Parameter Tampering

Parameter Tampering


Attacking the Ecommerce Shopping Cart

In the image above, a user who wants to purchase a television visits an online store that allows him to buy the TV by entering his details.


Tamper Data

An attacker who wants to exploit this purchase flow would use tools or browser extensions such as Tamper Data to modify the inputs and take advantage of the vulnerability on the online portal side.


Start to Capture the Request & Responses

Before interacting with the web application to buy the product, the attacker switches on Tamper Data.


Tampering

Once the attacker clicks the Purchase button, i.e. when the request is sent to the server, Tamper Data captures the request and prompts a dialogue box asking the attacker whether to tamper with the data or abort the request.


The Request and the Responses

After that, Tamper Data captures all the requests and responses that are sent and received.

This allows the attacker to change the parameter values and thereby take advantage of the vulnerability.


Tampering the Price


The Result Page

The result is that the attacker is able to buy the product for any price he wants, or even without paying anything.


Mitigations

Preventing such an attack on an online portal is essential.

The application should be designed so that it uses a single session token to reference properties stored in the server-side cache. When the application needs to check a user property, it checks the session cookie against its session table and looks the property up in the database. This is better than using hidden form fields in the application, which an attacker can misuse.
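The contrast described above, as an added example that is not part of the original slides: a checkout handler that trusts a hidden "price" form field, beside one that resolves the price from a server-side cart keyed only by the session token. The catalogue, session store and request dicts are constructed stand-ins for a real web framework.

```python
# Added example (not from the original slides): a checkout handler that
# trusts a hidden "price" form field, beside one that resolves the price
# server-side from the session cart. Catalogue, session store and request
# dicts are constructed stand-ins for a real web framework.
CATALOGUE = {"tv-55": 49999}            # product id -> price in cents (constructed)

SESSIONS = {                            # session token -> server-side cart
    "s3ss10n": {"user": "alice", "cart": {"tv-55": 1}},
}

class TamperingDetected(Exception):
    """Raised when a client-supplied value disagrees with server state."""

def checkout_vulnerable(form: dict) -> int:
    """Insecure: the total is computed from client-controlled hidden fields."""
    # Anyone who edits the request can set price=0 and pay nothing.
    return int(form["price"]) * int(form["qty"])

def checkout_hardened(cookies: dict, form: dict) -> int:
    """Secure: only the session token comes from the client; price and
    quantity are resolved from the server-side cart keyed by that token."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        raise PermissionError("unknown or expired session")
    total = 0
    for product_id, qty in session["cart"].items():
        total += CATALOGUE[product_id] * qty
    # Detection: if the client still echoes a price, compare it with the
    # server-side total so tampering attempts can be logged and rejected.
    if "price" in form and int(form["price"]) != total:
        raise TamperingDetected(
            f"client sent price={form['price']} but server total is {total}")
    return total

if __name__ == "__main__":
    honest = {"product": "tv-55", "qty": "1", "price": "49999"}
    tampered = {"product": "tv-55", "qty": "1", "price": "0"}
    print(checkout_vulnerable(tampered))                       # 0: attacker pays nothing
    print(checkout_hardened({"session": "s3ss10n"}, honest))   # 49999
    try:
        checkout_hardened({"session": "s3ss10n"}, tampered)
    except TamperingDetected as e:
        print("rejected:", e)
```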


Online transactions


Keylogging

Keystroke logging, often referred to as keylogging or Keyboard Capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.


Demo

The keylogger is able to run and intercept the password even though an up-to-date antivirus and firewall are running on the system.


Anti Keylogger

Keystroke encryption is a method that prevents keyloggers from working by encrypting the keystrokes sent by the user, so that the keylogger cannot hook into them.


Mouse Loggers

Mouse loggers were developed by malware writers to defeat the virtual keyboards used by banks.

They monitor mouse clicks and grab a screenshot of the mouse location.


Demo


Man In the Browser

The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable (ex: the browser) and its security mechanisms or libraries on-the-fly. -OWASP


Zeus

Also known as Zbot

First Identified in July 2007

One of the most famous pieces of banking malware.

Used by many cyber criminals of Eastern European origin.

Money mules are used to transfer the money.


Defeating OTP

Banking malware is getting more sophisticated. Mobile malware is delivered by modifying the bank website

so that it suggests the user download and install the “bank app”.

The malware on the computer cooperates with the malware on the phone.

The malware on the phone intercepts the OTP and helps the attacker bypass it.


Normal Page


Injected Page 1


Injected Page 2


Performing a secure net banking transaction


Secure Net Banking Transaction.

1. After the user logs in, the following details are stored in the user's cookie:

URL ID

IP address of the user


2. When a payment is being made, the user selects the “receiver” of the transaction; the web application then fixes the “receiver” to that transaction instance, so any tampering on the user side will not affect the transaction.


3. Before the transaction is confirmed, the website sends an OTP message to the user along with the “receiver” name and the transfer amount; that OTP is then fixed to that exact transaction amount and that user.
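Steps 2 and 3 above, as an added example that is not part of the original slides: the receiver and amount are fixed in a server-side transaction record when the transfer is created, and the OTP is stored against that record, so it confirms only that exact receiver, amount and user. The users, accounts and in-memory store are constructed stand-ins for a real banking backend.

```python
# Added example (not from the original slides): server-side binding of a
# net-banking transfer, modelled on steps 2 and 3 above. The receiver and
# amount are fixed in a server-side record when the transfer is created, and
# the OTP issued for it is stored against that record, so the OTP only
# confirms that exact receiver, amount and user. Users, accounts and the
# in-memory store are constructed stand-ins for a real banking backend.
import hmac
import secrets

TRANSACTIONS = {}   # txn id -> {"user", "receiver", "amount", "otp", "confirmed"}

def create_transfer(user: str, receiver: str, amount_cents: int) -> str:
    """Step 2: the user picks a receiver; the server fixes it (and the
    amount) in a transaction instance the client cannot modify."""
    txn_id = secrets.token_hex(8)
    TRANSACTIONS[txn_id] = {"user": user, "receiver": receiver,
                            "amount": amount_cents, "otp": None,
                            "confirmed": False}
    return txn_id

def issue_otp(txn_id: str) -> str:
    """Step 3: generate a 6-digit OTP, bind it to this transaction and
    return it for delivery together with the receiver name and amount."""
    rec = TRANSACTIONS[txn_id]
    rec["otp"] = f"{secrets.randbelow(1_000_000):06d}"
    return rec["otp"]

def confirm_transfer(txn_id: str, user: str, receiver: str,
                     amount_cents: int, otp: str) -> bool:
    """Confirm only if the client-submitted parameters still match the
    server-side record and the OTP is the one issued for that record.
    Client values never overwrite the stored receiver or amount."""
    rec = TRANSACTIONS.get(txn_id)
    if rec is None or rec["confirmed"] or rec["otp"] is None:
        return False
    if (user, receiver, amount_cents) != (rec["user"], rec["receiver"], rec["amount"]):
        return False            # parameters tampered with after OTP issue
    if not hmac.compare_digest(rec["otp"], otp):
        return False            # wrong or replayed OTP
    rec["confirmed"] = True     # single use: a second confirm attempt fails
    rec["otp"] = None
    return True
```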
