Keensafe Compliance

Technical report

Detailed findings with mapped controls.

f-001 — SQL injection in /login (online.keensafeglobalbank.com)

critical · internet-banking · status open
Framework · Controls
ISO/IEC 27001:2022 A.8.28 Secure coding
NIST Cybersecurity Framework 2.0 PR.PS-06 Secure software development practices (CSF 1.1 PR.IP-2; CSF 2.0 has no PR.IP category)
NIST SP 800-53 r5 SI-10 Information input validation, SI-11 Error handling
CIS Controls v8.1 16.11 Leverage vetted modules or services for application security components
PCI DSS v4.0 6.2.4 Software engineering techniques to prevent common software attacks (injection)
OWASP Top 10 (2021) A03:2021 Injection
MITRE ATT&CK T1190 Exploit Public-Facing Application
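
Added example, not the bank's code, for f-001: the string-built login query that lets a quote plus a comment sequence remove the password check, beside the parameterised query that closes it. The table, the stored account, the column names and the payload are constructed for the demonstration; the application's real /login code is not on the page.

```python
"""Added example (not from the report): CWE-89 in a login check, and the fix.
Schema, account and payload below are constructed; sqlite3 stands in for the
real database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'h-correct')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """As found: user input is concatenated into SQL syntax."""
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Fixed: bound parameters keep the input as data (PCI DSS 6.2.4, SP 800-53 SI-10)."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def demo() -> dict:
    """Legitimate login and the bypass payload against both versions."""
    conn = make_db()
    payload = "alice' --"  # closes the string literal, comments out the password clause
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "h-correct"),
        "vulnerable_bypass": login_vulnerable(conn, payload, "wrong"),
        "fixed_legit": login_parameterised(conn, "alice", "h-correct"),
        "fixed_bypass": login_parameterised(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterised version is the whole fix for this control; escaping the quote character is not, because the same pattern recurs with numeric contexts and other drivers. The example compares a stored hash for brevity; a real login verifies the submitted password against a salted password-hashing KDF.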

f-002 — BOLA / IDOR in /api/v1/accounts/{id}

high · public-api · status open
Framework · Controls
ISO/IEC 27001:2022 A.8.3 Information access restriction, A.5.18 Access rights
NIST Cybersecurity Framework 2.0 PR.AA-05 Access permissions and authorizations managed with least privilege (CSF 1.1 PR.AC-4)
NIST SP 800-53 r5 AC-3 Access enforcement
OWASP API Security Top 10 (2023) API1:2023 Broken Object Level Authorization
MITRE ATT&CK T1213 Data from Information Repositories

f-003 — SSRF in /api/v1/fetch

high · public-api · status open
Framework · Controls
ISO/IEC 27001:2022 A.8.22 Segregation of networks, A.8.28 Secure coding
NIST Cybersecurity Framework 2.0 PR.IR-01 Networks and environments protected from unauthorized logical access (CSF 1.1 PR.AC-5)
OWASP API Security Top 10 (2023) API7:2023 Server Side Request Forgery
OWASP Top 10 (2021) A10:2021 Server-Side Request Forgery
MITRE ATT&CK T1190 Exploit Public-Facing Application, T1590 Gather Victim Network Information

f-004 — Stealer-log credential reused on /admin/login

critical · admin-panel · status open
Framework · Controls
ISO/IEC 27001:2022 A.5.17 Authentication information, A.5.18 Access rights
NIST Cybersecurity Framework 2.0 PR.AA-01 Identities and credentials managed, PR.AA-03 Users, services and hardware authenticated (CSF 1.1 PR.AC-1)
NIST SP 800-53 r5 IA-5(1) Password-based authentication (screening against compromised-credential lists), IA-2(1) Multi-factor authentication to privileged accounts
PCI DSS v4.0 8.3.6 Password length and complexity, 8.4.1 MFA for all non-console administrative access
DORA (EU 2022/2554) Art.9 Protection and prevention, Art.10 Detection
OWASP Top 10 (2021) A07:2021 Identification and Authentication Failures
MITRE ATT&CK T1110.004 Credential Stuffing, T1078 Valid Accounts

f-005 — Weak JWT — alg=none accepted

high · internet-banking · status open
Framework · Controls
ISO/IEC 27001:2022 A.8.5 Secure authentication, A.8.24 Use of cryptography
NIST SP 800-53 r5 SC-13 Cryptographic protection, IA-2 Identification and authentication
OWASP Top 10 (2021) A02:2021 Cryptographic Failures
MITRE ATT&CK T1606.001 Forge Web Credentials: Web Cookies
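
Added example, not the bank's code, for f-005: a verifier that lets the token header choose the algorithm accepts an alg=none token with an empty signature, while a verifier that pins the algorithm and always checks the MAC rejects it. The HS256 key, the claims and the tokens are constructed here; only the standard library is used, so no JWT package is needed to run it.

```python
"""Added example (not from the report): why alg=none is accepted, and the fix.
Key, claims and tokens are constructed; the bank's real verifier is not on the page."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-hs256-key"  # assumption: the server's HS256 signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def issue(claims: dict, key: bytes = SECRET) -> str:
    """Legitimate HS256 token as the server would mint it."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    return f"{signing_input}.{_b64url(_hs256(signing_input, key))}"


def forge_alg_none(claims: dict) -> str:
    """What the attacker submits: alg=none and an empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_trusting_header(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Vulnerable pattern: the token decides how it is verified."""
    try:
        h, p, s = token.split(".")
        alg = json.loads(_b64url_decode(h)).get("alg")
    except ValueError:
        return None
    if alg == "none":  # "unsecured JWT": returns the claims with no check at all
        return json.loads(_b64url_decode(p))
    if alg == "HS256" and hmac.compare_digest(_hs256(f"{h}.{p}", key), _b64url_decode(s)):
        return json.loads(_b64url_decode(p))
    return None


def verify_pinned(token: str, key: bytes = SECRET, allowed_alg: str = "HS256") -> Optional[dict]:
    """Hardened pattern: the verifier fixes the algorithm and always checks the MAC."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != allowed_alg:
            return None
        if not hmac.compare_digest(_hs256(f"{h}.{p}", key), _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64/JSON, wrong segment count
        return None


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("trusting header:", verify_trusting_header(forged))
    print("pinned:", verify_pinned(forged))
```

The same rule applies when a library does the work: the accepted algorithm list must come from the verifier's configuration, never from the token (PyJWT, for instance, makes the `algorithms` argument to `jwt.decode` mandatory for this reason). Pinning also blocks the related HS256/RS256 confusion, where a public key is fed to an HMAC verifier.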

f-006 — Path traversal in /files/download and /api/v1/export

high · internet-banking + public-api · status open
Framework · Controls
ISO/IEC 27001:2022 A.8.28 Secure coding, A.8.3 Information access restriction
NIST SP 800-53 r5 SI-10 Information input validation
OWASP Top 10 (2021) A01:2021 Broken Access Control (CWE-22 path traversal)
MITRE ATT&CK T1083 File and Directory Discovery

f-007 — Stored XSS in admin notes and support comments

medium · admin-panel + support-portal · status open
Framework · Controls
ISO/IEC 27001:2022 A.8.28 Secure coding
NIST SP 800-53 r5 SI-10 Information input validation
OWASP Top 10 (2021) A03:2021 Injection (cross-site scripting)
MITRE ATT&CK T1059.007 Command and Scripting Interpreter: JavaScript

f-008 — Mass assignment — PUT /api/v1/users/{id} accepts role

high · public-api · status open
Framework · Controls
OWASP API Security Top 10 (2023) API3:2023 Broken Object Property Level Authorization (mass assignment; API6:2023 is Unrestricted Access to Sensitive Business Flows)
ISO/IEC 27001:2022 A.8.3 Information access restriction
NIST SP 800-53 r5 AC-3 Access enforcement, AC-6 Least privilege
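
Added example, not the bank's code, covering both f-002 (object-level check missing on /api/v1/accounts/{id}) and f-008 (PUT /api/v1/users/{id} copies every body field, including role, onto the record). The records, the caller/session shape and the field names are constructed; the two checks shown, owner-or-admin on the object and an allowlist on the properties, are the generic fixes that API1:2023 and API3:2023 describe.

```python
"""Added example (not from the report): BOLA and mass assignment in one
update handler, beside the checked version. Data model is constructed."""
from copy import deepcopy

# Constructed sample records; the real data model is not on the page.
SEED = {
    101: {"id": 101, "email": "alice@example.test", "role": "customer"},
    102: {"id": 102, "email": "bob@example.test", "role": "customer"},
}
CLIENT_WRITABLE = {"email"}  # the only property a user may change about themselves


def fresh_db() -> dict:
    return deepcopy(SEED)


def vulnerable_update(db: dict, caller: dict, target_id: int, body: dict) -> dict:
    """As found: any authenticated caller reaches any id (BOLA), and every
    body field, 'role' included, is merged onto the record (mass assignment)."""
    user = db[target_id]
    user.update(body)
    return user


def load_owned(db: dict, caller: dict, target_id: int) -> dict:
    """Object-level check: the caller must own the record or hold the admin role.
    Missing and forbidden ids raise the same error so ids cannot be enumerated."""
    user = db.get(target_id)
    if user is None or (caller["id"] != target_id and caller["role"] != "admin"):
        raise PermissionError("object not accessible")
    return user


def secure_update(db: dict, caller: dict, target_id: int, body: dict) -> dict:
    """Property-level check: unknown fields are rejected, not silently dropped,
    so a client sending 'role' learns the request was malformed."""
    user = load_owned(db, caller, target_id)
    extra = set(body) - CLIENT_WRITABLE
    if extra:
        raise ValueError(f"not writable: {sorted(extra)}")
    user.update({k: body[k] for k in CLIENT_WRITABLE if k in body})
    return user


def outcome(handler, db: dict, caller: dict, target_id: int, body: dict) -> str:
    """Run a handler and summarise the result as an HTTP-style outcome."""
    try:
        user = handler(db, caller, target_id, body)
    except PermissionError:
        return "forbidden"  # 403 (or 404, as long as it matches the missing-id case)
    except ValueError:
        return "rejected"   # 400/422
    return "role=" + user["role"]


if __name__ == "__main__":
    bob = {"id": 102, "role": "customer"}
    print("vulnerable:", outcome(vulnerable_update, fresh_db(), bob, 101, {"role": "admin"}))
    print("secure:", outcome(secure_update, fresh_db(), bob, 101, {"role": "admin"}))
```

Role changes belong on a separate, admin-only endpoint rather than in the allowlist; the allowlist is what keeps a future "add a field to the model" change from silently becoming a privilege-escalation path.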

f-009 — Wide-open CORS on api.keensafeglobalbank.com

medium · public-api · status open
Framework · Controls
ISO/IEC 27001:2022 A.8.9 Configuration management
NIST SP 800-53 r5 CM-6 Configuration settings
OWASP API Security Top 10 (2023) API8:2023 Security Misconfiguration

f-010 — Sensitive backup zip exposed at /backup/

high · corporate-web · status open
Framework · Controls
ISO/IEC 27001:2022 A.5.10 Acceptable use of information and other associated assets, A.8.13 Information backup, A.8.3 Information access restriction
PCI DSS v4.0 3.5 Primary account number secured wherever it is stored
GDPR (EU 2016/679) Art.32 Security of processing
KVKK (Türkiye 6698) Md.12 Data security obligations

f-011 — Prompt injection / system-prompt leakage on chatbot

high · llm-chatbot · status open
Framework · Controls
ISO/IEC 27001:2022 A.8.26 Application security requirements, A.8.28 Secure coding
OWASP Top 10 for LLM Applications (2025) LLM01 Prompt Injection, LLM07 System Prompt Leakage
OWASP API Security Top 10 (2023) API3:2023 Broken Object Property Level Authorization (excessive data exposure)
SOC 2 Type II CC6.6
MITRE ATLAS AML.T0051 LLM Prompt Injection, AML.T0056 LLM Meta Prompt Extraction

f-012 — Hard-coded admin / admin123 + MFA accepts 0000

critical · admin-panel · status open
Framework · Controls
ISO/IEC 27001:2022 A.5.17 Authentication information, A.5.18 Access rights, A.8.5 Secure authentication
NIST Cybersecurity Framework 2.0 PR.AA-01 Identities and credentials managed, PR.AA-03 Users, services and hardware authenticated (CSF 1.1 PR.AC-1)
NIST SP 800-53 r5 IA-5 Authenticator management, IA-2(1) Multi-factor authentication to privileged accounts
PCI DSS v4.0 2.2.2 Vendor default accounts managed, 8.3.1, 8.4.1 MFA for all non-console administrative access
SOC 2 Type II CC6.1
OWASP Top 10 (2021) A07:2021 Identification and Authentication Failures
MITRE ATT&CK T1078.001 Valid Accounts: Default Accounts

f-013 — Audit log tampering — DELETE /audit-logs/{id}

high · admin-panel · status open
Framework · Controls
ISO/IEC 27001:2022 A.8.15 Logging
NIST SP 800-53 r5 AU-9 Protection of audit information
SOC 2 Type II CC7.2
PCI DSS v4.0 10.3.2 Audit log files protected from modification (10.5 covers retention, not tampering)
MITRE ATT&CK T1070 Indicator Removal

f-014 — GDPR / KVKK over-disclosure — customer records via /customer-lookup

high · support-portal · status open
Framework · Controls
GDPR (EU 2016/679) Art.5(1)(c) Data minimisation, Art.32 Security of processing
KVKK (Türkiye 6698) Md.4 General principles, Md.12 Data security obligations
ISO/IEC 27001:2022 A.8.3 Information access restriction, A.8.11 Data masking
SOC 2 Type II CC6.7

f-015 — Leaked AWS keys in build logs (Jenkins) and SDK samples

high · jenkins + developer-portal · status open
Framework · Controls
ISO/IEC 27001:2022 A.5.17 Authentication information, A.8.9 Configuration management
NIST SP 800-53 r5 IA-5 Authenticator management, IA-5(7) No embedded unencrypted static authenticators
PCI DSS v4.0 8.6.2 No hard-coded application and system account credentials in scripts, configuration files or source code (6.3.1 concerns vulnerability management)
CIS Controls v8.1 16.12 Implement code-level security checks
MITRE ATT&CK T1552.001 Unsecured Credentials: Credentials In Files, T1078.004 Valid Accounts: Cloud Accounts