# Proactivity : help prevent a major security breach
# seriousness : handle threat and protecting data
# bank vision :

qrBe#yB3egmV!bt
boybro245@gmail.com

![image](https://hackmd.io/_uploads/rySZaXmDbx.png)
![image](https://hackmd.io/_uploads/BkBcmMQD-x.png)
![Screenshot From 2026-02-06 09-08-41](https://hackmd.io/_uploads/H1Z-p6zw-x.png)
![Screenshot From 2026-02-06 09-10-02](https://hackmd.io/_uploads/r18VTpMD-g.png)
![image](https://hackmd.io/_uploads/ByvpFTYIWg.png)
![Screenshot From 2026-01-30 11-26-00](https://hackmd.io/_uploads/Bk03z3YUWl.png)
![Screenshot From 2026-01-30 11-27-47](https://hackmd.io/_uploads/Hk4-7nY8Wg.png)

Bypassing the Key Attestation API with Remote Devices github

https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-advance/1.0/validate/customer/eligible
https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-advance/1.0/view/contract/loan
https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-advance/1.0/loan/commit

https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-upl/1.0/validate/customer/eligible
https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-upl/1.0/loan/inquiry
https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-upl/1.0/view/contract/loan
https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-upl/1.0/loan/commit
https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-upl/1.0/loan/recommit
https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-upl/1.0/loan/pay-off/inquiry
https://uatsandbox.sathapana.com.kh:2284/new-mobile-banking/uat/salary-upl/1.0/loan/pay-off/commit

![Screenshot From 2026-01-29 15-08-07](https://hackmd.io/_uploads/Bk9XHcO8-e.png)
![Screenshot From 2026-01-29 15-08-21](https://hackmd.io/_uploads/SJI4SquUZx.png)
![Screenshot From 2026-01-29 14-48-11](https://hackmd.io/_uploads/BJgKxq_IZl.png)
![Screenshot From 2026-01-29 14-49-12](https://hackmd.io/_uploads/BkKnxcuIWe.png)
![Screenshot From 2026-01-29 14-49-12](https://hackmd.io/_uploads/Sk_kZ9u8-l.png)

```javascript
const extractAllValues = (value) => {
    if (value == null) return '';

    // Handle environment variables
    if (typeof value === 'string' && value.startsWith('{{') && value.endsWith('}}')) {
        return pm.environment.get(value.slice(2, -2)) || '';
    }

    // Recursively process objects (sorted keys)
    if (typeof value === 'object' && !Array.isArray(value)) {
        return Object.keys(value)
            .sort() // Sort keys alphabetically
            .map(key => extractAllValues(value[key]))
            .join('');
    }

    // Recursively process arrays
    if (Array.isArray(value)) {
        return value.map(item => extractAllValues(item)).join('');
    }

    // Convert non-strings to strings
    return typeof value === 'string' ? value : String(value);
};

const buildHashString = (payload) => {
    return Object.keys(payload)
        .sort() // Sort root keys A-Z
        .filter(key => key !== 'hash') // Skip the hash field
        .map(key => extractAllValues(payload[key]))
        .join('');
};

// Main Execution
try {
    const timestamp = Date.now();
    pm.environment.set("timestamp", timestamp);

    const requestBody = JSON.parse(pm.request.body[pm.request.body.mode]);
    const secretKey = pm.environment.get("secret_key");

    const payloadString = buildHashString(requestBody);
    const hashValue = `${secretKey}${payloadString}${timestamp}`;

    // Note: hashValue starts with the secret key, so this log line writes the key to the Postman console
    console.log("Hash computation string:", hashValue);

    const hashedPayload = CryptoJS.enc.Hex.stringify(CryptoJS.SHA512(hashValue));
    pm.environment.set("hash", hashedPayload);
} catch (error) {
    console.error("Hash generation failed:", error);
    throw error;
}
```

![Screenshot From 2026-01-29 10-50-46](https://hackmd.io/_uploads/BJ9RdI_UZe.png)
![Screenshot From 2026-01-29 10-52-53](https://hackmd.io/_uploads/HyUIK8O8Wg.png)
![Screenshot From 2026-01-29 10-57-32](https://hackmd.io/_uploads/S16P9LdU-l.png)
![Screenshot From 2026-01-29 11-00-06](https://hackmd.io/_uploads/Hy5bjUOI-g.png)
![Screenshot From 2026-01-29 11-25-01](https://hackmd.io/_uploads/BkMyWvuI-x.png)
![Screenshot From 2026-01-29 11-25-43](https://hackmd.io/_uploads/rJib-P_Ibe.png)
![Screenshot From 2026-01-29 11-28-06](https://hackmd.io/_uploads/rkOqWvuLWx.png)
![image](https://hackmd.io/_uploads/S1XfXP_8bl.png)
![Screenshot From 2026-01-29 11-34-57](https://hackmd.io/_uploads/H1mVmDu8Zg.png)
![Screenshot From 2026-01-29 11-35-44](https://hackmd.io/_uploads/r1bP7w_UWe.png)
![Screenshot From 2026-01-29 11-36-23](https://hackmd.io/_uploads/B1dYQDuIZe.png)
![Screenshot From 2026-01-28 10-42-01](https://hackmd.io/_uploads/S1lIBWvL-g.png)
![Screenshot From 2026-01-28 10-46-35](https://hackmd.io/_uploads/Hy0ULZvUWl.png)

1539292

![Screenshot From 2026-01-28 08-16-41](https://hackmd.io/_uploads/ryMS71v8Wg.png)

172.17.251.53

https://maps.app.goo.gl/xXGSbsrk82cCLUgYA

qxwVzVBeHL9fX01sAVFv1WxGIvhN+Q==

![Screenshot From 2026-01-27 11-26-42](https://hackmd.io/_uploads/HyrBR2SUWx.png)
![Screenshot From 2026-01-27 11-17-24](https://hackmd.io/_uploads/SyOS2nHIZl.png)
![Screenshot From 2026-01-27 09-42-23](https://hackmd.io/_uploads/HkeStUiSUbe.png)
![Screenshot From 2026-01-27 11-17-24](https://hackmd.io/_uploads/BJTzh2r8-g.png)

# h1 Proactivity : prevent data breach
# h1 seriousness : handle threat and protecting data

PENTEST/Pent@s#$402212

Room: C1
Booked number: 096 400 3497
Arrival time: 6:00 to 6:30 PM
Contact number: 095 22 381

Subject: Penetration Testing Completion – Sathapana Onboarding App 2025 Release 2

Dear Bong @Khov Puthsovann, @Touch Ra, and @Ky Seng Hak,

I would like to inform you that I have successfully completed the penetration testing for Sathapana Onboarding App 2025 Release 2. Please find the detailed report attached for your review.