Search This Blog

Showing posts with label zSecure Team. Show all posts

SQL Injection Vulnerability in HDFC Bank site,discovered by zSecure Team


zSecurte Team discovered Critical SQL injection Vulnerability in HDFC Bank website. Last month, they discovered the SQL Injection Vulnerability in Idea Cellular Website.

zsecure team and HDFC Bank:
The aforesaid vulnerability was discovered on 15-July-2011 and was reported on 17-July-2011 (reminder sent on 24-July-2011). After 22 days(On 8,August,2011) the HDFC Bank responded to zSecure Team mail with the following Message:
Thank you for sending us this information on the critical vulnerability. We have remediated the same.

After zSecure Team received this email, they checked whether the vulnerability is still there or not. Unfortunately, the vulnerability was still active in web portal. At once, zSecure Team contacted HDFC Bank with the proof of vulnerability.

This time HDFC responds faster(after 2 days) with following message:
We have remediated all the vulnerability reported on our website. Also we have got the application vulnerability assessment performed through one of our third party service provider and they confirmed that there are no more SQL Injection vulnerability.

zSecure Team surprised about the response of HDFC Bank. They are not able to find the vulnerability after informed with proof by zSecure Team.

Thereafter, zSecure sent complete inputs about the vulnerability to their security team and finally the vulnerable file was removed from HDFC’s web-server.


Vulnerability Information:

  • Website: www.hdfcbank.com
  • Vulnerability Type: Hidden SQL Injection Vulnerability
  • Database Type: MSSQL with Error
  • Vulnerability Discovered: 15-July-2011
  • Alert Level: Critical
  • Threats: Complete Database Access, Database Dump, Shell Uploading
  • STATUS: Fixed

About HDFC Bank:
The Housing Development Finance Corporation Limited (HDFC) was amongst the first to receive an ‘in principle’ approval from the Reserve Bank of India (RBI) to set up a bank in the private sector, as part of the RBI’s liberalization of the Indian Banking Industry in 1994. The bank was incorporated in August 1994 in the name of ‘HDFC Bank Limited’, with its registered office in Mumbai, India. HDFC Bank commenced operations as a Scheduled Commercial Bank in January 1995.

HDFC Bank deals with three key business segments. – Wholesale Banking Services, Retail Banking Services, Treasury. It has entered the banking consortia of over 50 corporates for providing working capital finance, trade services, corporate finance and merchant banking. It is also providing sophisticated product structures in areas of foreign exchange and derivatives, money markets and debt trading and equity research.

Proof of Vulnerability:



 

Zsecure Team ended the post with the following Message:
Finally we would like to say that, since even after conducting the vulnerability assessment from a third party they were not able to discover this critical flaw that existed in their web portal since a long time then how can they assure themselves that there’s no more additional vulnerability exists in their web-portal. HDFC Bank’s Security team needs to think on this!

HDFC Bank must hire Best Pen Testers. Banking sectors must concerned about the Security.