How to win BIG!
Several Interesting Examples of
Exploiting
Financial & Gambling Apps
by Soroush Dalili - OWASP Birmingham, UK - March 2019
whoami?
• Soroush Dalili
• Principal security consultant @ NCC Group
• Web application tester / researcher
• Twitter: @irsdl
• Personal blog: https://soroush.me/
• Work email: soroush.dalili[at]nccgroup{dot}com
What’s going on here?
HACKERS GONNA CHEAT WHILST PLAYING
What could I buy?!
Main references
• Based on identified issues in real websites
– Easy examples (!=comprehensive, !=all findings)
• This whitepaper:
https://www.nccgroup.trust/uk/our-research/common-security-issues-in-financially-orientated-web-applications/
• NCC Group’s gambling game testing methodology
– Internal but similar to the published whitepaper above
Price manipulation
• Super easy but might be hard to find!
• Example:
– Target had multi-step checkout process
– A separate API to interact with payment gateways
– Accepted encrypted amount value without any checks
– Exploited by replaying price of a cheaper item
What else can be changed?
• Anything that can change the price!
– Delivery option, quantity, discount, VAT code, buyer’s region, special events, currency, etc.
• Look for references and encrypted values too
• All payment methods should be tested separately
Payment bypass, for real!
• Parameter manipulation:
– In payment processors (esp. when it’s internal)
– In return pages from payment gateways
• Examples:
– Removing a reference parameter
– Modifying the payment method in return
Order update when paying
• Classic TOCTOU (time-of-check to time-of-use), easy to test and find!
1. Add a cheap item to the basket
2. Go to the payment page in tab 1
3. Open the basket in tab 2
4. Update your order
• new items, quantity, postage, etc.
5. Continue with the payment process in tab 1
6. You pay for the cheap item but you may get them all
Order update after paying!
• To add more items or change a confirmed order, insurance quote, or an invoice
• When order status is not checked properly
• Example:
– The cheapest car insurance was purchased
• Using invalid details such as NCB (no-claims bonus), vehicle model, etc.
– It was updated by changing & replaying a request
• Insurance ID in header & body (repeated)
• The IID in the header was replaced with a fresh ID
• Validation bypassed, insurance certificate was updated!
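The price-manipulation, payment-bypass, order-update-when-paying and order-update-after-paying slides above all come down to the same server-side rules: compute the price yourself, freeze the order once payment starts, and accept a gateway return only when its reference, amount, currency and status match the frozen order. The following is an added example written for this page, not code from the talk or from NCC Group; the catalogue, the gateway parameter names and the gateway's HMAC signature scheme are constructed stand-ins for whatever a real PSP uses.

```python
from dataclasses import dataclass
from decimal import Decimal
import hashlib
import hmac
import secrets

# Constructed catalogue and gateway key. The gateway, its parameter names and its
# signature scheme are hypothetical stand-ins for whatever PSP a real site uses.
CATALOGUE = {"mug": Decimal("4.99"), "laptop": Decimal("899.00")}
GATEWAY_SECRET = b"key-shared-with-the-hypothetical-gateway"


class CheckoutError(Exception):
    pass


@dataclass
class Order:
    id: str
    currency: str
    lines: dict                   # sku -> quantity
    status: str = "open"          # open -> awaiting_payment -> paid
    locked_total: Decimal = None  # snapshot taken when payment starts
    payment_ref: str = None       # fresh reference bound to that snapshot


def server_total(order):
    # Recomputed from the catalogue; nothing price-related is taken from the client.
    return sum(CATALOGUE[sku] * qty for sku, qty in order.lines.items())


def update_basket(order, sku, qty):
    """Rejected once payment has started: closes 'update when paying' and 'update after paying'."""
    if order.status != "open":
        raise CheckoutError(f"order {order.id} is {order.status}; it can no longer change")
    if sku not in CATALOGUE or type(qty) is not int or qty <= 0:
        raise CheckoutError("unknown item or invalid quantity")
    order.lines[sku] = qty


def start_payment(order):
    """Freeze the order and give the gateway an amount bound to a fresh reference."""
    if order.status != "open":
        raise CheckoutError("payment already started")
    order.status = "awaiting_payment"
    order.locked_total = server_total(order)
    order.payment_ref = secrets.token_hex(8)
    return {"reference": order.payment_ref, "amount": f"{order.locked_total:.2f}",
            "currency": order.currency}


def gateway_sign(fields):
    """Signature the (hypothetical) gateway puts on its return-page / callback parameters."""
    canonical = "\n".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(GATEWAY_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def complete_payment(order, notification):
    """Accept the gateway's return only if every field matches the frozen order."""
    fields = {k: v for k, v in notification.items() if k != "sig"}
    try:                                  # a removed 'reference' is malformed, not a pass
        reference, status, currency = fields["reference"], fields["status"], fields["currency"]
        amount = Decimal(fields["amount"])
    except (KeyError, TypeError, ArithmeticError) as exc:
        raise CheckoutError(f"malformed notification: {exc!r}")
    if not hmac.compare_digest(notification.get("sig", ""), gateway_sign(fields)):
        raise CheckoutError("bad gateway signature")
    if order.status != "awaiting_payment":
        raise CheckoutError(f"order is {order.status}, not awaiting payment")
    if reference != order.payment_ref:    # e.g. a replayed notification from a cheaper order
        raise CheckoutError("notification belongs to a different payment")
    if status != "AUTHORISED":
        raise CheckoutError(f"payment not authorised: {status}")
    if amount != order.locked_total or currency != order.currency:
        raise CheckoutError("paid amount/currency does not match the order")
    order.status = "paid"
    return True


def tocttou_attempt():
    """The slide's sequence: mug in basket, start paying (tab 1), add a laptop (tab 2), finish (tab 1)."""
    order = Order("o1", "GBP", {"mug": 1})
    request = start_payment(order)
    try:
        update_basket(order, "laptop", 1)
        blocked = False
    except CheckoutError:
        blocked = True
    notification = dict(request, status="AUTHORISED")
    notification["sig"] = gateway_sign(notification)
    complete_payment(order, notification)
    return blocked, order.status, dict(order.lines), order.locked_total


def replay_cheaper_payment():
    """Pay for a mug, then replay that (genuinely signed) notification against a laptop order."""
    cheap, pricey = Order("o2", "GBP", {"mug": 1}), Order("o3", "GBP", {"laptop": 1})
    paid = dict(start_payment(cheap), status="AUTHORISED")
    paid["sig"] = gateway_sign(paid)
    complete_payment(cheap, paid)
    start_payment(pricey)
    try:
        complete_payment(pricey, paid)
        return "accepted"
    except CheckoutError as exc:
        return str(exc)
```

The order of checks in `complete_payment` matters: the signature is verified before anything else is trusted, and a missing field is treated as a malformed message rather than as "nothing to check". The same comparisons have to be repeated per payment method, since each gateway integration tends to have its own return page.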
Abusing free samples or gifts…
• Buy item A to also get item B for free
• Free items can be purchased separately
• Exploited by changing quantity of free items!
Race conditions
• Example 1: Money transfer
– Works even better when there are multiple accounts
– Creates money out of thin air!
Race conditions
• Example 2: One time promotion codes
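The money-transfer race on the previous slide is a check-then-act bug: the balance is read and compared in one step and debited in another, so two requests that both pass the check both get paid out. The block below is an added example for this page, not code from the talk; it uses an in-memory SQLite ledger with constructed balances, and the `interleave` hook stands in for a second concurrent request so the interleaving is deterministic (in a real test you would fire the requests in parallel, e.g. with Burp's Turbo Intruder or a thread pool).

```python
import sqlite3


def new_bank(balances):
    """Constructed in-memory ledger; autocommit, so each statement is its own transaction."""
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", balances.items())
    return con


def balance(con, account):
    return con.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()[0]


def transfer_vulnerable(con, src, dst, amount, interleave=None):
    """Check-then-act: the balance test and the debit are separate statements."""
    if amount <= 0 or balance(con, src) < amount:
        return False
    if interleave:
        interleave()            # a second request (other tab / account) lands in the window
    con.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
    con.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
    return True


def transfer_safe(con, src, dst, amount, interleave=None):
    """The check is part of the write: a conditional UPDATE inside one transaction."""
    if amount <= 0:
        return False
    if interleave:
        interleave()            # wherever the other request lands, it cannot double-spend
    con.execute("BEGIN IMMEDIATE")
    try:
        debited = con.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, src, amount)).rowcount
        if debited != 1:
            con.execute("ROLLBACK")
            return False
        con.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        con.execute("COMMIT")
        return True
    except Exception:
        con.execute("ROLLBACK")
        raise


def double_spend(transfer):
    """Alice has 100 and fires two 100-unit transfers 'at once' (the slide's multi-account variant)."""
    con = new_bank({"alice": 100, "bob": 0, "carol": 0})
    first = transfer(con, "alice", "bob", 100,
                     interleave=lambda: transfer(con, "alice", "carol", 100))
    return first, balance(con, "alice"), balance(con, "bob"), balance(con, "carol")
```

With the vulnerable version Alice ends at -100 while Bob and Carol each hold 100: 200 was paid out of a 100 balance. With the conditional update the second transfer finds no row with `balance >= 100` and is rejected. The same pattern (make the precondition part of the atomic write, or take a row lock with `SELECT ... FOR UPDATE`) is the fix for the one-time promotion code race on the next slide: mark the code as used in the same statement that checks it is unused.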
Abusing concatenation in signature
• Signature = SHA1(secret + … + reference + amount)
– “reference” → string, “amount” → number
• Hash length extension
– Example tools: Hash Extender, HashPump
– But there are no delimiters between parameters, so the field boundary can also simply be moved:
– …&reference=abcd&amount=89
– …&reference=abcd8&amount=9
– …&reference=abcd89%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%f0&amount=1
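Both tricks on this slide rely on the signature being a plain hash over concatenated fields. The block below is an added, self-contained example for this page (not code from the talk, and not the Hash Extender or HashPump tools it mentions): it reproduces the boundary shift, performs the SHA-1 length extension that yields the slide's `abcd89%80%00…%f0` reference, and shows the fix. The secret is constructed; its 24-byte length is an assumption chosen so the forged payload matches the slide exactly (the padding there ends in `%f0`, i.e. 240 bits = 30 bytes hashed before the forged tail, and 30 - len("abcd89") = 24). The other fields hidden behind "…" on the slide are omitted.

```python
import hashlib
import hmac
import struct

# Constructed secret; 24 bytes is an assumption that reproduces the slide's payload.
SECRET = b"s3cret-key-of-24-bytes!!"


# -- the vulnerable scheme: SHA1(secret + reference + amount), fields simply concatenated
def sign(reference: bytes, amount: bytes) -> str:
    return hashlib.sha1(SECRET + reference + amount).hexdigest()


def verify(reference: bytes, amount: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(reference, amount), sig)


# -- attack 1: move the field boundary; the concatenation, hence the hash, is unchanged
def shift_boundary(reference: bytes, amount: bytes):
    joined = reference + amount              # abcd|89  ->  abcd8|9
    return joined[:-1], joined[-1:]


# -- attack 2: length extension. Just enough of SHA-1 to resume from a known digest.
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _sha1_pad(msg_len):
    """Padding SHA-1 appends to a msg_len-byte message: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def _sha1_compress(h, block):
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]


def sha1_extend(known_digest: str, hashed_len: int, extra: bytes) -> str:
    """SHA1(M || extra) from SHA1(M) alone, where hashed_len = len(M || its padding)."""
    h = list(struct.unpack(">5I", bytes.fromhex(known_digest)))
    data = extra + _sha1_pad(hashed_len + len(extra))
    for off in range(0, len(data), 64):
        h = _sha1_compress(h, data[off:off + 64])
    return struct.pack(">5I", *h).hex()


def forge_by_length_extension(reference, amount, sig, new_amount, secret_len):
    """The glue padding is smuggled inside `reference`; `amount` becomes whatever we like."""
    original = reference + amount
    glue = _sha1_pad(secret_len + len(original))
    hashed_len = secret_len + len(original) + len(glue)      # a multiple of 64
    return original + glue, new_amount, sha1_extend(sig, hashed_len, new_amount)


# -- the fix: a keyed MAC over an unambiguous (length-prefixed) encoding of each field
def sign_fixed(reference: bytes, amount: bytes) -> str:
    msg = b"".join(struct.pack(">I", len(f)) + f for f in (reference, amount))
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify_fixed(reference: bytes, amount: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_fixed(reference, amount), sig)
```

In practice the secret length is unknown, which is why the tools on the slide generate one candidate per length and you submit them until the server accepts one; the forged `reference` bytes are sent URL-encoded, exactly as the slide shows. Note that HMAC alone does not close the boundary-shift attack: the fields must also be encoded unambiguously (length prefixes, or named fields with escaping) before being MACed.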
Gambling games’ bugs…
• Games are used by multiple sites
– 1 bug x 20 websites x £50 per week = £1000 pw
– Can go undetected for a while
* Images have been selected by searching in Google and do not represent the actual vulnerable games/apps!
Gambling apps’ problems
• Insufficient validation
• Logical bugs and state confusion
• Know your system
– Different bet types
– Different features in different sports
– Different games from the same vendor
– Hidden games’ features
– Free bets, bonuses, promotions, …
Reversing a game – Shocking!
• In a Top Trumps game, the result was inverted:
– When a negative stake was provided!
– Very simple odds manipulation – e.g. look at YoB:
Why use the expensive RNG machine?
• RNG was not used for free games (why not?!)
• Selectable cards were also sent
• Unintentionally supported in real games too
• Server forced to always choose a specific card
• I could win every single time!
Another lovely unnecessary feature
• A slot machine with 20 lines:
– Lines parameter was like this (selecting 15 lines):
• Lines=1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0
– Accepted any number, not just 0 or 1 (why?!)
– 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,-19
• Paying for 1 line, normal prize was small
• But, the bonus prize was based on 20 lines so:
Godsend Bingo tickets…
• Imagine a Bingo game
• Every 4 tickets, I got 1 free ticket
• The pay-with-points parameter was set to “false”
• Did not work without points…
• “true” multiple times followed by a “false”
– Several free tickets added to my only ticket!
– Could make me rich!
Know the logic, multi-bets FTW!
• Multi-bets → better odds
• Team A vs Team B, Players should not be able to:
– Choose duplicate events/fixtures
• A wins + A wins
– Choose related events/fixtures
• A wins + B loses + Game has > 0.5 goal
• The same event became different when…
– A wins + A wins with > 0.5 goals! (added parameter)
Validation bypass using errors
• An empty catch block in the main validation function
• Validation was bypassed when:
– stringVal=NotANumberValue!
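The slot-machine `Lines` values, the negative Top Trumps stake, the repeated pay-with-points flag and the empty catch block above are all input-validation failures of the same kind. The block below is an added example for this page, not code from the talk or from any of the games: it shows the empty-catch anti-pattern next to a strict parser for a constructed bet request (`stake`, `lines`, `payWithPoints`; parameter names and limits are assumptions apart from `Lines` and the pay-with-points flag named on the slides).

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed limits and parameter names.
MAX_LINES = 20
MAX_STAKE = Decimal("100")


class BetError(ValueError):
    pass


def stake_accepted_vulnerable(raw):
    """The slide's anti-pattern: the check sits inside a catch-all that swallows errors.
    'NotANumberValue!' raises, the exception is discarded, and 'not rejected' is read
    as 'valid'. A negative stake is never tested at all, so -5 also passes."""
    rejected = False
    try:
        if Decimal(raw) > MAX_STAKE:
            rejected = True
    except Exception:
        pass                      # empty catch block
    return not rejected


def parse_single(query, name):
    """Reject repeated parameters (the bingo 'true,true,...,false' trick) instead of
    letting the framework silently pick the first or the last value."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    if not values:
        raise BetError(f"{name}: missing")
    if len(values) != 1:
        raise BetError(f"{name}: supplied {len(values)} times")
    return values[0]


def validate_bet(query):
    """Strict parse of 'stake=...&lines=...&payWithPoints=...'; returns normalised values."""
    try:
        stake = Decimal(parse_single(query, "stake"))
    except InvalidOperation:
        raise BetError("stake: not a number")
    if not stake.is_finite() or stake <= 0 or stake > MAX_STAKE:   # rejects NaN, Infinity, -5
        raise BetError("stake: must be a positive amount up to the limit")
    if stake != stake.quantize(Decimal("0.01")):
        raise BetError("stake: more than two decimals")
    raw_lines = parse_single(query, "lines").split(",")
    if len(raw_lines) != MAX_LINES or any(v not in ("0", "1") for v in raw_lines):
        raise BetError("lines: need exactly 20 flags, each 0 or 1")
    active = raw_lines.count("1")
    if active == 0:
        raise BetError("lines: select at least one")
    pay_with_points = parse_single(query, "payWithPoints")
    if pay_with_points not in ("true", "false"):
        raise BetError("payWithPoints: must be true or false")
    return {"stake": stake, "active_lines": active,
            "charge": stake * active, "pay_with_points": pay_with_points == "true"}


def outcome(query):
    """'ok' or the rejection reason; convenient for table-driven tests."""
    try:
        validate_bet(query)
        return "ok"
    except BetError as exc:
        return str(exc)
```

Two details carry the weight: the allowed values are an explicit whitelist (`"0"`/`"1"`, `"true"`/`"false"`) rather than "anything numeric", and the charge and the bonus basis are both derived from the same validated `active_lines` count, so there is no second, client-influenced notion of "how many lines are in play".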
My automated testing approach
• Change more than 1 parameter at a time!
– Increases the testing time
• Check every step when there are several
• Use a smart fuzzing approach
• Example:
– Change odds/lines/price to an arbitrary value
– Change other parameters until it is successful
What can go wrong during a test?
• Permissions (3rd parties might be involved)
– Make sure you are authorised before doing this
• Having access to all payment methods
• Having access to all functions / features
– Region is important
– Account type, luck, promotions, …
• Automatic account-disabling mechanisms
• Refunding money or returning goods
Have a testing methodology
• Bug bounty hunters can lose real money
To developers
• Keep it simple & remove unnecessary features
• Appropriate server-side validation
– Parameters
– State
• Verify a processed payment
– Paid amount & currency matches the order
• Appropriate error handling
• Secure cryptography
• Review the logic
• Get it tested!
To system owners
• Monitor users and players
– Who is regularly winning from what games
– Who regularly receives items without paying
• Get real-time alerts on:
– Payment errors
– Unusually high number of money transfers
– High number of small bets (a sign of someone probing the game)
• Get the payment & gambling apps tested
Thanks, any questions?
A free recipe
• Attend an OWASP chapter meeting!!!
• Encourage someone to pay for you
• Work for the pizza shop
• Use valid loyalty points (not free?)
• Steal it?! (a bad option, don’t do this)
• Or buy it online for free! (just kidding)
– An officer may deliver the dip for you!