How to win big - Several Interesting Examples of Exploiting Financial & Gambling Apps

I am going to review a number of interesting flaws that I have seen in payment systems and gambling games. This includes examples that allowed me to win big while I was gambling very responsibly, as well as simple methods that brought me free goods such as expensive books that I really didn't need, fake moustaches, or even caskets for my fake funeral!

Disclaimer: all issues were reported responsibly to the companies, and no moustache or slot machine was harmed in this process! I am not going to name any companies during this presentation.


  1. How to win BIG! Several Interesting Examples of Exploiting Financial & Gambling Apps
     by Soroush Dalili - OWASP Birmingham, UK - March 2019
  2. whoami?
     • Soroush Dalili
     • Principal security consultant @ NCC Group
     • Web application tester / researcher
     • Twitter: @irsdl
     • Personal blog: https://soroush.me/
     • Work email: soroush.dalili[at]nccgroup{dot}com
  3. What's going on here? HACKERS GONNA CHEAT WHILST PLAYING
  4. What could I buy?!
  5. Main references
     • Based on identified issues in real websites
       – Easy examples (!= comprehensive, != all findings)
     • This whitepaper: https://www.nccgroup.trust/uk/our-research/common-security-issues-in-financially-orientated-web-applications/
     • NCC Group's gambling game testing methodology
       – Internal, but similar to the published whitepaper above
  6. Price manipulation
     • Super easy, but might be hard to find!
     • Example:
       – Target had a multi-step checkout process
       – A separate API to interact with payment gateways
       – Accepted an encrypted amount value without any checks
       – Exploited by replaying the price of a cheaper item
  7. What else can be changed?
     • Anything that can change the price!
       – Delivery option, quantity, discount, VAT code, buyer's region, special events, currency, etc.
     • Look for references and encrypted values too
     • All payment methods should be tested separately
  8. Payment bypass, for real!
     • Parameter manipulation:
       – In payment processors (esp. when it's internal)
       – In return pages from payment gateways
     • Examples:
       – Removing a reference parameter
       – Modifying the payment method in the return
  9. Order update when paying
     • Classic TOCTOU, easy to test and find!
       1. Add a cheap item to the basket
       2. Go to the payment page in tab 1
       3. Open the basket in tab 2
       4. Update your order (new items, quantity, postage, etc.)
       5. Continue with the payment process in tab 1
       6. You pay for the cheap item, but you may get them all
  10. Order update after paying!
     • To add more items or change a confirmed order, insurance quote, or an invoice
     • When the order status is not checked properly
     • Example:
       – The cheapest car insurance was purchased, using invalid details such as NCB, vehicle model, etc.
       – It was updated by changing & replaying a request
         • Insurance ID in header & body (repeated)
         • The IID in the header was replaced with a fresh ID
         • Validation bypassed, insurance certificate was updated!
  11. Abusing free samples or gifts…
     • Buy item A to also get item B for free
     • Free items can be purchased separately
     • Exploited by changing the quantity of the free items!
  12. Race conditions
     • Example 1: Money transfer
       – Works even better when there are multiple accounts
       – Creates money out of thin air!
  13. Race conditions
     • Example 2: One-time promotion codes
  14. Abusing concatenation in signature
     • Signature = SHA1(secret + … + reference + amount)
       – "reference" → string, "amount" → number
     • Hash length extension
       – Example tools: Hash Extender, HashPump
       – But no delimiters between parameters!
       – …&reference=abcd&amount=89
       – …&reference=abcd8&amount=9
       – …&reference=abcd89%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%f0&amount=1
  15. Gambling games' bugs…
     • Games are used by multiple sites
       – 1 bug × 20 websites × £50 per week = £1000 pw
       – Can go undetected for a while
     * Images have been selected by searching in Google and do not represent the actual vulnerable games/apps!
  16. Gambling apps' problems
     • Insufficient validation
     • Logical bugs and state confusion
     • Know your system
       – Different bet types
       – Different features in different sports
       – Different games from the same vendor
       – Hidden game features
       – Free bets, bonuses, promotions, …
  17. Reversing a game – Shocking!
     • In a Top Trumps game, the result was inverted:
       – When a negative stake was provided!
       – Very simple odds manipulation
       – e.g. look at YoB:
  18. Why use the expensive RNG machine?
     • RNG was not used for free games (why not?!)
     • Selectable cards were also sent
     • Unintentionally supported in real games too
     • Server forced to always choose a specific card
     • I could win every single time!
  19. Another lovely unnecessary feature
     • A slot machine with 20 lines:
       – Lines parameter was like this (selecting 15 lines):
         • Lines=1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0
       – Accepted any number other than 0 or 1 (why?!)
         • 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,-19
       – Paying for 1 line, the normal prize was small
       – But the bonus prize was based on 20 lines, so:
  20. Godsend Bingo tickets…
     • Imagine a Bingo game
     • Every 4 tickets, I got 1 free ticket
     • "Pay with points" parameter was set to "false"
     • Did not work without points…
     • "true" multiple times, followed by a "false"
       – Several free tickets added to my only ticket!
       – Could make me rich!
  21. Know the logic, multi-bets FTW!
     • Multi-bets → better odds
     • Team A vs Team B, players should not be able to:
       – Choose duplicate events/fixtures
         • A wins + A wins
       – Choose related events/fixtures
         • A wins + B loses + Game has > 0.5 goals
     • The same event became different when…
       – A wins + A wins with > 0.5 goals! (added parameter)
  22. Validation bypass using errors
     • An empty catch block in the main validation function
     • Validation was bypassed when:
       – stringVal=NotANumberValue!
  23. My automated testing approach
     • Change more than 1 parameter at a time!
       – Increases the testing time
     • Check every step when there are several
     • Use a smart fuzzing approach
     • Example:
       – Change odds/lines/price to an arbitrary value
       – Change other parameters until it is successful
  24. What can go wrong during a test?
     • Permissions (3rd parties might be involved)
       – Make sure you are authorised before doing this
     • Having access to all payment methods
     • Having access to all functions / features
       – Region is important
       – Account type, luck, promotions, …
     • Auto account-disabling mechanism
     • Refunding money or returning goods
  25. Have a testing methodology
     • Bug bounty hunters can lose real money
  26. To developers
     • Keep it simple & remove unnecessary features
     • Appropriate server-side validation
       – Parameters
       – State
     • Verify a processed payment
       – Paid amount & currency match the order
     • Appropriate error handling
     • Secure cryptography
     • Review the logic
     • Get it tested!
  27. To system owners
     • Monitor users and players
       – Who is regularly winning from which games
       – Who is regularly getting items without paying
     • Get real-time alerts on:
       – Payment errors
       – Unusually high number of money transfers
       – High number of small bets (to detect testing)
     • Get the payment & gambling apps tested
  28. Thanks, any questions?
  29. A free recipe
     • Attend an OWASP chapter meeting!!!
     • Encourage someone to pay for you
     • Work for the pizza shop
     • Use valid loyalty points (not free?)
     • Steal it?! (a bad option, don't do this)
     • Or buy it online for free! (just kidding)
       – An officer may deliver the dip for you!
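Added example for slides 9, 10 and 26 (order update while paying, order update after paying, verifying a processed payment). This is editor-written Python, not code from the talk or from NCC Group, and the shop, its two products, the prices in pence and the currencies are all constructed. The vulnerable store ships whatever is in the basket when the gateway returns; the hardened store freezes the order when payment starts, refuses basket changes from then on, and checks the paid amount and currency against the frozen order before fulfilling it.

```python
from enum import Enum

PRICES = {"book": 1200, "casket": 89900}   # constructed catalogue, prices in pence


class Status(Enum):
    OPEN = "open"
    AWAITING_PAYMENT = "awaiting_payment"
    PAID = "paid"


def basket_total(basket):
    return sum(PRICES[item] * qty for item, qty in basket.items())


class VulnerableStore:
    """The basket can change at any time and fulfilment reads it after payment."""

    def __init__(self):
        self.basket = {}

    def add(self, item, qty):
        self.basket[item] = self.basket.get(item, 0) + qty   # no state check at all

    def start_payment(self):
        # Payment page (tab 1) hands the *current* total to the gateway.
        return {"amount": basket_total(self.basket), "currency": "GBP"}

    def complete_payment(self, receipt):
        # Gateway return page: the receipt is trusted and whatever is in the basket *now* ships.
        return dict(self.basket)


class HardenedStore:
    """The order is frozen when payment starts; the receipt must match the frozen order."""

    def __init__(self):
        self.basket = {}
        self.status = Status.OPEN
        self.frozen = None

    def add(self, item, qty):
        if self.status is not Status.OPEN:
            raise PermissionError("order is %s and can no longer be changed" % self.status.value)
        if item not in PRICES or qty <= 0:
            raise ValueError("bad item or quantity")
        self.basket[item] = self.basket.get(item, 0) + qty

    def start_payment(self):
        if self.status is not Status.OPEN:
            raise PermissionError("payment already started")
        self.status = Status.AWAITING_PAYMENT
        self.frozen = {"items": dict(self.basket),
                       "amount": basket_total(self.basket), "currency": "GBP"}
        return {"amount": self.frozen["amount"], "currency": self.frozen["currency"]}

    def complete_payment(self, receipt):
        if self.status is not Status.AWAITING_PAYMENT:
            raise PermissionError("no payment in progress")
        # Slide 26: the paid amount *and* currency must match the order that was frozen.
        if (receipt.get("amount") != self.frozen["amount"]
                or receipt.get("currency") != self.frozen["currency"]):
            raise ValueError("receipt %r does not match the order" % receipt)
        self.status = Status.PAID
        return dict(self.frozen["items"])


def two_tab_checkout(store):
    """Slide 9 replayed: tab 1 pays for a cheap basket while tab 2 adds an expensive item."""
    store.add("book", 1)                        # step 1: cheap item
    intent = store.start_payment()              # step 2: tab 1 on the payment page
    try:
        store.add("casket", 1)                  # steps 3-4: tab 2 updates the basket
    except PermissionError:
        pass                                    # the hardened store refuses the update
    receipt = dict(intent)                      # step 5: gateway charges what tab 1 was shown
    shipped = store.complete_payment(receipt)   # step 6: what gets fulfilled?
    return receipt["amount"], shipped


def update_after_paying(store):
    """Slide 10: try to change the order once it is confirmed."""
    store.add("book", 1)
    store.complete_payment(store.start_payment())
    try:
        store.add("casket", 1)
        return "accepted"
    except PermissionError:
        return "rejected"


def wrong_currency(store):
    """A receipt for the right number in a much cheaper currency."""
    store.add("casket", 1)
    intent = store.start_payment()
    try:
        store.complete_payment({"amount": intent["amount"], "currency": "IDR"})
        return "accepted"
    except ValueError:
        return "rejected"
```

Against `VulnerableStore`, `two_tab_checkout` pays 1200 and ships both the book and the casket; against `HardenedStore` it ships only the book, and both the post-payment update and the wrong-currency receipt are rejected.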
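Added example for slides 12 and 13 (race conditions in money transfers and one-time promotion codes). This is editor-written Python, not code from the talk; the bank, the account balances and the promotion code are constructed. The `race_window` hook stands in for the moment between "check" and "act" on a real server: the harness parks every thread there until all of them have passed the check, which is what firing the same request from several connections at once achieves in practice.

```python
import threading


class VulnerableBank:
    """Balance check and debit are two separate steps with no lock."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount, race_window=None):
        if self.balances[src] < amount:
            return False
        if race_window:
            race_window()              # other in-flight requests have passed the check too
        self.balances[src] -= amount
        self.balances[dst] += amount   # N requests: N*amount lands here from one balance
        return True


class SafeBank:
    """Check and debit happen as one step under a lock. The database equivalent is a
    single conditional update, e.g. UPDATE ... SET balance = balance - ? WHERE id = ?
    AND balance >= ?, followed by checking that exactly one row was affected."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def transfer(self, src, dst, amount, race_window=None):
        with self._lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


class VulnerablePromo:
    """One-time promotion code: 'already used?' and 'mark as used' are separate steps."""

    def __init__(self):
        self.used = set()

    def redeem(self, code, race_window=None):
        if code in self.used:
            return False
        if race_window:
            race_window()
        self.used.add(code)
        return True


class SafePromo:
    def __init__(self):
        self.used = set()
        self._lock = threading.Lock()

    def redeem(self, code, race_window=None):
        with self._lock:
            if code in self.used:
                return False
            self.used.add(code)
            return True


def fire_concurrently(n, action):
    """Run action(race_window) on n threads at once and return how many succeeded.
    race_window blocks each thread after its check until all n have checked
    (constructed test harness; a real attacker just sends n requests together)."""
    barrier = threading.Barrier(n)

    def race_window():
        try:
            barrier.wait(timeout=5)
        except threading.BrokenBarrierError:
            pass

    results = []

    def worker():
        results.append(bool(action(race_window)))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True)
```

Five simultaneous £100 transfers out of a £100 account all succeed against `VulnerableBank` (the destination ends with £500), while `SafeBank` lets exactly one through; the promotion code behaves the same way.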
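Added example for slide 14 (hash length extension against a concatenated signature) and the "secure cryptography" point of slide 26. This is editor-written Python, not the talk's tooling: it carries its own small SHA-1 so that the internal state and already-hashed length can be set, which is what Hash Extender and HashPump do. The gateway, its 16-byte secret, the reference "abcd" and the amount 89 are constructed to match the slide; the secret length is assumed known here (an attacker who does not know it simply repeats the forgery for each candidate length and submits each one).

```python
import hashlib
import hmac
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _compress(h, block):
    """One SHA-1 compression round over a 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]


def sha1_padding(total_len):
    """The bytes SHA-1 appends to a message of total_len bytes before hashing."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(msg, state=None, prior_len=0):
    """SHA-1 of msg. With state/prior_len it continues a hash whose first
    prior_len bytes (a multiple of 64) produced the digest 'state'."""
    assert prior_len % 64 == 0
    h = list(state) if state else [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = msg + sha1_padding(prior_len + len(msg))
    for i in range(0, len(data), 64):
        h = _compress(h, data[i:i + 64])
    return b"".join(struct.pack(">I", x) for x in h)


def length_extend(sig_hex, known_msg, secret_len, extension):
    """Given SHA1(secret || known_msg) and len(secret), return known_msg || glue and a
    valid SHA1(secret || known_msg || glue || extension), never seeing the secret."""
    state = [int(sig_hex[i:i + 8], 16) for i in range(0, 40, 8)]
    glue = sha1_padding(secret_len + len(known_msg))
    forged = sha1(extension, state=state, prior_len=secret_len + len(known_msg) + len(glue))
    return known_msg + glue, forged.hex()


# --- Simulated gateway. The secret is a constructed value the attacker never sees.
SECRET = b"gateway-secret16"


def weak_sign(reference, amount):
    """As on the slide: SHA1(secret + reference + amount) with nothing between the fields."""
    return hashlib.sha1(SECRET + reference + str(amount).encode()).hexdigest()


def weak_verify(reference, amount, sig):
    return hmac.compare_digest(weak_sign(reference, amount), sig)


def strong_sign(reference, amount):
    """Fix: HMAC (not extendable) over a length-prefixed encoding (no field-boundary ambiguity)."""
    msg = struct.pack(">I", len(reference)) + reference + struct.pack(">q", amount)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def strong_verify(reference, amount, sig):
    return hmac.compare_digest(strong_sign(reference, amount), sig)


def run_attack(secret_len=len(SECRET)):
    """Replay the slide: a captured 89 checkout for reference 'abcd' becomes a 1 checkout."""
    captured = weak_sign(b"abcd", 89)   # the server signed secret + "abcd" + "89"
    # With no delimiter the server cannot tell reference="abcd",amount=89 from
    # reference="abcd8",amount=9, so the attacker treats "abcd89" as the known message,
    # sends it plus the glue padding as the reference and puts the new amount after it.
    forged_ref, forged_sig = length_extend(captured, b"abcd89", secret_len, b"1")
    return {
        "forged_reference": forged_ref,
        "forged_signature": forged_sig,
        "weak_accepts": weak_verify(forged_ref, 1, forged_sig),
        "strong_accepts": strong_verify(forged_ref, 1, forged_sig),
    }
```

The forged reference starts with `abcd89\x80` and ends with the 8-byte length field, exactly the `%80%00…%f0` shape shown on the slide (URL-encoded there); the request only works if the reference parameter survives with those bytes intact. The concatenation-signing server accepts it for amount 1, the HMAC server rejects it, and a wrong guess for the secret length fails, which is why the attack is run once per candidate length.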
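Added example for slides 17, 19 and 22 (negative stake inverting the result, a lines parameter accepting values other than 0/1, and an empty catch block in the validation function). This is editor-written Python, not code from the talk or any vendor; the house limit, the decimal-odds settlement rule and the 20-line slot format are constructed. The vulnerable validator defaults to "valid" and swallows the parse error, so both `NotANumberValue` and `-10` pass; the hardened version treats a parse failure as a rejection and only hands a positive integer to settlement.

```python
import re

MAX_STAKE = 1000   # constructed house limit, in whole currency units


def vulnerable_validate_stake(raw):
    """Validation shaped like slide 22: 'valid' is the default and the catch
    block is empty, so any value that makes int() throw sails through."""
    valid = True
    try:
        stake = int(raw)
        if stake > MAX_STAKE:
            valid = False
    except Exception:
        pass                         # the empty catch block
    return valid


def settle(balance, stake, odds, player_won):
    """Decimal-odds settlement that assumes stake > 0, as slide 17's game did."""
    if player_won:
        return int(balance + stake * odds)
    return balance - stake           # with a negative stake a *loss* pays the player


_STAKE_RE = re.compile(r"[1-9][0-9]{0,6}")   # ASCII digits only: no sign, exponent, NaN or spaces


def validate_stake(raw):
    """Strict replacement: parse failures are rejections, never defaults."""
    if not isinstance(raw, str) or not _STAKE_RE.fullmatch(raw):
        raise ValueError("stake must be a positive whole number")
    stake = int(raw)
    if stake > MAX_STAKE:
        raise ValueError("stake above house limit")
    return stake


def stake_accepted(raw):
    try:
        validate_stake(raw)
        return True
    except ValueError:
        return False


def place_bet(balance, raw_stake, odds, player_won):
    """Hardened path: only a validated positive integer reaches settlement."""
    return settle(balance, validate_stake(raw_stake), odds, player_won)


def parse_lines(raw, line_count=20):
    """Slot-machine lines flags (slide 19): exactly line_count values, each 0 or 1."""
    parts = raw.split(",")
    if len(parts) != line_count or any(p not in ("0", "1") for p in parts):
        raise ValueError("lines must be %d comma-separated 0/1 flags" % line_count)
    lines = [int(p) for p in parts]
    if sum(lines) == 0:
        raise ValueError("select at least one line")
    return lines


def lines_accepted(raw):
    try:
        parse_lines(raw)
        return True
    except ValueError:
        return False
```

With the vulnerable pair, a stake of -10 at odds 2.0 leaves a losing player 10 richer and a winning player 20 poorer; the strict validator rejects `-10`, `0`, `1e3` and `NotANumberValue` outright, and the lines parser rejects the 21-entry `…,1,-19` list from slide 19.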