Temenos OFS Field Injection: Revealing a Hidden Financial Attack Vector
During a pentest of an API integrated with Temenos using OFS, I uncovered a previously undocumented attack vector that I call OFS Field Injection. Improperly sanitized user input was inserted directly into OFS request strings, enabling the creation of poisoned transactions and theft of funds with minimal trace. The post explains how OFS works, how this […]
Intercepting Everything: A PAX PoS Pentest Case Study
Recently I accepted a pentest engagement at Spark Professional Services for a merchant app running on a PAX Technology Linux-based Point of Sale (PoS). Unlike Android PoS devices, these embedded Linux terminals lack built-in proxy support, so intercepting app traffic requires custom handling. I had a two-day pre-engagement with the device to research and validate techniques, and I’m sharing […]