Security issues in Thai Banking sites.
Banking is for me the most exciting thing to audit, seriously! I’d even do it for free! How many times have I heard "can you hack this guy’s account and steal his money"? Yes we can, but what’s the point? It’s more interesting to focus on the source itself. Online banking sounds, in the mind of most people, like a very safe mix of complex IT systems with hordes of admins watching every single packet transferred; well, reality is far from this, and pretty scary. Let’s have a look at the top Thai online banking sites.
First of all, this is NOT a hacking attempt on Thai online banking but a basic overview of the security level. No human or animal was hurt, and there was no intrusion into the systems. We’ll use the SANS Top 20 vulnerabilities for web applications:
- PHP Remote File Include: PHP is the most common web application language and framework in use today. By default, PHP allows file functions to access resources on the Internet using a feature called “allow_url_fopen”. When PHP scripts allow user input to influence file names, remote file inclusion can be the result. This attack allows (but is not limited to):
  - Remote code execution
  - Remote root kit installation
  - On Windows, complete system compromise may be possible through the use of PHP’s SMB file wrappers
- SQL Injection: Injections, particularly SQL injections, are common in web applications. Injections are possible due to intermingling of user supplied data within dynamic queries or within poorly constructed stored procedures. SQL injections allow attackers:
  - To create, read, update, or delete any arbitrary data available to the application
  - In the worst case scenario, to completely compromise the database system and systems around it
- Cross-Site Scripting (XSS): Cross site scripting, better known as XSS, is the most pernicious and easily found web application security issue. XSS allows attackers to deface web sites, insert hostile content, conduct phishing attacks, take over the user’s browser using JavaScript malware, and force users to conduct commands not of their own choosing – an attack known as cross-site request forgeries, better known as CSRF.
- Cross-site request forgeries (CSRF): CSRF forces legitimate users to execute commands without their consent. This type of attack is extremely hard to prevent unless the application is free of cross-site scripting vectors, including DOM injections. With the rise of Ajax techniques, and better knowledge of how to properly exploit XSS attacks, CSRF attacks are becoming extremely sophisticated, both as an active individual attack and as automated worms, such as the Samy MySpace Worm.
How to start? Wikipedia is our friend, let’s focus on the top 10:
Rank | Name | Total Assets |
---|---|---|
1 | Bangkok Bank | US$ 47.5 billion |
2 | Krungthai Bank | US$ 38.1 billion |
3 | Siam Commercial Bank | US$ 34.3 billion |
4 | Kasikorn Bank | US$ 30.8 billion |
5 | TMB Bank | US$ 25.7 billion |
6 | Bank of Ayudhya | US$ 21.2 billion |
7 | Kiatnakin Bank | US$ 18.1 billion |
8 | Siam City Bank | US$ 13.5 billion |
9 | Thanachart Bank | US$ 8.4 billion |
10 | Bank Thai | US$ 8.2 billion |
I assume that even the lowest bank, with US$ 8.2 billion, can afford decent security admins?
1-Bank Thai: The site is running Microsoft IIS. Let’s focus on the search engine, just to see if the admin had the good idea of indexing intranet or extranet data:
Just an Excel file with a few juicy pieces of information, such as the internal server on lines 9 and 14. Another search on the keyword “extranet” will bring up the following file in the results: C2C_SpecificationD11.
A nice document that was created by an external IT company, with recommendations, internal architecture and even sample code of the system.
I wonder if those documents should be available to the public… Once again, no hacking attempt was done, just using the search engine on the website.
Now what about SQL injection? You know, that little ‘ or * that can do magic when sent in a special HTTP request:
Houston, we have a problem here… Microsoft .NET Framework Version:1.1.4322.2407; ASP.NET Version:1.1.4322.2407 is of course vulnerable, and we also know that the site is running on f:\BOTWebsite.
To summarize the situation, Bank of Thailand failed to pass a 2-minute test and could be compromised with very little effort by hackers.
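The verbose error page above leaks exactly the kind of detail a defender should never let reach a browser: framework version, database error text and the physical path of the site. As an added example (not code from the original post or from any bank), here is a small detector that scans an HTTP response body for those disclosure patterns; the sample HTML is constructed for the demo, reusing only the version string and path quoted above.

```python
import re

# Constructed sample body, modelled on the ASP.NET 1.1 error page the article saw
# (the real page is not reproduced; the path and versions are the ones quoted above).
SAMPLE_ERROR_PAGE = """<html><body>
<h1>Server Error in '/' Application.</h1>
<h2>Unclosed quotation mark before the character string ''.</h2>
<b>Source File:</b> f:\\BOTWebsite\\login.aspx.cs
<hr>Version Information: Microsoft .NET Framework Version:1.1.4322.2407; ASP.NET Version:1.1.4322.2407
</body></html>"""

# Each pattern captures the disclosed value in group 1.
DISCLOSURE_PATTERNS = {
    "framework_version": re.compile(r"\.NET Framework Version:\s*([\d.]+)"),
    "aspnet_version": re.compile(r"ASP\.NET Version:\s*([\d.]+)"),
    "physical_path": re.compile(r'\b([A-Za-z]:\\[^\s<>"]+)'),
    "database_error": re.compile(r"(Unclosed quotation mark|syntax error)", re.I),
}


def find_disclosures(body):
    """Return {finding_name: disclosed_value} for every pattern present in a response body."""
    findings = {}
    for name, pattern in DISCLOSURE_PATTERNS.items():
        match = pattern.search(body)
        if match:
            findings[name] = match.group(1)
    return findings


def is_verbose_error(body):
    """True when the response leaks more than a generic error page should.
    On ASP.NET the fix is <customErrors mode="On" /> in web.config, so
    clients only ever see a generic error page while details stay in the server log."""
    return bool(find_disclosures(body))


if __name__ == "__main__":
    for name, value in find_disclosures(SAMPLE_ERROR_PAGE).items():
        print(f"{name}: {value}")
```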
2-Thanachart Bank: The site is running Microsoft IIS (AGAIN!?); the site passed the basic tests.
3-Siam City Bank: The site is running Microsoft IIS (AGAIN!?); the search engine index is pretty tight and restricted to only a little content. The ASP pages block and reset the connection if you try any injection. The site passed the basic tests.
4-Kiatnakin Bank: Guess what, Microsoft IIS… A mix of ASP and PHP scripts that look solid. No injection found on the main site; the main concern is the invasion of massive Flash menus, which could be interesting.
5-Bank of Ayudhya: IIS in front of ASP/PHP scripts; the search engine has a solid index limited to basic content.
6-TMB Bank: finally a site on Unix with Apache, wait… Solaris, sorry. iPlanet. I really hate banking sites full of Flash. Anyway, the login page to online banking has a major SQL injection problem:
Looks like we have some J2EE here. Quite funny, because the main pages don’t have SQL injection problems, only the online banking page!
TMB failed to pass the tests.
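Both failures above (Bank Thai and TMB) came from the same thing: a login query that treats a stray quote as SQL syntax. As an added illustration (not the author’s code nor any bank’s), here is that single-quote probe against a string-concatenated login query beside a parameterized one, using an in-memory SQLite table that stands in for the bank’s user store.

```python
import sqlite3


def make_user_store():
    """Constructed in-memory user table standing in for the bank's login backend
    (plaintext password kept only for the demo; real systems store a hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so user input becomes SQL syntax.
    Returns True/False on a normal login, or the database error text when the
    input breaks the statement (the behaviour the article's quote probe triggered)."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        return conn.execute(query).fetchone()[0] > 0
    except sqlite3.Error as exc:
        # In the real sites this text ended up on the error page shown to the user.
        return "error: " + str(exc)


def login_parameterized(conn, username, password):
    """Sends the input as bound parameters: the driver never parses it as SQL,
    so a quote in the username is just a character that matches no user."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_user_store()
    print(login_vulnerable(db, "'", "x"))      # error text leaks from the broken query
    print(login_parameterized(db, "'", "x"))   # False, and no error
```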
7-Kasikorn Bank: Running IBM HTTP Server, random session ID in the URL. The site passed the security tests.
8-Siam Commercial Bank: Apache server and SHTML, old school but solid. Some ASP, but the site is secure. The site passed the test successfully.
9-Krungthai Bank: Unknown web server, pure Flash interface with some J2EE, annoying but secure. The site passed the test successfully.
10-Bangkok Bank: The number one bank of Thailand, unknown web server. Static pages in HTML. The site passed the test successfully.
Conclusion:
More than 2/3 of the online banking sites tested are “secured”, which is insufficient. Once again, none of those tests used any intrusive software, just a simple web browser. It doesn’t mean they are 100% secure; it would be illegal to use port scanning, brute force and other exploration techniques to check the level of security. Some information disclosed, like the partition where the site is hosted, can be valuable when it comes to penetration testing. I didn’t find any XSS as described previously. One of the most interesting parts of an audit would be on the network side: which ports are open and filtered. The mail gateways were not checked either, but it’s very common to see bank workstations with MSN installed or some games.
Security should be taken as a global approach, not only a web server, or a database, or a mail gateway or a proxy. Security isn’t a piece of software, it’s a process.
To summarize the situation of the Thai banking system, better than talk, a picture: a DSL modem, with a tag and the IP, connected to a 24-port Cisco switch connected to the ATM…
November 20th, 2010 at 12:59 pm
Security issues also prevail in Bangladeshi banking sites. But they are trying hard to resolve them.