I am testing some mobile banking app.
They have a feature to fill in all info for a payment automatically. It does that with two requests:
- A POST request to “POST paymentdata.php”, which submits all payment data (account no., name, amount, reason, etc.) in the request message body.
- A GET request to “GET filledoutform.php”, which basically says: “show me the filled-in payment form, with whatever data I sent to you with the request “POST paymentdata.php” last, in this session.” It responds with the HTML page content, with the pre-filled form in the response message body.
Apart from that there is only the session information (cookie), and literally NOTHING else in both requests.
I am trying to figure out whether or not there is a way to exploit this.
One apparent issue is that the “GET filledoutform.php” request is not idempotent.
Does missing idempotency in a GET request have any security implications?
Any ideas how to exploit this? I can only report security issues, not functional issues or bad practice (non-security related). I would like to point out to the customer that this is bad design. So I am trying to see if there is any security impact due to this strange method of generating a pre-filled form in the mobile app.
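To make the described flow concrete, here is an added illustration that is not code from the question or from the app under test: a hypothetical in-memory model of the two endpoints, driven by a client that issues the same GET filledoutform.php several times and shows that its body is determined entirely by the last POST paymentdata.php in the same session. Only the endpoint names come from the post; the session store, the field names, the sample payment data and the HTML are assumptions made for this example.

```python
import html
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical in-memory model of the two-request flow described above.
# Only the endpoint names come from the post; the session store, the field
# names and the HTML are assumptions made for this illustration.


class MockBankingBackend:
    """Holds the last POSTed payment data per session, as the post describes."""

    def __init__(self) -> None:
        # session cookie value -> payment fields from the most recent POST,
        # or None when nothing has been submitted yet in that session
        self._sessions: Dict[str, Optional[Dict[str, str]]] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = None
        return sid

    def post_paymentdata(self, cookie: str, body: Dict[str, str]) -> int:
        """POST paymentdata.php: overwrite the session's stored payment data."""
        if cookie not in self._sessions:
            return 401
        self._sessions[cookie] = dict(body)
        return 200

    def get_filledoutform(self, cookie: str) -> Tuple[int, str]:
        """GET filledoutform.php: render a form pre-filled from session state.

        The request carries nothing but the cookie, so the response body
        depends entirely on what was POSTed earlier in the same session.
        """
        if cookie not in self._sessions:
            return 401, ""
        data = self._sessions[cookie] or {}
        inputs = "".join(
            f'<input name="{html.escape(k)}" value="{html.escape(v)}">'
            for k, v in data.items()
        )
        return 200, f"<form>{inputs}</form>"


def run_flow() -> Dict[str, object]:
    """Drive two sessions through the flow and collect what each GET returned."""
    backend = MockBankingBackend()
    alice = backend.new_session()
    bob = backend.new_session()

    # Constructed sample payments (not real account data)
    payment1 = {"account": "DE00 1234", "name": "A. Example",
                "amount": "10.00", "reason": "rent & utilities"}
    payment2 = {"account": "DE00 9999", "name": "B. Example",
                "amount": "25.00", "reason": "gift"}

    _, before_post = backend.get_filledoutform(alice)      # nothing stored yet
    backend.post_paymentdata(alice, payment1)
    _, first_get = backend.get_filledoutform(alice)        # reflects payment1
    _, second_get = backend.get_filledoutform(alice)       # repeat: same body
    _, other_session = backend.get_filledoutform(bob)      # untouched session
    backend.post_paymentdata(alice, payment2)
    _, after_repost = backend.get_filledoutform(alice)     # same GET, new body
    unknown_status, _ = backend.get_filledoutform("not-a-session")

    return {
        "before_post": before_post,
        "first_get": first_get,
        "second_get": second_get,
        "other_session": other_session,
        "after_repost": after_repost,
        "unknown_cookie_status": unknown_status,
    }


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(f"{name}: {value}")
```

The model keeps the rendered form bound to the session cookie and escapes the stored values when rendering; the point of the harness is simply that an identical GET, with no parameters of its own, yields a different body once a different POST has landed in the same session, while a second session sees none of it.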