Payment systems are a tidbit for an attacker, but often it’s non-achievable scope for bug hunters outside the company. Bug bounty programs of financial organizations include resources that are on the surface of the attack, and it’s quite difficult for a researcher to dig deeper into the internal financial processes. So we have to limit ourselves with XSS, SSRF in a web-application of the payment system.
Timur Yunusov is a Senior Security Researcher at Positive Technologies and a member of the PT SWARM team who knows everything about financial processes. He has been researching its peculiarities and discovering vulnerabilities for the last 8 years. For the last 2 years, he has been an organizer of Payment Village at various security conferences.
And now Timur, in the format of free discussion with Denis Makrushin, is ready to discuss the process of vulnerability in payment processes and tools – the topic that most often gets “out-of-scope” for bug hunters. And this time we will focus on the discussion of the following research challenge: how and where to look for vulnerabilities in payment systems.
During our stream-session on the Twitch (https://twitch.tv/makrushind), we will cover the following topics:
1. what is a “payment system” and what’s the key difference from classic targets, we are used to assessing in Bug Bounty programs?
2. Typical scope: where what and how we search. Where do we find a payment system to analyze it?
3. What are the most interesting findings interested for the owners of bug bounty programs in financial organizations?
4. How do you amplify the impact of your finding?
5. Examples of bugs we will discuss:
– rounding attacks: rounding with card transactions;
– replay of cryptograms and other transactional data (this time we will show a new example with high impact);
– authorization and authentication bypass: disclosure of payment data, flaws in transaction processing configuration, various other “lost&stolen/card not present” fraud scenarios;
– brute force override of pass and authentication data.
There will be a lot of subjective thoughts, personal stories, and answers to your questions in the Bug Hunting Hub chat.