Business Logic Pitfalls in Trading Applications (Blog Series) — 2

Hi there folks,

Here is the second pitfall that we’ve seen in securities trading applications in capital markets.

Quantity is relevant to the business

In the capital markets business, trading securities is a wholesale game. Whether it is fixed income, equities or foreign exchange, the quoted prices assume a minimum quantity that the business enforces. Often you will also come across a tiered pricing model in which larger quantities earn a better price. For example, the quoted price for buying 100,000 shares of XYZ security might be CAD $1.20/share, whereas 1,000,000 shares of the same security would be quoted at CAD $1.19/share.

As with the weakness identified in the previous segment of this series, we exploit the server's failure to maintain state between the two steps of the order process. In this case, step 1 is requesting a quote for trading 1,000,000 shares of the security. This step usually bakes in all the business logic checks: that the quantity is within acceptable levels and large enough to meet the margin expected from trading this security. In step 2, however, the quantity parameter is sent to the server again along with the order. Being the business-savvy organic pentesters that we are, we use our trusted proxy tool to change the quantity in this step to 1 share. This violates every business rule in the book for this financial institution's capital markets business, but because the server keeps no transactional state and implicitly trusts whatever the client sends, the trade passes straight through into automated booking. The underlying defect is that the order is never bound to the quote that was validated: the order step should reference a server-issued quote identifier, take the quantity and price from the server's own record of that quote, and reject any order whose fields do not match it.
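To make the gap concrete, here is an added example (constructed for this post, not code from the original series or from any real trading platform) that simulates the two-step flow in Python. The price tiers, the 100,000-share minimum, the 30-second quote lifetime and all class and function names are assumptions. The vulnerable server re-reads the quantity from the step-2 request; the hardened one only accepts a server-issued quote id, re-checks the order against what it stored itself, and books the stored terms, so the tampered 1-share order is rejected along with replayed and expired quotes.

```python
"""Two-step quote/order flow: a vulnerable server beside a hardened one.

Constructed example; not code from the original post or any real
trading platform. Tiers, minimums and the quote lifetime are made up.
"""
import secrets
import time

# Constructed tiered price book: (minimum quantity, price per share, CAD).
# The first tier's minimum is the smallest quantity the desk will quote at all.
PRICE_TIERS = {
    "XYZ": [(100_000, 1.20), (1_000_000, 1.19)],
}


def quote_price(symbol, quantity):
    """Step 1: apply the business rules and return the tiered price.

    Rejects anything below the wholesale minimum; larger tiers get the
    better price, as in the post's XYZ example.
    """
    tiers = PRICE_TIERS[symbol]
    min_qty = tiers[0][0]
    if quantity < min_qty:
        raise ValueError(f"{symbol}: minimum quotable quantity is {min_qty}")
    price = None
    for tier_min, tier_price in tiers:
        if quantity >= tier_min:
            price = tier_price
    return price


class VulnerableServer:
    """Step 2 re-reads every field from the request and books it as-is.

    Nothing ties the order to the quote that was validated in step 1.
    """

    def __init__(self):
        self.booked = []

    def request_quote(self, symbol, quantity):
        return {"symbol": symbol, "quantity": quantity,
                "price": quote_price(symbol, quantity)}

    def place_order(self, symbol, quantity, price):
        # Trusts client-supplied fields, including a tampered quantity.
        trade = {"symbol": symbol, "quantity": quantity, "price": price}
        self.booked.append(trade)
        return trade


class HardenedServer:
    """Step 2 accepts only a server-issued quote id and books the terms the
    server itself recorded for that quote."""

    QUOTE_TTL_SECONDS = 30  # assumption: quotes are short-lived

    def __init__(self, now=time.time):
        self.booked = []
        self._quotes = {}
        self._now = now  # injectable clock so expiry can be exercised offline

    def request_quote(self, symbol, quantity):
        price = quote_price(symbol, quantity)
        quote_id = secrets.token_urlsafe(16)  # unguessable, server-generated
        self._quotes[quote_id] = {"symbol": symbol, "quantity": quantity,
                                  "price": price, "issued": self._now()}
        return {"quote_id": quote_id, "symbol": symbol,
                "quantity": quantity, "price": price}

    def place_order(self, quote_id, symbol, quantity):
        # Single use: pop so a replayed quote id cannot book twice.
        quote = self._quotes.pop(quote_id, None)
        if quote is None:
            raise PermissionError("unknown or already used quote")
        if self._now() - quote["issued"] > self.QUOTE_TTL_SECONDS:
            raise PermissionError("quote expired")
        # Client-supplied fields must match the server's record exactly;
        # the quantity and price are never taken from the request alone.
        if (symbol, quantity) != (quote["symbol"], quote["quantity"]):
            raise PermissionError("order does not match quoted terms")
        trade = {"symbol": quote["symbol"], "quantity": quote["quantity"],
                 "price": quote["price"]}
        self.booked.append(trade)
        return trade


def demo():
    """Replays the post's attack against both servers.

    Returns the trade the vulnerable server booked and whether the
    hardened server blocked the same tampering.
    """
    vuln = VulnerableServer()
    q = vuln.request_quote("XYZ", 1_000_000)               # step 1 passes checks
    tampered = vuln.place_order(q["symbol"], 1, q["price"])  # step 2: quantity -> 1
    hard = HardenedServer()
    q2 = hard.request_quote("XYZ", 1_000_000)
    try:
        hard.place_order(q2["quote_id"], "XYZ", 1)
        hardened_blocked = False
    except PermissionError:
        hardened_blocked = True
    return tampered, hardened_blocked


if __name__ == "__main__":
    booked, blocked = demo()
    print("vulnerable server booked:", booked)
    print("hardened server blocked the tampered order:", blocked)
```

The important property is that the quote id is the only thing the client needs to send back; the symbol and quantity in the order request exist purely so a mismatch can be detected and logged, never as an input to booking.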

A keen observer at this point would ask the following: Wouldn’t the automated booking system catch this as an erroneous trade and prevent it from being executed?

Subu: Excellent question. The booking system does have logic built in to catch funky-looking trades. However, based on our experience, a large portion of the logic to identify funky-looking trades is mapped to the client organization's threshold levels, i.e., what is the average amount a trader from client ABC trades in a given day? Or, what is the average quantity a trader from client ABC trades in a given day? Since these threshold levels generally look for maximums or averages, our sneaky trade of very low quantity glides under the radar undetected.
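As an added example, not part of the original post, the following Python runs a surveillance pass over a handful of constructed booked trades. The client history, threshold multiples, price tiers and trades are all made up. The first check reproduces the maximum/average-style threshold logic and, as described above, never fires on the 1-share trade. The two checks after it go a little beyond the text: a lower bound on quantity, and a consistency check between the booked price and the tier the booked quantity would actually earn, which also catches a quantity lowered to something above the minimum while keeping the better price.

```python
"""Post-trade surveillance: the max/average threshold check that lets a
tiny trade through, beside two checks that catch it.

Added example, not code from the original post or any real booking
system. All history, thresholds, tiers and trades below are constructed.
"""
from statistics import mean

# Constructed daily traded volume (shares) per client; the surveillance
# thresholds are derived from this, as the post describes.
DAILY_HISTORY = {
    "ABC": [850_000, 1_200_000, 950_000, 1_100_000, 900_000],
}

# Constructed price tiers: (minimum quantity, price). The first tier's
# minimum is the smallest quantity the desk will quote at all.
PRICE_TIERS = {"XYZ": [(100_000, 1.20), (1_000_000, 1.19)]}

# Constructed trades booked today. T3 is the tampered order: one share,
# booked at the price that was quoted for one million.
BOOKED_TRADES = [
    {"id": "T1", "client": "ABC", "symbol": "XYZ", "quantity": 1_000_000, "price": 1.19},
    {"id": "T2", "client": "ABC", "symbol": "XYZ", "quantity": 200_000, "price": 1.20},
    {"id": "T3", "client": "ABC", "symbol": "XYZ", "quantity": 1, "price": 1.19},
]


def client_thresholds(history, max_multiple=3.0):
    """Maximum/average style thresholds per client (multiple is an assumption)."""
    return {client: {"max_daily": max(days) * max_multiple, "avg_daily": mean(days)}
            for client, days in history.items()}


def threshold_alerts(trades, thresholds, avg_multiple=5.0):
    """The kind of check the post describes: only trades that are too *large*
    relative to the client's history are flagged. A 1-share order never fires it."""
    alerts = []
    for t in trades:
        th = thresholds[t["client"]]
        if t["quantity"] > th["max_daily"] or t["quantity"] > avg_multiple * th["avg_daily"]:
            alerts.append((t["id"], "above client threshold"))
    return alerts


def minimum_quantity_alerts(trades, tiers):
    """Lower bound: a quantity below the first tier could never have been quoted."""
    return [(t["id"], "below minimum quotable quantity")
            for t in trades if t["quantity"] < tiers[t["symbol"]][0][0]]


def expected_price(symbol, quantity, tiers):
    """Price the booked quantity would earn under the tiers, or None if below minimum."""
    price = None
    for tier_min, tier_price in tiers[symbol]:
        if quantity >= tier_min:
            price = tier_price
    return price


def price_tier_alerts(trades, tiers):
    """Consistency check: the booked price must match the tier the booked
    quantity earns. Catches a quantity lowered to any value, not just 1,
    as long as the better price was kept."""
    return [(t["id"], "price inconsistent with quantity")
            for t in trades
            if expected_price(t["symbol"], t["quantity"], tiers) != t["price"]]


def run_surveillance(trades, history=DAILY_HISTORY, tiers=PRICE_TIERS):
    """Runs all three checks; returns {trade id: [reasons]} for flagged trades."""
    thresholds = client_thresholds(history)
    flagged = {}
    for check in (threshold_alerts(trades, thresholds),
                  minimum_quantity_alerts(trades, tiers),
                  price_tier_alerts(trades, tiers)):
        for trade_id, reason in check:
            flagged.setdefault(trade_id, []).append(reason)
    return flagged


if __name__ == "__main__":
    for trade_id, reasons in run_surveillance(BOOKED_TRADES).items():
        print(trade_id, "->", "; ".join(reasons))
```

The lower-bound and price-consistency checks are cheap because they need only the instrument's own quoting rules, not a per-client profile, so they keep working on a brand-new client with no history to average over.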