$NATCH
Sergey Scherbel & Yuriy Dyachenko
Positive Technologies
Positive Hack Days 2013

Some history
The competition took place for the first time at PHDays 2012.
$natch aims at demonstrating typical vulnerabilities of online banking systems.
Positive Technologies performs security tests of online banking systems on a regular basis. We are really into this.
The most interesting, dangerous and simply typical vulnerabilities are integrated into PHDays iBank right away.

Last year results
― 9 participants
― 4 winners
― biggest prize of 3.500 roubles
― Some winners got into the Positive community after an extremely scary interview, of course

PHDays iBank 2
PHDays iBank 2 is NOT a real online banking system that is used by actual banks.
The system has been developed exclusively for the PHDays 2013 competition.
PHDays iBank 2 employs typical vulnerabilities of online banking systems.

Competition rules
― 100 bank clients
― 10 participants
― 20.000 roubles of prize money
― 1 day for source code analysis
― 30 – 40 minutes of the actual competition
― a participant gets as much money as he or she manages to transfer to his or her own account
― Participants can steal money from each other

At the workshop
― You will be able to examine each vulnerability in detail
― Exploit vulnerabilities by yourself
― Exploit vulnerabilities with tools
― All is done on a special copy of the competition system

Accounts
100001:PKAC1y
100002:RNrlO9
100003:Ndl1Ix
100004:hQPuJw
100005:kpgtCI

Authentication
The code on the image needs to be entered

Mobile bank authentication
The code is not needed, thus account brute force is possible

Accounts with simple passwords
100011:password
100012:phdays
100013:qwerty
100014:password
100015:123456
100016:12345
100017:11111
100018:ninja
100019:123123
100020:sex
100021:asdzxc
100022:654321
100023:iloveyou
100024:root
100025:master
100026:superman
...

Transaction confirmation

Confirmation bypass in mobile bank

Payment templates modification

Payment templates modification
The system does not check whether a template is owned by the current user

Payment templates modification
$$

Contacts import
Most online banks have a feature that allows importing and exporting data

XML External Entity
External entity loading is not disabled
http://php.net/libxml_disable_entity_loader

XML External Entity
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE contact [
      <!ENTITY x SYSTEM "php://filter/read=convert.base64-encode/resource=logs/changePassword.log">
    ]>
    <contacts>
      <contact>
        <name>name</name>
        <account>90107430600712500003</account>
        <description>&x;</description>
      </contact>
    </contacts>
http://www.php.net/manual/en/wrappers.php.php

XML External Entity
File contents in base64
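A defensive counterpart to the contacts import above, added here as an example and not code from the PHDays iBank 2 system or the talk: a parser that rejects DOCTYPE and entity declarations and disables the libxml entity loader, shown beside the call pattern that lets the external entity in the import above be expanded. Function names, the 20-digit account check and the sample input are assumptions.

```php
<?php
// Added example, not PHDays iBank 2 code. Names below are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: entity substitution switched on (LIBXML_NOENT) and the
// external entity loader left enabled, so "&x;" becomes the file contents.
function parseContactsVulnerable(string $xml)
{
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}

// Hardened import: refuse any DTD up front, disable the entity loader on
// PHP < 8 (PHP 8 disables it by default and deprecates the call), and never
// pass LIBXML_NOENT or LIBXML_DTDLOAD. LIBXML_NONET only blocks network
// fetches; it does not stop local reads such as php://filter, which is why
// the DOCTYPE check and the loader setting are the real controls here.
function parseContactsSafe(string $xml): array
{
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml)) {
        throw new InvalidArgumentException('DTD/entity declarations are not accepted');
    }
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        if ($doc === false) {
            throw new InvalidArgumentException('Malformed XML');
        }
        $contacts = [];
        foreach ($doc->contact as $c) {
            $account = (string) $c->account;
            // Assumed account format: 20 digits, as in the sample import.
            if (!preg_match('/^\d{20}$/', $account)) {
                throw new InvalidArgumentException('Invalid account number');
            }
            $contacts[] = ['name' => (string) $c->name, 'account' => $account,
                           'description' => (string) $c->description];
        }
        return $contacts;
    } finally {
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
        libxml_clear_errors();
    }
}

// Constructed sample: a benign import is accepted; one with a DOCTYPE throws.
$sample = '<?xml version="1.0"?><contacts><contact><name>n</name>'
        . '<account>90107430600712500003</account><description>d</description></contact></contacts>';
var_dump(parseContactsSafe($sample));
```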
Debug mode

Thanks for your attention
Sergey Scherbel
sscherbel@ptsecurity.ru
Yuriy Dyachenko
ydyachenko@ptsecurity.ru