Bank Management System Spring Boot Improper Authorization Vulnerability in Transaction Endpoint

Vulnerability

An improper authorization vulnerability has been identified in the Bank Management System application developed with Spring Boot, affecting versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. The issue resides in the Transaction Controller, where the critical transaction endpoints `/transaction/deposit` and `/transaction/withdraw` are exposed to unauthenticated users. Because neither authentication nor an ownership check is enforced, anyone who knows a valid card number (and, for withdrawals, the corresponding CVV) can perform deposits and withdrawals against that account.

Impact

Exploitation of this vulnerability allows unauthorized users to perform financial transactions, including deposits and withdrawals, without authenticating and without any verification that they own the target account.

Reproduction

To reproduce this vulnerability, register a new user and extract the JWT token from the registration response. Use this token to create an account, which will provide a card number and CVV. Then, without including an authorization header, send a POST request to the `/transaction/deposit` endpoint with the card number and amount. After that, send a POST request to the `/transaction/withdraw` endpoint with the card number, CVV, and amount. Finally, use the original JWT token to fetch the account details and confirm that the balance has been altered by the unauthorized transactions.

Remediation

Remove `/transaction/**` from the Spring Security configuration's `permitAll()` directive, require authentication for these endpoints, and verify that the account belongs to the authenticated user before processing transactions.
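The following is an added example, not code from the Bank Management System project: a Spring Security 6 configuration that shows the weak `permitAll()` pattern the advisory describes next to the hardened rule, followed by a service-level ownership check so that an authenticated caller can only transact against an account they own. `AccountRepository`, `Account`, `TransactionRequest` and the `/auth/*` paths are assumed names.

```java
// Added example, not the project's own code. Spring Security 6 lambda DSL;
// AccountRepository, Account, TransactionRequest and the /auth paths are assumed.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
public class SecurityConfig {
    // WEAK rule of the kind the advisory describes: "/transaction/**" is public,
    // so deposit/withdraw need only a card number (and CVV for withdrawals).
    //   .authorizeHttpRequests(auth -> auth
    //       .requestMatchers("/auth/**", "/transaction/**").permitAll()
    //       .anyRequest().authenticated())
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable()) // stateless JWT API; no session cookie to protect
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/auth/register", "/auth/login").permitAll()
                .requestMatchers("/transaction/**").authenticated() // explicit: no longer permitAll
                .anyRequest().authenticated());
        return http.build();
    }
}

// Authentication alone is not enough: the caller must also own the account.
@Service
class TransactionService {
    private final AccountRepository accounts; // assumed JPA repository
    TransactionService(AccountRepository accounts) { this.accounts = accounts; }

    // Resolve the card to an account and refuse unless it belongs to the authenticated user.
    // One error for both "unknown card" and "not yours" avoids card-number enumeration.
    private Account ownedAccount(String cardNumber, Authentication auth) {
        Account account = accounts.findByCardNumber(cardNumber)
            .orElseThrow(() -> new AccessDeniedException("transaction refused"));
        if (!account.getOwnerUsername().equals(auth.getName())) {
            throw new AccessDeniedException("transaction refused");
        }
        return account;
    }

    public void deposit(TransactionRequest req, Authentication auth) {
        Account account = ownedAccount(req.cardNumber(), auth); // ownership enforced first
        account.credit(req.amount()); // assumed domain method
        accounts.save(account);
    }
}
```

The controller passes the `Authentication` injected by Spring (populated by the JWT filter) into the service, so the ownership check runs on every deposit and withdrawal rather than relying on the URL rule alone.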

Added: Jun 8, 2026, 3:50 PM
Updated: Jun 8, 2026, 3:50 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.