Test Cases for Payment Gateway Security Testing

 

ThreatsTest PageTest Name
An adversary can tamper with parameters in HTTP requests and responses to manipulate transactions
Pages between Merchant and Payment Gateway page
Tamper the amount value in request to Payment Gateway
Change the amount as well as its generated hash value with lesser amount and its corresponding hash value.
Change the quantity of the product to a higher value
check if amount value is encoded or encrypted. If encoded, decode the amount, change it and encode it again or replace it with lower value encoded amount.
Change the product (through product id or description) to a higher value product.
Is hash/integrity verification done only on limited parameters?
Any where in siteCheck if sensitive information is being disclosed in error page or source code.
An adversary can manipulate transactions made through a payment gateway
Pages before the payment gatewayChange the amount that is to be paid before the request hits the payment gateway.
Page/Request after the payment information is processed
Edit failed payment responses from the bank to that of a successful payment
Replay the response of a successful transaction
An adversary debits the amount from another user's account during the transactionPage appears after logging in to the Internet Banking accountChange the current account number to some other user's valid account number.
An adversary makes the payment using an incorrect Secure Code/3D Secure Code (or second-level authentication)Second-level authentication page(Secure Code/3D Secure Code or password page)Enter the Secure Code/3D Secure Code (or enter an incorrect password when asked) to complete the transaction.
An adversary makes payments without providing the Secure Code/3D Secure Code (or second-level authentication) for the transactionsPage Request after the payment information is processedTry to complete the transaction without entering the Secure Code/3D Secure Code (or password)
An adversary makes successful transactions using incorrect card details
Pages wherein card details like Card No.,PIN, Expiry date, etc. are entered
Enter the incorrect PIN number and submit the transaction.
Enter the incorrect expiry date and submit the transaction.
An adversary can steal sensitive information
Payment gateway pages
An adversary can steal sensitive information from browser cache.
Is SSL enabled? Try forcing the request over an unencrypted connection.
Back and Refresh attack.
Is Autocomplete = OFF?
An adversary can see sensitive information as cleartext in the browser memory.
Sensitive information is revealed through HTTP responses.
Pay PageCan CVV be seen as cleartext?
Anywhere in the applicationAn adversary can steal sensitive information from the browser history.
Test cases related to the SSL certificate
Payment gateway pages
An invalid SSL certificate is used.
An older version of SSL is used.
Weak SSL ciphers are used.
An adversary can perform Cross-Site ScriptingPayment gateway pagesMalicious scripts can be run on the client's machine using XSS.
Cookie attributes are not set
Payment gateway pages
The HTTPOnly attribute is not set.
The Path attribute is not set.
The Secure attribute is not set.
CAPTCHA can be bypassedPay PagesRemove the CAPTCHA parameter and value from the request.
Pages being accessed directlypay pageIs Pay Page being accessed directly?
An adversary can create transaction status response similar to the response generated by Payment Gateway.Anywhere in the pageIP Validation

Comments

Post a Comment

Popular posts from this blog

File Upload Security Testing Checklists

  Security Checklist Are filenames reflected back on the page? If so, are they HTML Entity encoded (XSS via file names)? Does it accept .zip files? Try a  ZipSlip If it processes an image, check for  Image Tragick (CVE-2016-3714) Can you bypass file type restrictions by changing the content-type value? Can you bypass file type restrictions by  forging valid magic bytes ? Can you upload a file with a less-common extension (such as .phtml)? Try playing with the filename in the request, a potential vector for traversal or SQL injection. Check for the acceptance of double extensions on uploaded files. Test for  null-byte injection . Is the server windows? Try adding a  trailing  .  to bypass extension blacklists , this dot will be removed automatically by the OS. Can you upload an  SVG for XSS ? If supported by the webserver, can you  upload .htaccess files ? Does the backend process the image with the  PHP GD library ? Is the app vulnerable to the  infamous ffmpeg exploit ? Can custom pol
Read more

SAML Security Test Cases

Signature Exclusion Attack -Test whether or not the SP accepts an Assertion without a Signature  Signature Spoofing attack -Test whether SP accepts fake signature or using previously generated/invalid signature Signature Wrapping Attack (8 Different Ways)-Test whether or not the SP is susceptible to Signature Wrapping XML Injection -Test if can inject malicious code into the SAML response from IDP, allowing them to execute arbitrary code on the SP server. XML Entity Expansion (XEE)/XXE -Test whether or not the SP is vulnerable to XML External Entities Replay attacks -Test if previously generated SAML response from IDP can be accepted by SP Certificate Faking/Self signed certificate -Test whether or not the SP verifies that the Assertion came from a trusted IDP/Test if SP accepts self-signed certificate XSLT Injection -Test whether or not the SP is vulnerable to XSLT Predictable signature -Test whether IDP generating guessable signature SAML message expiration -Test whether SP accepts
Read more

Drozer - A Framework for Android Application Security Assessment.

Image
1.             Introduction 1.1   This document explains how to get started with Drozer, and how to use it to perform a security assessment of an android application. 1.1.      Drozer Drozer is a python based comprehensive security audit and attack framework for Android. It is an open-source framework, used for android pen-testing. It works like a client-server model and makes use of Android’s Inter-Process Communication (IPC) mechanism to interact with the underlying operating system of the device. IPC is a mechanism by which different components of android like intents and data binders communicate with each other so that the communication is established between the apps present in the android device. Drozer helps to remotely exploit android devices with predefined and custom modules that exploit known vulnerabilities. 1.2.      Conventions used Throughout this document, command-line examples will use one of two prefixes: dz> indicates that the command shou
Read more