How to win big - Several Interesting Examples of Exploiting Financial & Gambling Apps

I am going to review a number of interesting flaws that I have seen within the payment systems and gambling games. This includes examples that allowed me to win big while I was gambling very responsibly as well as simple methods that brought me free goods such as expensive books that I really didn't need, fake moustaches, or even caskets for my fake funeral!

Disclaimer: all issues were reported responsibly to the companies and no moustache or slot machine was harmed in this process! I am not going to name any companies during this presentation.


  1. How to win BIG! Several Interesting Examples of Exploiting Financial & Gambling Apps by Soroush Dalili - OWASP Birmingham, UK - March 2019
  2. whoami? • Soroush Dalili • Principal security consultant @ NCC Group • Web application tester / researcher • Twitter: @irsdl • Personal blog: https://soroush.me/ • Work email: soroush.dalili[at]nccgroup{dot}com
  3. What’s going on here? HACKERS GONNA CHEAT WHILST PLAYING
  4. What could I buy?!
  5. Main references • Based on identified issues in real websites – Easy examples (!=comprehensive, !=all findings) • This whitepaper: https://www.nccgroup.trust/uk/our-research/common-security-issues-in-financially-orientated-web-applications/ • NCC Group’s gambling game testing methodology – Internal but similar to the published whitepaper above
  6. Price manipulation • Super easy but might be hard to find! • Example: – Target had a multi-step checkout process – A separate API to interact with payment gateways – Accepted an encrypted amount value without any checks – Exploited by replaying the price of a cheaper item
  7. What else can be changed? • Anything that can change the price! – Delivery option, quantity, discount, VAT code, buyer’s region, special events, currency, etc. • Look for references and encrypted values too • All payment methods should be tested separately
  8. Payment bypass, for real! • Parameter manipulation: – In payment processors (esp. when it’s internal) – In return pages from payment gateways • Examples: – Removing a reference parameter – Modifying the payment method in the return
  9. Order update when paying • Classic ToCToU, easy to test and find! 1. Add a cheap item to the basket 2. Go to the payment page in tab 1 3. Open the basket in tab 2 4. Update your order • new items, quantity, postage, etc. 5. Continue with the payment process in tab 1 6. You pay for the cheap item but you may get them all
  10. Order update after paying! • To add more items or change a confirmed order, insurance quote, or an invoice • When order status is not checked properly • Example: – The cheapest car insurance was purchased • Using invalid details such as NCB, vehicle model, etc. – It was updated by changing & replaying a request • Insurance ID in header & body (repeated) • The IID in the header was replaced with a fresh ID • Validation bypassed, insurance certificate was updated!
  11. Abusing free samples or gifts… • Buy item A to also get item B for free • Free items can be purchased separately • Exploited by changing the quantity of free items!
  12. Race conditions • Example 1: Money transfer – Works even better when there are multiple accounts – Creates money out of thin air!
  13. Race conditions • Example 2: One-time promotion codes
  14. Abusing concatenation in signature • Signature = SHA1(secret + … + reference + amount) – “reference” → string, “amount” → number • Hash length extension – Example tools: Hash Extender, HashPump – But, no delimiters between parameters! – …&reference=abcd&amount=89 – …&reference=abcd8&amount=9 – …&reference=abcd89%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%f0&amount=1
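The slide's two value pairs hash identically because nothing separates the fields; the added example below (mine, not from the talk) shows the naive SHA1(secret + reference + amount) check accepting the shifted pair, beside a hardened signature that length-prefixes each field and uses HMAC. The secret and the "GBP" currency field are constructed for the demo.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # stands in for the merchant/gateway shared secret


def naive_signature(reference: str, amount: int) -> str:
    # The construction from the slide: a bare hash over concatenated fields,
    # with nothing separating "reference" from "amount".
    return hashlib.sha1(SECRET + reference.encode() + str(amount).encode()).hexdigest()


def hardened_signature(reference: str, amount: int, currency: str) -> str:
    # Length-prefix every field so the serialisation is unambiguous (no two
    # field sets produce the same bytes), then use HMAC so length extension
    # of the underlying hash does not apply.
    fields = [reference.encode(), str(amount).encode(), currency.encode()]
    message = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()


def naive_check(reference: str, amount: int, signature: str) -> bool:
    return hmac.compare_digest(naive_signature(reference, amount), signature)


def hardened_check(reference: str, amount: int, currency: str, signature: str) -> bool:
    return hmac.compare_digest(hardened_signature(reference, amount, currency), signature)


def demo() -> dict:
    # A signature issued for reference=abcd, amount=89 ...
    legit = naive_signature("abcd", 89)
    # ... also verifies for reference=abcd8, amount=9: the concatenated bytes are identical.
    accepted_by_naive = naive_check("abcd8", 9, legit)
    legit_hardened = hardened_signature("abcd", 89, "GBP")
    accepted_by_hardened = hardened_check("abcd8", 9, "GBP", legit_hardened)
    return {"naive_accepts_shifted": accepted_by_naive,
            "hardened_accepts_shifted": accepted_by_hardened}
```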
  15. Gambling games’ bugs… • Games are used by multiple sites – 1 bug x 20 websites x £50 per week = £1000 pw – Can go undetected for a while * Images have been selected by searching in Google and do not represent the actual vulnerable games/apps!
  16. Gambling apps’ problems • Insufficient validation • Logical bugs and state confusion • Know your system – Different bet types – Different features in different sports – Different games from the same vendor – Hidden games’ features – Free bets, bonuses, promotions, …
  17. Reversing a game – Shocking! • In a Top Trumps game, the result was inverted: – When a negative stake was provided! – Very simple odds manipulation – e.g. look at YoB:
  18. Why use the expensive RNG machine? • RNG was not used for free games (why not?!) • Selectable cards were also sent • Unintentionally supported in real games too • Server forced to always choose a specific card • I could win every single time!
  19. More lovely unnecessary features • A slot machine with 20 lines: – Lines parameter was like this (selecting 15 lines): • Lines=1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0 – Accepting any number other than 0 or 1 (why?!) – 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,-19 • Paying for 1 line, normal prize was small • But, the bonus prize was based on 20 lines so:
  20. Godsend Bingo tickets… • Imagine a Bingo game • Every 4 tickets, I got 1 free ticket • Pay-with-points parameter was set to “false” • Did not work without points… • “true” multiple times followed by a “false” – Several free tickets added to my only ticket! – Could make me rich!
  21. Know the logic, multi-bets FTW! • Multi-bets → better odds • Team A vs Team B, players should not be able to: – Choose duplicate events/fixtures • A wins + A wins – Choose related events/fixtures • A wins + B loses + Game has > 0.5 goal • The same event became different when… – A wins + A wins with > 0.5 goals! (added parameter)
  22. Validation bypass using errors • An empty catch block in the main validation function • Validation was bypassed when: – stringVal=NotANumberValue!
  23. My automated testing approach • Change more than 1 parameter at a time! – Increases the testing time • Check every step when there are several • Use a smart fuzzing approach • Example: – Change odds/lines/price to an arbitrary value – Change other parameters until it is successful
  24. What can go wrong during a test? • Permissions (3rd parties might be involved) – Make sure you are authorised before doing this • Having access to all payment methods • Having access to all functions / features – Region is important – Account type, luck, promotions, … • Auto account disabling mechanism • Refunding money or returning goods
  25. Have a testing methodology • Bug bounty hunters can lose real money
  26. To developers • Keep it simple & remove unnecessary features • Appropriate server-side validation – Parameters – State • Verify a processed payment – Paid amount & currency matches the order • Appropriate error handling • Secure cryptography • Review the logic • Get it tested!
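As an added illustration of the state and payment checks on slide 26 (my code, not from the talk), the order below is frozen once checkout starts, which closes the tab-1/tab-2 race from slide 9, and the gateway notification is only accepted when the order is still awaiting payment and the amount and currency match the total locked at checkout. The `Order` class and the notification dict are constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, Optional, Tuple


@dataclass
class Order:
    order_id: str
    currency: str
    items: Dict[str, Tuple[Decimal, int]] = field(default_factory=dict)
    status: str = "OPEN"                      # OPEN -> AWAITING_PAYMENT -> PAID
    locked_total: Optional[Decimal] = None

    def total(self) -> Decimal:
        return sum((price * qty for price, qty in self.items.values()), Decimal("0"))

    def update_item(self, sku: str, unit_price: str, qty: int) -> None:
        # Slide 9: once checkout has started the basket is frozen, so editing
        # it in a second tab while paying in the first has nothing to change.
        if self.status != "OPEN":
            raise PermissionError(f"order {self.order_id} is {self.status}, not editable")
        if qty <= 0:
            raise ValueError("quantity must be a positive integer")
        self.items[sku] = (Decimal(unit_price), qty)

    def start_checkout(self) -> Decimal:
        if self.status != "OPEN":
            raise PermissionError("checkout already started")
        self.status = "AWAITING_PAYMENT"
        self.locked_total = self.total()      # the amount the gateway must report back
        return self.locked_total


def confirm_payment(order: Order, notification: dict) -> bool:
    """Server-side check of a gateway notification (constructed dict with
    order_id, amount, currency). Slide 26: paid amount & currency must match
    the order, and the order must still be waiting for exactly this payment."""
    if order.status != "AWAITING_PAYMENT":    # replayed or duplicate callback
        return False
    if notification.get("order_id") != order.order_id:
        return False
    if notification.get("currency") != order.currency:
        return False
    if Decimal(str(notification.get("amount", "0"))) != order.locked_total:
        return False
    order.status = "PAID"
    return True
```

The amount comparison uses the total captured at checkout, not the current basket, so a basket edited through any other path after that point cannot change what the payment is validated against.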
  27. To system owners • Monitor users and players – Who is regularly winning from what games – Who is regularly getting items without paying • Get real-time alerts on: – Payment errors – Unusually high number of money transfers – High number of small bets to detect testing • Get the payment & gambling apps tested
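Two of the alerts on slide 27, as an added example run over a constructed bet log (my code, not from the talk): one rule flags accounts placing many tiny bets in a short window, the pattern a tester or fuzzer leaves behind, and the other flags (account, game) pairs that win almost every bet over a meaningful sample. Thresholds and the three sample accounts are assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample bet log for three accounts: (time, account, game, stake, payout).
BASE = datetime(2019, 3, 1, 20, 0, 0)
BETS = []
for i in range(25):      # probing: 25 bets of 5p within five minutes
    BETS.append((BASE + timedelta(seconds=12 * i), "acct-probe", "slots", Decimal("0.05"), Decimal("0")))
for i in range(12):      # suspiciously consistent winner on one game
    BETS.append((BASE + timedelta(minutes=i), "acct-lucky", "top_trumps", Decimal("5"), Decimal("9.50")))
for i in range(5):       # ordinary player, wins some and loses some
    BETS.append((BASE + timedelta(minutes=3 * i), "acct-normal", "slots", Decimal("10"),
                 Decimal("20") if i % 2 else Decimal("0")))


def flag_probing_accounts(bets, window=timedelta(minutes=10), min_bets=20, max_stake=Decimal("0.10")):
    """Accounts placing at least min_bets bets of at most max_stake inside one sliding window."""
    times = defaultdict(list)
    for ts, acct, _game, stake, _payout in bets:
        if stake <= max_stake:
            times[acct].append(ts)
    flagged = set()
    for acct, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end in range(len(ts_list)):
            while ts_list[end] - ts_list[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= min_bets:
                flagged.add(acct)
                break
    return flagged


def flag_consistent_winners(bets, min_bets=10, min_win_rate=0.9):
    """(account, game) pairs whose win rate is implausibly high over at least min_bets bets."""
    stats = defaultdict(lambda: [0, 0])   # (account, game) -> [bets, wins]
    for _ts, acct, game, stake, payout in bets:
        stats[(acct, game)][0] += 1
        if payout > stake:
            stats[(acct, game)][1] += 1
    return {key for key, (n, wins) in stats.items() if n >= min_bets and wins / n >= min_win_rate}
```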
  28. Thanks, any questions?
  29. A free recipe • Attend an OWASP chapter meeting!!! • Encourage someone to pay for you • Work for the pizza shop • Use valid loyalty points (not free?) • Steal it?! (a bad option, don’t do this) • Or buy it online for free! (just kidding) – An officer may deliver the dip for you!