
Logical Authentication Bypass Vulnerability

On the morning of 28th September 2015 I received an email from my colleague asking me to perform a penetration test on the Android application of a bank called "ABC" (for security reasons I am not disclosing the name of the application). The time limit was short, as I had to complete the test and the report in 2 days, so I looked for a critical vulnerability first. One day passed; I had checked for as many injection and session-management vulnerabilities as I could, but with no luck.
After giving the application some more thought I lost hope and started writing the report, when suddenly my eye caught a glimpse of the authentication request that was being sent to the server.
To understand that request you first have to understand the login functionality of the application. The developers of this app were trying to be smart: at registration time they asked for both a Password and a Memorable Keyword, which are then used to access your account in the app under a security policy such as: 1. The password must be at least 8 characters. 2. The password must contain one upper Let…