Professional Documents
Culture Documents
By Fabrice A. Marie
fabrice.marie@fma-rms.com
http://www.fma-rms.com/
Goal of this presentation
2
Hacking Internet Banking Applications HITB 2005 FMA RMS
Table of Contents
1. Introduction
2. Attacks: Usual suspects
3. Corporate espionage: loss of confidentiality
4. Interesting attacks: Outright fraud
5. Internal frauds
6. Third-party Internet Banking application procurement
7. Conclusions
3
Hacking Internet Banking Applications HITB 2005 FMA RMS
1. Introduction
4
Hacking Internet Banking Applications HITB 2005 FMA RMS
Banking Application Architecture
Java J2EE
• WebLogic from BEA
• WebSphere from IBM
• Sun One Application Server from Sun
• Pros and Cons:
Development done in Java exclusively.
Platform independent.
Application servers are certified J2EE.
Unfortunately all of them offer their unique “better” features.
These “better” unique features are not standard.
Not easy to migrate from one J2EE app server to another.
6
Hacking Internet Banking Applications HITB 2005 FMA RMS
Common Technologies - continued
Microsoft .Net
• Pros and Cons
Development done in a myriad of .Net Languages.
Very simple to shoot yourself in the foot.
Documentation widely available but somewhat hard to search through.
The whole solution supporting the application developed by one
consistent software provider: Microsoft
.NET application run almost exclusively on Microsoft platform.
Mono (http://www.mono-project.com/) is working, but no financial
application developed for it yet.
7
Hacking Internet Banking Applications HITB 2005 FMA RMS
What is Usually Good
Æ That’s all !
8
Hacking Internet Banking Applications HITB 2005 FMA RMS
What is usually NOT good
Æ That’s all !
11
Hacking Internet Banking Applications HITB 2005 FMA RMS
Tools used
Bank Network
Internet
13
Hacking Internet Banking Applications HITB 2005 FMA RMS
Tools used – e.g. burp proxy
14
Hacking Internet Banking Applications HITB 2005 FMA RMS
2. Attacks: Usual Suspects
15
Hacking Internet Banking Applications HITB 2005 FMA RMS
Cross Site Scripting (XSS)
17
Hacking Internet Banking Applications HITB 2005 FMA RMS
Buffer Overflow
18
Hacking Internet Banking Applications HITB 2005 FMA RMS
Weak Scripts
19
Hacking Internet Banking Applications HITB 2005 FMA RMS
Denial of Service (DoS)
20
Hacking Internet Banking Applications HITB 2005 FMA RMS
Denial of Service (DoS) – continued
Recursive operation
• The script is supposed to call another script
• But attacker tricked it to call itself
Æ use up all the threads of the server
Æ Extremely effective way to DoS an application
21
Hacking Internet Banking Applications HITB 2005 FMA RMS
Denial of Service (DoS) – continued
Blocking operation
• The script is supposed to read a file or a socket and return data
• But attacker tricked it to read a special blocking file
Æ use up all the threads of the server
Buffer overflow
• The operation expects a buffer of a certain size
• But attacker overflowed the buffers
Æ the thread (or the app server) get killed by the OS.
22
Hacking Internet Banking Applications HITB 2005 FMA RMS
Corporate Espionage – Loss of Confidentiality
23
Hacking Internet Banking Applications HITB 2005 FMA RMS
Introduction to “read” logic flaws
24
Hacking Internet Banking Applications HITB 2005 FMA RMS
Introduction to “read” logic flaws (cont’d)
If all the parameters for the request are passed to the script
from the client’s browser, then bingo !!
• You can modify all the parameters.
• Therefore you can ask for anything as long as the application
does not check
APPLICATIONS DO NOT CHECK !!!!
25
Hacking Internet Banking Applications HITB 2005 FMA RMS
Introduction to “read” logic flaws (cont’d)
26
Hacking Internet Banking Applications HITB 2005 FMA RMS
Spying on Competitor’s Transaction History
View
View Transaction History
Transaction
History
Account
Of account: Thief
Thief
Account
Thief View
Transaction
Ac
co
History
un
t
Of account: Victim
Thief Victim
27
Hacking Internet Banking Applications HITB 2005 FMA RMS
Spying on Competitor’s Bill Payments
View Bill
View Bill Payment Payment Info
Of user: Thief
Bill_ID
Bill_ID: Thief’s bill
Thief
Thief Victim
28
Hacking Internet Banking Applications HITB 2005 FMA RMS
Spying on Competitor’s Banking Messages
View Banking
View Banking Message
Message
Msg_ID: Thief’s message
Msg_ID
Thief
Thief
View Banking
M
sg
Message
_I
D Msg_ID: Victim’s message
Thief Victim
29
Hacking Internet Banking Applications HITB 2005 FMA RMS
Spying on VIP or Competitor Credit Card Bills
CC_Num
CC_Num: Thief’s card
Thief
Thief
View Credit Card
CC
Info
_N
um
CC_Num: Victim’s card
Thief Victim
30
Hacking Internet Banking Applications HITB 2005 FMA RMS
Protection against “read” logic flaws
32
Hacking Internet Banking Applications HITB 2005 FMA RMS
Introduction to “write” logic flaws
33
Hacking Internet Banking Applications HITB 2005 FMA RMS
Stealing Money Using Fund Transfer
Functionality
On the web interface:
Fund transfer
From: Thief
Fund Transfer $$$ To: Thief Accomplice
Thief Thief Accomplice
Thief Victim
34
Hacking Internet Banking Applications HITB 2005 FMA RMS
Stealing Money Using Cashier Order
Functionality
On the web interface:
Purchase
Purchase Cashier Order Cashier order
For: Thief
From account: Thief
Thief
Thief Purchase
Cashier order
For: Thief
From account: Victim
Thief Victim
35
Hacking Internet Banking Applications HITB 2005 FMA RMS
Buying Shares at a Discounted Price
Share
Price
Number of units: 100
Thief Price per unit: $10
Share
Price
Purchase
Thief
Shares
Shares for: Thief
Paid by: Thief
Lower Share Price
Thief
36
Hacking Internet Banking Applications HITB 2005 FMA RMS
Buying Shares for Free
Purchase
Pay for shares Shares
Shares for: Thief
Paid by: Thief
Thief
Thief Victim
37
Hacking Internet Banking Applications HITB 2005 FMA RMS
Avoiding Various Transaction Fees
Perform transaction
Funds from: Thief
Fees from: Thief
Pay transaction fees
Thief
Perform transaction
Thief
Pay fees
Funds from: Thief
Fees from: Victim
Thief Victim
38
Hacking Internet Banking Applications HITB 2005 FMA RMS
Purchasing Insurance for Free
$ $
Give credit Give credit
ca rd details card details
Thief Thief
m be r n num
be r
on nu a c tio
Tr a nsacti Payment Gateway
Trans
Payment Gateway
$ $
Transactio Transactio
n Number n N u m be r
Thief Thief
rc ha sed rchase
d
n ce Pu ce Pu
Insura Bank In s uran Bank
Thief Thief
39
Hacking Internet Banking Applications HITB 2005 FMA RMS
Changing Victim’s Payee Information
42
Hacking Internet Banking Applications HITB 2005 FMA RMS
Running Back End Commands
on the Front End
Back End is the administrative interface of the bank
To carry out the attack we need:
Initial access to the back end to learn how it works
• Ex-employee
ly
ke
• Or a design mistake
U
43
Hacking Internet Banking Applications HITB 2005 FMA RMS
Bypassing Roles on the Back End
44
Hacking Internet Banking Applications HITB 2005 FMA RMS
Bypassing Authoritative Boundaries
45
Hacking Internet Banking Applications HITB 2005 FMA RMS
Masquerading as a Customer
47
Hacking Internet Banking Applications HITB 2005 FMA RMS
Politics Involved
!
• You have to pay for enhancements.
ED
N
R
They won’t fix the application properly
A
W
N
EE
• Too costly to fix all the problems
B
VE
• Big time-to-market pressure.
A
H
U
YO
49
Hacking Internet Banking Applications HITB 2005 FMA RMS
Role of Internal Security Staff
50
Hacking Internet Banking Applications HITB 2005 FMA RMS
Very Explicit Security Specifications
List in details the security flaws that the vendor is forced to fix
without any additional fee:
• SQL injections
E
• Buffer overflows
H
! ST
• Cross site scripting
ER I
M O
O H
ST W
• Privilege escalation
U M
C HE
• Unauthorized money transfers
T
W
O
• Unauthorized charges
SH
• Unauthorized access to data
• …
52
Hacking Internet Banking Applications HITB 2005 FMA RMS
Fair Contract
!
Negotiate so that the vendor pays for any additional security
ER
K
re-check
C
SU
A
• will ensure they treat security seriously.
E
B
’T
• will motivate them to do it right from the start.
N
O
D
53
Hacking Internet Banking Applications HITB 2005 FMA RMS
Conclusion – Some Statistics
54
Hacking Internet Banking Applications HITB 2005 FMA RMS
Statistics – continued
9% 26%
9%
11%
25%
11%
55
Hacking Internet Banking Applications HITB 2005 FMA RMS
Statistics – continued
37%
44%
Low
Medium
High
19%
57
Hacking Internet Banking Applications HITB 2005 FMA RMS
Questions and Answers
FMA RMS
Hacking Internet Banking Applications
58
HITB 2005
fabrice.marie@fma-rms.com
http://www.fma-rms.com/
FMA RMS
Thank You!
FMA RMS
Hacking Internet Banking Applications
59
HITB 2005
fabrice.marie@fma-rms.com
http://www.fma-rms.com/
FMA RMS