Security Testing Handbook for Banking Applications

Book Description

Security Testing Handbook for Banking Applications is a specialised guide to testing a wide range of banking applications. The book is intended as a companion to security professionals, software developers and QA professionals who work with banking applications.

Table of Contents

  1. FOREWORD
  2. ABOUT THE AUTHORS
  3. CONTENTS
  4. INTRODUCTION
    1. The threat landscape
    2. Defences employed
    3. Goal of the book
  5. CHAPTER 1: APPROACH TO SECURITY TESTING
    1. Preparing the threat profile
    2. Preparing the test plan
  6. CHAPTER 2: BASIC TESTS AND TECHNIQUES
    1. SQL injection
      1. Solution
    2. Cross-site scripting (XSS)
      1. Solution
    3. Cross-site request forgery (CSRF)
      1. Solution
    4. Directory brute forcing/Searching for defaults
      1. Solution
    5. Weak authorisations
      1. Solution
    6. Weak session management
      1. Solution
    7. Sensitive data in browser cache
      1. Solution
    8. Over-reliance on client-side validation
      1. Solution
    9. Unencrypted traffic
      1. Solution
    10. Unhardened database
      1. Solution
    11. Weak password policies
      1. Solution
    12. Poor error-handling mechanisms
      1. Solution
  7. CHAPTER 3: THE TOOLS OF THE TRADE
    1. Web applications
      1. RoboForm
      2. Burp Intruder
      3. CSRFTester
      4. Paros Proxy
      5. WebScarab
      6. SwitchProxy
      7. Tamper Data
      8. Add n Edit Cookies
      9. Burp Comparer
      10. Burp Decoder
      11. Winhex
      12. Firefox (about:cache)
      13. IE Temporary Internet Files
      14. Browser history
      15. JSView
      16. Firebug
      17. DirBuster
      18. THCSSLCheck
    2. Thick-client applications
      1. Interactive TCP Relay
      2. Echo Mirage
      3. WPE Pro
      4. TCPView
      5. Wireshark
      6. Filemon
      7. Regmon
      8. IDA Pro
      9. DLHell
      10. Decompilers
    3. Terminal services applications
    4. Intercepting Java applets
    5. Embedded application
    6. Web services application
      1. WSDigger
    7. Mobile applications
  8. CHAPTER 4: SECURITY TESTING REPOSITORY
    1. Generic threat profile and test plan
      1. Generic threat profile
      2. Generic test plan
    2. Core banking
      1. Threat profile
      2. Test plan
    3. Internet banking
      1. Threat profile
        1. Threats related to personal details
        2. Threats related to account and account details
        3. Threats related to statement
        4. Threats related to cards
        5. Threats related to investments
        6. Threats related to bill payment
        7. Threats related to fund transfers and transactions/payments
        8. Threats related to mail/messages
      2. Test plan
    4. Web trading
      1. Threat profile
      2. Test plan
    5. Derivatives trading
      1. Threat profile
      2. Test plan
    6. Credit card payment management applications
      1. Threat profile
      2. Test plan
    7. Debit card management system
      1. Threat profile
      2. Test plan
    8. Mutual funds management
      1. Threat profile
      2. Test plan
    9. Loan management application
      1. Threat profile
      2. Test plan
    10. Cheque management application
      1. Threat profile
      2. Test plan
    11. Overdraft calculator application
      1. Threat profile
      2. Test plan
    12. Adjustments and waivers application
      1. Threat profile
      2. Test plan
    13. Online remittance application
      1. Threat profile
      2. Test plan
    14. Account opening tracker
      1. Threat profile
      2. Test plan
    15. Back-office trading application
      1. Threat profile
      2. Test plan
    16. Electronic payment switch
      1. Threat profile
      2. Test plan
    17. Cash depositor
      1. Threat profile
      2. Test plan
    18. Teller automation machines
      1. Threat profile
      2. Test plan
    19. ATM reconciler application
      1. Threat profile
      2. Test plan
    20. Balance viewer terminals
      1. Threat profile
      2. Test plan
    21. Customer care centre application
      1. Threat profile
      2. Test plan
    22. Interactive voice response system
      1. Threat profile
      2. Test plan
    23. Fraud detection software
      1. Threat profile
      2. Test plan
  9. CHAPTER 5: EMERGING TRENDS
    1. Emerging landscape of applications
    2. New attacks on the horizon
  10. ITG RESOURCES
    1. Pocket Guides
    2. Toolkits
    3. Best Practice Reports
    4. Training and Consultancy
    5. Newsletter