Sergey Scherbel, Yuriy Dyachenko. Analyzing $natch
Presentation Transcript

  • $NATCH
    Sergey Scherbel & Yuriy Dyachenko
    Positive Technologies
    Positive Hack Days 2013
  • Some Background
    The competition took place for the first time at PHDays 2012. $natch aims at demonstrating the typical vulnerabilities of online banking systems.
    Positive Technologies performs security tests of online banking systems on a regular basis. We are really into it.
    The most interesting and dangerous vulnerabilities, along with the simply typical weaknesses, are integrated into PHDays iBank.
  • Last Year Results
    ― 9 participants;
    ― 4 winners;
    ― the biggest winnings of 3,500 roubles;
    ― some winners got into the Positive community (after an extremely scary interview, of course).
  • PHDays iBank 2
    PHDays iBank 2 is NOT a real online banking system used by actual banks.
    The system was developed exclusively for the PHDays 2013 competition.
    PHDays iBank 2 employs the typical vulnerabilities of online banking systems.
  • Competition Rules
    ― 100 bank clients;
    ― 10 participants;
    ― 20,000 roubles of prize money;
    ― 1 day for source code analysis;
    ― 30–40 minutes of the actual competition;
    ― a participant will get as much money as he/she manages to transfer to his/her account;
    ― the participants can steal money from each other.
  • At Workshop
    You will be able:
    ― to examine each vulnerability in detail;
    ― to exploit vulnerabilities “by hand”;
    ― to exploit vulnerabilities with various tools.
    Everything is performed on a special copy of the competition system.
  • Accounts
    100001:PKAC1y
    100002:RNrlO9
    100003:Ndl1Ix
    100004:hQPuJw
    100005:kpgtCI
  • Authentication
    One should enter the CAPTCHA to sign in.
  • Mobile Bank Authentication
    No CAPTCHA here, thus account brute force is possible.
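The mobile endpoint's weakness is that nothing slows down repeated guesses against one account. What follows is an added example, not code from the presentation or from PHDays iBank 2: a failure counter that limits sign-in attempts per account and per client address on the CAPTCHA-less endpoint. The class name, the limits, the in-memory store and the verifyCredentials() stand-in are assumptions; a real deployment would keep the counters in a shared cache.

```php
<?php
// Added example, not from PHDays iBank 2: throttle failed sign-ins on the mobile
// endpoint, which has no CAPTCHA. Limits, names and the in-memory store are assumptions.

final class LoginThrottle
{
    private const MAX_PER_ACCOUNT = 5;   // failures before one account is locked out
    private const MAX_PER_IP      = 20;  // failures from one client across all accounts
    private const WINDOW_SECONDS  = 900; // 15-minute sliding window

    /** @var array<string, int[]> timestamps of recent failures, keyed "acct:..." / "ip:..." */
    private array $failures = [];

    // Both limits are checked: the per-account cap stops a dictionary run against one
    // client; the per-IP cap stops one source from trying a single common password
    // (the ones on the next slide) against many accounts.
    public function isAllowed(string $account, string $ip, int $now): bool
    {
        return $this->recentCount("acct:$account", $now) < self::MAX_PER_ACCOUNT
            && $this->recentCount("ip:$ip", $now) < self::MAX_PER_IP;
    }

    public function recordFailure(string $account, string $ip, int $now): void
    {
        $this->failures["acct:$account"][] = $now;
        $this->failures["ip:$ip"][] = $now;
    }

    public function recordSuccess(string $account): void
    {
        unset($this->failures["acct:$account"]);
    }

    // Drops entries older than the window and returns how many remain.
    private function recentCount(string $key, int $now): int
    {
        $cutoff = $now - self::WINDOW_SECONDS;
        $recent = array_values(array_filter(
            $this->failures[$key] ?? [],
            static function (int $t) use ($cutoff): bool { return $t > $cutoff; }
        ));
        $this->failures[$key] = $recent;
        return count($recent);
    }
}

// How a mobile sign-in handler would use it (constructed flow).
function mobileSignIn(LoginThrottle $throttle, string $account, string $password, string $ip, int $now): string
{
    if (!$throttle->isAllowed($account, $ip, $now)) {
        return 'locked';   // refused before the credentials are even looked at
    }
    if (!verifyCredentials($account, $password)) {
        $throttle->recordFailure($account, $ip, $now);
        return 'denied';
    }
    $throttle->recordSuccess($account);
    return 'ok';
}

// Assumed stand-in for the bank's own credential check: one account, hashed password.
function verifyCredentials(string $account, string $password): bool
{
    $known = ['100001' => password_hash('PKAC1y', PASSWORD_DEFAULT)];
    return isset($known[$account]) && password_verify($password, $known[$account]);
}

// Constructed sequence: five wrong guesses, then the right password from the same address.
$throttle = new LoginThrottle();
$now = time();
foreach (['123456', 'qwerty', 'password', '12345', 'phdays', 'PKAC1y'] as $i => $guess) {
    echo 'attempt ', $i + 1, ': ', mobileSignIn($throttle, '100001', $guess, '203.0.113.7', $now), PHP_EOL;
}
```

The sixth attempt is refused even though the password is correct, which is the point of the per-account cap: once the window is exhausted the endpoint stops answering the question at all, so a guesser gains nothing from continuing. The per-IP counter is what catches the more patient variant that spreads a few guesses over many accounts.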
  • Accounts with Simple Passwords
    100011:password
    100012:phdays
    100013:qwerty
    100014:password
    100015:123456
    100016:12345
    100017:11111
    100018:ninja
    100019:123123
    100020:sex
    100021:asdzxc
    100022:654321
    100023:iloveyou
    100024:root
    100025:master
    100026:superman
    ...
  • Transaction Confirmation
  • Confirmation Bypass in Mobile Bank
  • Payment Templates Modification
  • Payment Templates Modification
    The system does not check whether the template belongs to the current user.
  • Payment Templates Modification
  • Payment Templates Modification
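The missing check on the template slides is an ownership (authorization) check: the template is looked up by its id alone, so any signed-in client who supplies another client's template id reaches that row. The following is an added example, not the PHDays iBank 2 code, showing the weak query pattern beside a hardened one in which the owner is part of every query. Table and column names, the in-memory SQLite database and the sample rows are assumptions.

```php
<?php
// Added example, not the PHDays iBank 2 code: a payment template may be read or
// changed only by the client who owns it. Table and column names are assumptions.

// The weak pattern the slide describes: the template is selected by id alone, so any
// authenticated client who supplies another client's template id gets that row.
//   SELECT ... FROM payment_templates WHERE id = :id
//
// Hardened pattern: the owner is part of every query, so a foreign id simply matches
// nothing. The caller cannot distinguish "does not exist" from "not yours".

function loadOwnedTemplate(PDO $db, int $templateId, int $currentUserId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, owner_id, account_to, amount, description
           FROM payment_templates
          WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $templateId, ':owner' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function updateOwnedTemplate(PDO $db, int $templateId, int $currentUserId, string $accountTo, int $amount): bool
{
    $stmt = $db->prepare(
        'UPDATE payment_templates
            SET account_to = :acct, amount = :amount
          WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([
        ':acct'   => $accountTo,
        ':amount' => $amount,
        ':id'     => $templateId,
        ':owner'  => $currentUserId,
    ]);
    // Exactly one row changed means the caller owned the template.
    return $stmt->rowCount() === 1;
}

// Self-contained check on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payment_templates (
    id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL,
    account_to TEXT NOT NULL, amount INTEGER NOT NULL, description TEXT)');
$db->exec("INSERT INTO payment_templates VALUES (1, 100001, '40817810000000000001', 15000, 'rent')");
$db->exec("INSERT INTO payment_templates VALUES (2, 100002, '40817810000000000002', 500, 'phone')");

$me = 100001; // the signed-in client (constructed)
var_dump(loadOwnedTemplate($db, 1, $me));                                    // own template
var_dump(loadOwnedTemplate($db, 2, $me));                                    // another client's template
var_dump(updateOwnedTemplate($db, 2, $me, '40817810000000000001', 999999)); // another client's template
var_dump(updateOwnedTemplate($db, 1, $me, '40817810000000000001', 20000));  // own template
```

Putting the owner into the WHERE clause rather than loading the row first and comparing afterwards keeps the check and the data access in one statement, so there is no code path that can forget it, and a failed update is visible to the caller as a zero row count rather than silently succeeding.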
  • Importing Contacts
    Most online banks have a feature that allows one to import/export data.
  • XML External Entity
    Loading of external entities is not disabled.
    http://php.net/libxml_disable_entity_loader
  • XML External Entity
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE contact [
      <!ENTITY x SYSTEM "php://filter/read=convert.base64-encode/resource=logs/changePassword.log">
    ]>
    <contacts>
      <contact>
        <name>name</name>
        <account>90107430600712500003</account>
        <description>&x;</description>
      </contact>
    </contacts>
    http://www.php.net/manual/en/wrappers.php.php
  • XML External Entity
    The file contents come back base64-encoded (the php://filter wrapper encodes them on read).
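The slide names the fix (libxml_disable_entity_loader) but the import code also has to avoid the flags that turn entity substitution on, and a contacts file has no reason to carry a DTD at all. The following is an added example, not the PHDays iBank 2 import code: it parses a contacts document with the loader disabled, without LIBXML_NOENT, refuses any DOCTYPE, and validates the account field. Element names follow the slide's sample document; the function names and the 20-digit account format are assumptions.

```php
<?php
// Added example, not the PHDays iBank 2 import code: read an uploaded contacts file
// without resolving external entities. Element names follow the slide's sample document;
// the function names and the account-number format are assumptions.

function childText(DOMElement $el, string $tag): string
{
    $node = $el->getElementsByTagName($tag)->item(0);
    return $node === null ? '' : trim($node->textContent);
}

function parseContactsSafely(string $xml): array
{
    // PHP < 8.0: the external entity loader must be switched off explicitly
    // (php.net/libxml_disable_entity_loader). From PHP 8.0 / libxml 2.9 it is off
    // by default and the function is deprecated, so the call is version-guarded.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is deliberately
    // absent: it is the flag that turns entity substitution on.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }

    // A contacts export never needs a DTD. Refusing any DOCTYPE removes SYSTEM entities
    // (the php://filter read on the slide) and internal entity expansion in one check.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE is not allowed in a contacts file');
    }

    $contacts = [];
    foreach ($doc->getElementsByTagName('contact') as $c) {
        $account = childText($c, 'account');
        if (!preg_match('/^\d{20}\z/', $account)) {   // 20-digit account number (assumed format)
            throw new InvalidArgumentException('bad account number');
        }
        $contacts[] = [
            'name'        => childText($c, 'name'),
            'account'     => $account,
            'description' => childText($c, 'description'),
        ];
    }
    return $contacts;
}

// Constructed inputs: a legitimate export and the entity-bearing document from the slide.
$clean = '<?xml version="1.0" encoding="utf-8"?>'
    . '<contacts><contact><name>Landlord</name><account>90107430600712500003</account>'
    . '<description>rent</description></contact></contacts>';
$withDoctype = '<?xml version="1.0" encoding="utf-8"?>'
    . '<!DOCTYPE contact [<!ENTITY x SYSTEM "php://filter/read=convert.base64-encode/resource=logs/changePassword.log">]>'
    . '<contacts><contact><name>name</name><account>90107430600712500003</account>'
    . '<description>&x;</description></contact></contacts>';

print_r(parseContactsSafely($clean));
try {
    parseContactsSafely($withDoctype);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The DOCTYPE check is the part that does not depend on library version or defaults: even on a build where the loader is still enabled, a document that declares entities never reaches the code that reads element text. The validation of the account field is there because the same import path is the one a malformed or hostile file reaches first, so it is the natural place to reject anything that is not a plausible account number.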
  • Debug Mode
  • Thanks for your attention!
    Sergey Scherbel  sscherbel@ptsecurity.ru
    Yuriy Dyachenko  ydyachenko@ptsecurity.ru