Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
ACROS
ACROS PUBLIC
Page 2
ACROS PUBLIC
Page 3
ACROS PUBLIC
Page 4
PAST-PRESENT FUTURE
Back-End Server
PRESENT
Online Banking Server
FUTURE 2.0
ACROS PUBLIC
Page 5
ACROS PUBLIC
Page 6
Advantages More money Large transactions not unusual Targets can be found in public certificate directories
Online Banking Server
ACROS PUBLIC
Page 7
ACROS PUBLIC
Page 8
ACROS PUBLIC
Page 9
Goal: Exploiting Application Flaws Methods Hacking Problems Getting noticed while looking for flaws Advantages Unlimited amount of money No user interaction (social engineering) Possible creation of new money
ACROS PUBLIC
Page 10
ACROS PUBLIC
Page 11
https://bank/balance?uid=7728356
(my account balance data)
https://bank/balance?uid=7728355
(another users account balance data)
ACROS PUBLIC
Page 12
https://bank/balance?dWlkPTc3MjgzNTY=
(my account balance data)
Base64decode(dWlkPTc3MjgzNTY=)
uid=7728356 Base64encode(uid=7728355)
https://bank/balance?dWlkPTc3MjgzNTU=
(another users account balance data)
ACROS PUBLIC
Page 13
ACROS PUBLIC
Page 14
ACROS PUBLIC
Page 15
ACROS PUBLIC
Page 16
Negative Numbers
ACROS PUBLIC
Page 17
IF RequestedAmount > DisposableAmount THEN ERROR(); IF 3,000 > 2,000 THEN ERROR(); // Error Insufficient Funds IF -100 > 2,000 THEN ERROR(); // No Error Here
ACROS PUBLIC
Page 18
Attacker: Victim:
0$ 100 $
ACROS PUBLIC
Page 19
0$ 0$
ACROS PUBLIC
Page 20
ACROS PUBLIC
Page 21
Normal Overdraft
100 $ 0$
(Transfer 1,000 $ from #1 to #2) Account #1: Account #2: -900 $ 1,000 $
ACROS PUBLIC
Page 22
Over-Overdraft
100 $ 0$
(Transfer 1,000,000 $ from #1 to #2) Account #1: Account #2: -999,900 $ 1,000,000 $
ACROS PUBLIC
Page 23
ACROS PUBLIC
Page 24
User Public Server Back End Server POST /transfer source=1 & dest=2 & amount=100
JSP
source = request.getParameter(source) // 1 amount = request.getParameter(amount) // 100 IF NOT user_authorized_for(source) THEN ERROR() IF disposable(source) < amount THEN ERROR() Call BackEndTransaction(request)
ACROS PUBLIC
Page 25
HTTP Parameter Pollution Source account POST /transfer source=1 & dest=2 & amount=100 & source=42
JSP
source = request.getParameter(source) // 1 amount = request.getParameter(amount) // 100 IF NOT user_authorized_for(source) THEN ERROR() IF disposable(source) < amount THEN ERROR() Call BackEndTransaction(request)
ACROS PUBLIC
Page 26
HTTP Parameter Pollution Transfer Amount POST /transfer source=1 & dest=2 & amount=100 & amount=100000
JSP
source = request.getParameter(source) // 1 amount = request.getParameter(amount) // 100 IF NOT user_authorized_for(source) THEN ERROR() IF disposable(source) < amount THEN ERROR() Call BackEndTransaction(request)
ACROS PUBLIC
Page 27
SQL Injection
ACROS PUBLIC
Page 28
SELECT rate FROM exch_rates WHERE currency = UNION SELECT balance FROM accounts WHERE account_id = 887296
ACROS PUBLIC
Page 29
BEGIN TRANSACTION UPDATE accounts SET balance = 0 WHERE account_id = .$acctid1. UPDATE accounts SET balance = 100 WHERE account_id = .$acctid2.
COMMIT TRANSACTION
ACROS PUBLIC
Page 30
BEGIN TRANSACTION UPDATE accounts SET balance = 0 WHERE account_id = 123 UPDATE accounts SET balance = 100 WHERE account_id = 456
COMMIT TRANSACTION
ACROS PUBLIC
Page 31
BEGIN TRANSACTION UPDATE accounts SET balance = 0 WHERE account_id = 123 UPDATE accounts SET balance = 100 WHERE account_id = 456 OR account_id = 123 COMMIT TRANSACTION
ACROS PUBLIC
Page 32
ACROS PUBLIC
Page 33
ACROS PUBLIC
Page 34
ACROS PUBLIC
Page 35
Impact
Change e-banking application code Obtain database/WS credentials, issue direct requests to DB or back-end WS
ACROS PUBLIC
Page 36
ACROS PUBLIC
Page 37
Other Attacks
Session Puzzling Insecure Mass Assignment Numerical Magic: Overflows, Underflows, Exponential Notation, Reserved words (Corsaire whitepaper) Stale Currency Exchange Race Conditions ... New functionalities: automated deposits, loans, investment portfolio management, ...
ACROS PUBLIC
Page 38
http://blog.acrossecurity.com/2012/01/is-your-online-bank-vulnerable-to.html
ACROS PUBLIC
Page 39
1 0,01
0,01
1,364 $ 0,01364 $
0,01 $
ACROS PUBLIC
Page 40
2001
Asymmetric Currency Rounding by M'Rahi, Naccache and Tunstall http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.91.8055&rep=rep1&type=pdf
ACROS PUBLIC
Page 41
1: 2: 3:
goto 1
ACROS PUBLIC
Page 42
Improvements
Optimal exchange rate (getting as close to 0,005 as possible) Corporate banking: packets (1000s of exchanges in one packet)
Countermeasures
Limit minimum amount to 1 whole unit, exchange fee
ACROS PUBLIC
Page 43
ACROS PUBLIC
Page 44
ACROS PUBLIC
Page 45
ACROS PUBLIC
Page 46
ACROS PUBLIC
Page 47
Mitja Kolsek