Sergey Scherbel, Yuriy Dyachenko. Analyzing $natch
Published in: Technology, Economy & Finance

Transcript

  • 1. $NATCH
    Sergey Scherbel & Yuriy Dyachenko
    Positive Technologies
    Positive Hack Days 2013
  • 2. Some Background
    The competition took place for the first time at PHDays 2012.
    $natch aims at demonstrating the typical vulnerabilities of online banking systems.
    Positive Technologies performs security tests of online banking systems on a regular basis. We are really into it.
    The most interesting and dangerous vulnerabilities, along with the simply typical weaknesses, are integrated into PHDays iBank.
  • 3. Last Year Results
    ― 9 participants;
    ― 4 winners;
    ― the biggest winnings of 3,500 roubles;
    ― some winners got into the Positive community (after an extremely scary interview, of course).
  • 4. PHDays iBank 2
    PHDays iBank 2 is NOT a real online banking system used by actual banks.
    The system was developed exclusively for the PHDays 2013 competition.
    PHDays iBank 2 employs the typical vulnerabilities of online banking systems.
  • 5. Competition Rules
    ― 100 bank clients;
    ― 10 participants;
    ― 20,000 roubles of prize money;
    ― 1 day for source code analysis;
    ― 30–40 minutes of the actual competition;
    ― a participant gets as much money as he/she manages to transfer to his/her account;
    ― the participants can steal money from each other.
  • 6. At Workshop
    You will be able:
    ― to examine each vulnerability in detail;
    ― to exploit vulnerabilities “by hand”;
    ― to exploit vulnerabilities with various tools.
    Everything is performed on a special copy of the competition system.
  • 7. Accounts
    100001:PKAC1y
    100002:RNrlO9
    100003:Ndl1Ix
    100004:hQPuJw
    100005:kpgtCI
  • 8. Authentication
    One has to enter a CAPTCHA to sign in.
  • 9. Mobile Bank Authentication
    There is no CAPTCHA here, so brute-forcing accounts is possible.
  • 10. Accounts with Simple Passwords
    100011:password
    100012:phdays
    100013:qwerty
    100014:password
    100015:123456
    100016:12345
    100017:11111
    100018:ninja
    100019:123123
    100020:sex
    100021:asdzxc
    100022:654321
    100023:iloveyou
    100024:root
    100025:master
    100026:superman
    ...
  • 11. Transaction Confirmation
  • 12. Confirmation Bypass in Mobile Bank
  • 13. Payment Templates Modification
  • 14. Payment Templates Modification
    The system does not check whether a template is owned by the current user.
  • 15. Payment Templates Modification
    $$
  • 16. Payment Templates Modification
    $$
  • 17. Importing Contacts
    Most online banks have a feature that allows one to import/export data.
  • 18. XML External Entity
    Loading of external entities is not disabled.
    http://php.net/libxml_disable_entity_loader
  • 19. XML External Entity
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE contact [
      <!ENTITY x SYSTEM "php://filter/read=convert.base64-encode/resource=logs/changePassword.log">
    ]>
    <contacts>
      <contact>
        <name>name</name>
        <account>90107430600712500003</account>
        <description>&x;</description>
      </contact>
    </contacts>
    http://www.php.net/manual/en/wrappers.php.php
  • 20. XML External Entity
    The file contents come back base64-encoded in the imported contact's description.
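The contact-import parser in a vulnerable and a hardened form, as an added PHP example that is not code from PHDays iBank 2 or from the authors; the function names, the contact fields and the benign sample document are assumptions, and the hardening uses the libxml_disable_entity_loader() switch the slides link to plus a DOCTYPE check.

```php
<?php
// Added example, not code from PHDays iBank 2. Function names, the
// contact structure and the sample document below are assumptions.

// Vulnerable parse: LIBXML_NOENT substitutes entities, and the external
// entity loader is on by default, so a SYSTEM entity such as the
// php://filter one from the slides lands a local file in <description>.
function parseContactsVulnerable(string $xml): array {
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT);
    return extractContacts($doc);
}

// Hardened parse: the import format has no legitimate use for a DOCTYPE,
// so reject one outright; additionally switch the external entity loader
// off for the duration of the parse, forbid network access, and never
// request entity substitution.
function parseContactsSafe(string $xml): array {
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE not allowed in contact import');
    }
    // libxml_disable_entity_loader() is the PHP < 8.0 switch referenced on the
    // slides; since 8.0 the loader is off by default and the call is deprecated.
    $previous = libxml_disable_entity_loader(true);
    libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML');
        }
        return extractContacts($doc);
    } finally {
        libxml_disable_entity_loader($previous);
    }
}

// Pull the three fields of the slides' sample document out of each <contact>.
function extractContacts(DOMDocument $doc): array {
    $out = [];
    foreach ($doc->getElementsByTagName('contact') as $c) {
        $field = fn(string $tag) => $c->getElementsByTagName($tag)->item(0)->nodeValue ?? '';
        $out[] = ['name' => $field('name'), 'account' => $field('account'), 'description' => $field('description')];
    }
    return $out;
}

// Constructed benign import (no DOCTYPE): parses normally; a document carrying
// the DOCTYPE from slide 19 is rejected before libxml ever sees it.
$benign = '<?xml version="1.0"?><contacts><contact><name>n</name><account>1</account><description>d</description></contact></contacts>';
var_dump(parseContactsSafe($benign));
```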
  • 21. Debug Mode
  • 22. Thanks for your attention!
    Sergey Scherbel, sscherbel@ptsecurity.ru
    Yuriy Dyachenko, ydyachenko@ptsecurity.ru