How to win big - Several Interesting Examples of Exploiting Financial & Gambling Apps
I am going to review a number of interesting flaws that I have seen within the payment systems and gambling games. This includes examples that allowed me to win big while I was gambling very responsibly as well as simple methods that brought me free goods such as expensive books that I really didn't need, fake moustaches, or even caskets for my fake funeral!

Disclaimer: all issues were reported responsibly to the companies and no moustache or slot machine was harmed in this process! I am not going to name any companies during this presentation.

1. How to win BIG! Several Interesting Examples of Exploiting Financial & Gambling Apps by Soroush Dalili - OWASP Birmingham, UK - March 2019

2. whoami?
• Soroush Dalili
• Principal security consultant @ NCC Group
• Web application tester / researcher
• Twitter: @irsdl
• Personal blog: https://soroush.me/
• Work email: soroush.dalili[at]nccgroup{dot}com

3. What’s going on here? HACKERS GONNA CHEAT WHILST PLAYING

4. What could I buy?!

5. Main references
• Based on identified issues in real websites
– Easy examples (!=comprehensive, !=all findings)
• This whitepaper: https://www.nccgroup.trust/uk/our-research/common-security-issues-in-financially-orientated-web-applications/
• NCC Group’s gambling game testing methodology
– Internal but similar to the published whitepaper above

6. Price manipulation
• Super easy but might be hard to find!
• Example:
– Target had a multi-step checkout process
– A separate API to interact with payment gateways
– Accepted an encrypted amount value without any checks
– Exploited by replaying the price of a cheaper item

7. What else can be changed?
• Anything that can change the price!
– Delivery option, quantity, discount, VAT code, buyer’s region, special events, currency, etc.
• Look for references and encrypted values too
• All payment methods should be tested separately

8. Payment bypass, for real!
• Parameter manipulation:
– In payment processors (esp. when it’s internal)
– In return pages from payment gateways
• Examples:
– Removing a reference parameter
– Modifying the payment method in the return page

9. Order update when paying
• Classic ToCToU, easy to test and find!
1. Add a cheap item to the basket
2. Go to the payment page in tab 1
3. Open the basket in tab 2
4. Update your order
• New items, quantity, postage, etc.
5. Continue with the payment process in tab 1
6. You pay for the cheap item but you may get them all

10. Order update after paying!
• To add more items or change a confirmed order, insurance quote, or an invoice
• When the order status is not checked properly
• Example:
– The cheapest car insurance was purchased
• Using invalid details such as NCB, vehicle model, etc.
– It was updated by changing & replaying a request
• Insurance ID in header & body (repeated)
• The IID in the header was replaced with a fresh ID
• Validation bypassed, insurance certificate was updated!

11. Abusing free samples or gifts…
• Buy item A to also get item B for free
• Free items can be purchased separately
• Exploited by changing the quantity of free items!

12. Race conditions
• Example 1: Money transfer
– Works even better when there are multiple accounts
– Creates money out of thin air!

13. Race conditions
• Example 2: One-time promotion codes

14. Abusing concatenation in signature
• Signature = SHA1(secret + … + reference + amount)
– “reference” → string, “amount” → number
• Hash length extension
– Example tools: Hash Extender, HashPump
– But, no delimiters between parameters!
– …&reference=abcd&amount=89
– …&reference=abcd8&amount=9
– …&reference=abcd89%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%f0&amount=1
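The ambiguity behind slide 14, as an added example that is not code from the talk or from NCC Group: the concatenated SHA1 scheme produces the same digest for reference=abcd/amount=89 and reference=abcd8/amount=9, whereas an HMAC over a length-prefixed encoding of the fields keeps them apart and is not subject to length extension. The secret value and the reduction to two fields are assumptions; the real signature covered further fields shown as "…" on the slide.

```python
import hashlib
import hmac
import struct

# Hypothetical shared secret; a real system loads this from configuration.
SECRET = b"example-shared-secret"


def naive_signature(reference: str, amount: int) -> str:
    """The weak scheme from slide 14: SHA1 over plain concatenation, no delimiters.
    The field boundary is lost, so different (reference, amount) pairs can
    produce the very same input bytes."""
    data = SECRET + reference.encode("utf-8") + str(amount).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def naive_collides(ref_a: str, amt_a: int, ref_b: str, amt_b: int) -> bool:
    """True when the naive scheme signs two different parameter sets identically."""
    return naive_signature(ref_a, amt_a) == naive_signature(ref_b, amt_b)


def canonical_encode(fields: dict) -> bytes:
    """Length-prefix every key and value, in a fixed key order, so that no two
    distinct field sets share an encoding regardless of their string contents."""
    out = b""
    for key in sorted(fields):
        for part in (key, str(fields[key])):
            raw = part.encode("utf-8")
            out += struct.pack(">I", len(raw)) + raw
    return out


def hardened_signature(reference: str, amount: int) -> str:
    """HMAC-SHA256 over the canonical encoding. HMAC keys the hash properly,
    so the length-extension trick on slide 14 does not apply."""
    msg = canonical_encode({"reference": reference, "amount": amount})
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify_hardened(reference: str, amount: int, signature: str) -> bool:
    """Constant-time comparison so a verifier does not leak the digest byte by byte."""
    expected = hardened_signature(reference, amount)
    return hmac.compare_digest(expected, signature)
```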
15. Gambling games’ bugs…
• Games are used by multiple sites
– 1 bug x 20 websites x £50 per week = £1000 pw
– Can go undetected for a while
* Images have been selected by searching in Google and do not represent the actual vulnerable games/apps!

16. Gambling apps’ problems
• Insufficient validation
• Logical bugs and state confusion
• Know your system
– Different bet types
– Different features in different sports
– Different games from the same vendor
– Hidden games’ features
– Free bets, bonuses, promotions, …

17. Reversing a game – Shocking!
• In a Top Trumps game, the result was inverted:
– When a negative stake was provided!
– Very simple odds manipulation
– e.g. look at YoB:

18. Why use the expensive RNG machine?
• RNG was not used for free games (why not?!)
• Selectable cards were also sent
• Unintentionally supported in real games too
• Server forced to always choose a specific card
• I could win every single time!

19. More lovely unnecessary features
• A slot machine with 20 lines:
– Lines parameter was like this (selecting 15 lines):
• Lines=1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0
– Accepting any number other than 0 or 1 (why?!)
– 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,-19
• Paying for 1 line, the normal prize was small
• But, the bonus prize was based on 20 lines so:

20. Godsend Bingo tickets…
• Imagine a Bingo game
• Every 4 tickets, I got 1 free ticket
• Pay-with-points parameter was set to “false”
• Did not work without points…
• “true” multiple times followed by a “false”
– Several free tickets added to my only ticket!
– Could make me rich!

21. Know the logic, multi-bets FTW!
• Multi-bets → better odds
• Team A vs Team B, players should not be able to:
– Choose duplicate events/fixtures
• A wins + A wins
– Choose related events/fixtures
• A wins + B loses + Game has > 0.5 goal
• The same event became different when…
– A wins + A wins with > 0.5 goals! (added parameter)

22. Validation bypass using errors
• An empty catch block in the main validation function
• Validation was bypassed when:
– stringVal=NotANumberValue!
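A fail-closed bet validator, added here as an example and not the code of any vendor mentioned in the talk, shown beside the fail-open shape of slide 22 (an empty catch block that swallows the parse error); the hardened version also rejects the negative stake of slide 17 and the extra -19 line value of slide 19. The parameter names, the 20-line layout and the stake units are assumptions.

```python
from dataclasses import dataclass

MAX_LINES = 20  # the slot machine on slide 19 (assumed layout)


class InvalidBet(ValueError):
    pass


def validate_stake_fail_open(string_val: str) -> bool:
    """Mirrors slide 22: the parse error lands in an empty catch block, the
    rejection flag is never set, and a non-numeric stake is reported as valid."""
    ok = True
    try:
        if int(string_val) <= 0:
            ok = False
    except ValueError:
        pass  # empty catch block: nothing marks the request as invalid
    return ok


@dataclass(frozen=True)
class Bet:
    stake: int    # minor units (e.g. pence); must be positive
    lines: tuple  # exactly MAX_LINES flags, each 0 or 1


def validate_bet(stake_val: str, lines_val: str) -> Bet:
    """Fail-closed: any unexpected input raises and nothing is paid out on it."""
    try:
        stake = int(stake_val)
    except ValueError as exc:
        raise InvalidBet("stake is not an integer") from exc
    if stake <= 0:
        raise InvalidBet("stake must be positive")  # slide 17: no negative stakes
    parts = lines_val.split(",")
    if len(parts) != MAX_LINES:
        raise InvalidBet("wrong number of line flags")  # slide 19: no 21st value
    if any(p not in ("0", "1") for p in parts):
        raise InvalidBet("each line flag must be 0 or 1")
    flags = tuple(int(p) for p in parts)
    if sum(flags) == 0:
        raise InvalidBet("at least one line must be selected")
    return Bet(stake=stake, lines=flags)  # prizes are computed from sum(lines)


def is_valid_bet(stake_val: str, lines_val: str) -> bool:
    try:
        validate_bet(stake_val, lines_val)
        return True
    except InvalidBet:
        return False
```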
23. My automated testing approach
• Change more than 1 parameter at a time!
– Increases the testing time
• Check every step when there are several
• Use a smart fuzzing approach
• Example:
– Change odds/lines/price to an arbitrary value
– Change other parameters until it is successful

24. What can go wrong during a test?
• Permissions (3rd parties might be involved)
– Make sure you are authorised before doing this
• Having access to all payment methods
• Having access to all functions / features
– Region is important
– Account type, luck, promotions, …
• Auto account-disabling mechanism
• Refunding money or returning goods

25. Have a testing methodology
• Bug bounty hunters can lose real money

26. To developers
• Keep it simple & remove unnecessary features
• Appropriate server-side validation
– Parameters
– State
• Verify a processed payment
– Paid amount & currency match the order
• Appropriate error handling
• Secure cryptography
• Review the logic
• Get it tested!
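The server-side checks slide 26 asks for, written as an added example (not the author's or any target's code): the basket is fingerprinted when payment starts, and confirmation fails if the basket changed in the meantime (the ToCToU of slide 9), if the order is not awaiting payment (the state check missing on slide 10), or if the settled amount or currency differs from what the server itself computed. The Order fields, the status names and the gateway inputs are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass


class PaymentError(ValueError):
    pass


@dataclass
class Order:
    order_id: str
    items: dict           # sku -> quantity (constructed sample data)
    prices: dict          # sku -> unit price in minor units, server-side catalogue
    currency: str
    status: str = "open"  # open -> payment_started -> paid
    basket_fingerprint: str = ""

    def total(self) -> int:
        # The amount is always computed here, never taken from the client (slide 6).
        return sum(self.prices[sku] * qty for sku, qty in self.items.items())

    def fingerprint(self) -> str:
        canon = json.dumps(sorted(self.items.items()))
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def start_payment(order: Order) -> dict:
    """Freeze the basket the customer is about to pay for."""
    if order.status != "open":
        raise PaymentError("order is not in a payable state")
    order.basket_fingerprint = order.fingerprint()
    order.status = "payment_started"
    return {"order_id": order.order_id, "amount": order.total(), "currency": order.currency}


def confirm_payment(order: Order, paid_amount: int, paid_currency: str) -> None:
    """Inputs are what the gateway settled, not parameters from the return page (slide 8)."""
    if order.status != "payment_started":
        raise PaymentError("order is not awaiting payment")  # slide 10: state is checked
    if order.fingerprint() != order.basket_fingerprint:
        raise PaymentError("basket changed after payment began")  # slide 9: closes the window
    if (paid_amount, paid_currency) != (order.total(), order.currency):
        raise PaymentError("paid amount or currency does not match the order")  # slide 26
    order.status = "paid"


def try_confirm(order: Order, paid_amount: int, paid_currency: str) -> bool:
    try:
        confirm_payment(order, paid_amount, paid_currency)
        return True
    except PaymentError:
        return False
```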
27. To system owners
• Monitor users and players
– Who is regularly winning from what games
– Who is regularly getting items without paying
• Get real-time alerts on:
– Payment errors
– Unusually high number of money transfers
– High number of small bets to detect testing
• Get the payment & gambling apps tested

28. Thanks, any questions?

29. A free recipe
• Attend an OWASP chapter meeting!!!
• Encourage someone to pay for you
• Work for the pizza shop
• Use valid loyalty points (not free?)
• Steal it?! (a bad option, don’t do this)
• Or buy it online for free! (just kidding)
– An officer may deliver the dip for you!