, you need to send the open command. For example, you can create a new window command on the page, may cause program crash; 7. Online Banking usb key update program. If an expired certificate is used during certificate update, it can be updated in online banking, or some sandboxes can be bypassed; 8. USB interface design defects. during the design of the online banking experience machine, the USB interface is used to verify the last known device. As a result, the USB flash drive or keyboard can be directly used for control. 9. Right-click the device and choose, some online banking and sandbox full screen are perfect. However, when the prompt message appears, the right-click menu is well blocked at the end and can be directly used; 10. The Bois end is encrypted and can be directly used to read the PE system and change the password, many online banking experience machines can be restarted by pressing the button on the back. If the bios is encrypted at the end of the screen, you can use the USB flash drive to do some things. 11. During the boot process, f8. This option is effective in some online banking; 12. keyboard shortcuts; 13. Fn + alt + (a silver) may be pleasantly surprised; multi-key combinations ;... Www.2cto.comIii. backend SecurityBackend security is also an important part in online banking classified protection assessment. The back-end online banking test mainly includes two items: 1. server configuration, 2. server backdoor detection; 1. Some vendors in China generally use the server as a server to facilitate management and upgrade, leave a backdoor. Direct remote control is required. In this case, behavior monitoring should be performed to monitor remote control procedures for computer changes or sensitive operations; 2. Security Configuration of the online banking experience machine and firewall settings, IP policy configuration. Generally, the security configuration should follow the principle of low permissions, and the IP address should not be configured with public network access. 4. Physical Security wiring visibility and device power controllability. This only requires regular detection.