Security audit in the Bank

The goal of the project was to verify whether an external attacker could penetrate the bank's internal network from the Internet. The engagement was conducted black-box: the customer provided no access, credentials or documentation. Our pentesters used current, modern techniques to penetrate the customer's network.


Some of the security issues that were found:

  • Detailed error messages in the internet banking application. The verbose errors made it much easier to find and exploit a Spring Expression Language (SpEL) injection, which resulted in remote code execution.
  • Remote code execution due to an unpatched version of the Spring framework.
  • Insecure direct object reference in the client account payment details (the details used to make a wire transfer). Although wire payment details are public by nature, enumerating the references made it possible to identify all of the bank's clients.
  • Abuse of the Know Your Customer (KYC) routine. The client's phone number was verified with an SMS code, but no brute-force protection was implemented, so the verification code could be found by trying every possible value and the phone number linked to the customer's account.
  • Use of weak TLS cipher suites, a violation of PCI DSS requirements.
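The KYC finding above comes down to an SMS verification endpoint that accepted an unlimited number of guesses. The following is an added example written for this page, not code from the audited bank application: a toy verification store that can run with or without brute-force protection, and an attacker loop that enumerates codes against it. The 6-digit code length, the 5-attempt lockout and the 5-minute code lifetime are assumed illustrative values, not facts reported in the audit.

```python
"""SMS-code verification with and without brute-force protection (added example).

Assumed values (not from the audit report): 6-digit numeric codes,
lockout after 5 wrong guesses, codes valid for 300 seconds.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6           # assumed code length
MAX_ATTEMPTS = 5          # assumed hardening value: guesses allowed per issued code
CODE_TTL_SECONDS = 300    # assumed hardening value: code lifetime


class VerificationStore:
    """Issues one SMS code per pending phone-number link and verifies guesses.

    enforce_limits=False models the vulnerable behaviour found in the audit
    (unlimited guesses); enforce_limits=True models the hardened service.
    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, enforce_limits: bool, clock=time.monotonic):
        self.enforce_limits = enforce_limits
        self.clock = clock
        self.pending = {}  # account_id -> {"code", "phone", "issued_at", "attempts"}

    def issue_code(self, account_id: str, phone: str) -> str:
        # secrets.randbelow gives a uniformly random code; str.format zero-pads it.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[account_id] = {
            "code": code, "phone": phone,
            "issued_at": self.clock(), "attempts": 0,
        }
        return code  # in production this goes only to the SMS gateway

    def verify(self, account_id: str, guess: str) -> str:
        entry = self.pending.get(account_id)
        if entry is None:
            return "no_pending_code"
        if self.enforce_limits and self.clock() - entry["issued_at"] > CODE_TTL_SECONDS:
            del self.pending[account_id]          # stale code can never be used
            return "expired"
        entry["attempts"] += 1
        well_formed = len(guess) == CODE_DIGITS and guess.isascii() and guess.isdigit()
        # compare_digest avoids leaking the matching prefix through timing.
        if well_formed and hmac.compare_digest(entry["code"], guess):
            del self.pending[account_id]          # single use: link succeeds once
            return "linked"
        if self.enforce_limits and entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[account_id]          # burn the code, force re-issue
            return "locked_out"
        return "wrong_code"


def brute_force_link(store: VerificationStore, account_id: str,
                     max_guesses: int = 10 ** CODE_DIGITS):
    """Attacker loop: submit codes in order until the link succeeds or the
    service stops accepting guesses. Returns (final result, guesses made)."""
    for n in range(max_guesses):
        result = store.verify(account_id, f"{n:0{CODE_DIGITS}d}")
        if result in ("linked", "locked_out", "expired", "no_pending_code"):
            return result, n + 1
    return "exhausted", max_guesses


if __name__ == "__main__":
    account, attacker_phone = "acct-1", "+10000000000"  # constructed sample data
    for enforce in (False, True):
        store = VerificationStore(enforce_limits=enforce)
        store.issue_code(account, attacker_phone)
        print("limits enforced:", enforce, "->", brute_force_link(store, account))
```

Without limits the loop always ends in "linked" after at most 10**6 requests, which is the attack path the audit describes. With limits it ends in "locked_out" after five guesses, so a single issued code gives the attacker a 5 in 10**6 chance. Re-requesting a fresh code resets that counter, so the issue endpoint needs its own per-account and per-phone rate limit as well; that part is left out of the toy above.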