Parameter Tampering
Attacking the Ecommerce Shopping Cart
In the above image we see a user who wants to purchase a television visiting an online store that lets him buy the TV by entering his details.
Tamper Data
An attacker who wants to exploit this purchase flow on an online portal would use tools or browser extensions such as Tamper Data to alter the inputs and take advantage of the vulnerability on the online portal's side.
Start to Capture the Request & Responses
Before interacting with the web application to buy the product, the attacker switches on Tamper Data.
Tampering
Once the attacker clicks the Purchase button, which is the moment the request is sent to the server, Tamper Data captures the request and prompts the attacker with a dialogue box asking whether to tamper with the data or abort the request.
The Request and the Responses
After that, Tamper Data captures all the requests and responses that are sent and received.
This allows the attacker to change the parameter values and thereby take advantage of the vulnerability.
Tampering the Price
The Result Page
The result is that the attacker can buy the product for any price he wants, or even without paying anything.
Mitigations
Preventing such an attack is essential for an online portal.
The application should be designed so that it uses a single session token to reference properties stored in the server-side cache. When the application needs to check a user property, it looks up the session cookie in its session table, which points to the database record. This is better than using hidden form fields in the application, which an attacker can tamper with.
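The contrast between the two designs, as an added example that is not part of the original slides: a checkout handler that trusts a hidden `price` form field next to one that reads only the session token and product id from the request and keeps the price and the cart on the server. The catalogue, session store and a small detection hook that flags requests whose client-sent price disagrees with the catalogue are all constructed for this illustration.

```python
import secrets
from urllib.parse import parse_qs

# Constructed server-side product catalogue: prices live here, never in the form.
CATALOG = {"tv-42": 499.00, "hdmi-cable": 9.99}

# Server-side session table: opaque token -> user properties (user id, cart).
SESSIONS = {}


def create_session(user_id):
    """Issue an opaque session token and keep the user's state on the server."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user_id, "cart": {}}
    return token


def checkout_vulnerable(body):
    """'Before' handler: trusts the hidden form field 'price' sent by the client.
    Whatever price the client submits (including 0.01) is what gets charged."""
    form = parse_qs(body)
    qty = int(form["qty"][0])
    price = float(form["price"][0])  # attacker-controlled value
    return round(price * qty, 2)


def checkout_hardened(token, body):
    """'After' handler: only the session token, product id and quantity are read
    from the request; the price is looked up server-side and the cart lives in
    the session table referenced by the token."""
    session = SESSIONS.get(token)
    if session is None:
        raise PermissionError("unknown session token")
    form = parse_qs(body)
    product = form["product"][0]
    qty = int(form["qty"][0])
    if product not in CATALOG or qty < 1:
        raise ValueError("invalid product or quantity")
    # Any 'price' field the client sends is simply ignored.
    session["cart"][product] = qty
    return round(sum(CATALOG[p] * q for p, q in session["cart"].items()), 2)


def detect_price_mismatch(body):
    """Detection hook for request logs: a client-supplied 'price' that disagrees
    with the catalogue is the signature of an edited request."""
    form = parse_qs(body)
    product = form.get("product", [None])[0]
    if "price" not in form or product not in CATALOG:
        return False
    return float(form["price"][0]) != CATALOG[product]
```

The hardened handler never needs to decide whether a submitted price is plausible, because it never reads one; the detection hook is only useful during a migration, while old clients still send the field.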
Online transactions
Keylogging
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
Demo
The keylogger is able to run and intercept the password even though an up-to-date antivirus and firewall are running on the system.
Anti Keylogger
Keystroke encryption is a method that prevents keyloggers from working by encrypting the keystrokes sent by the user, such that the keylogger is unable to hook into them.
Mouse Loggers
Mouse loggers were developed by malware writers to defeat the virtual keyboards used by banks.
They monitor mouse clicks and grab a screenshot of the mouse location.
Demo
Man In the Browser
The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable (ex: the browser) and its security mechanisms or libraries on-the-fly. -OWASP
Zeus
Also known as Zbot
First Identified in July 2007
One of the most famous pieces of banking malware.
Used by many cyber criminals of Eastern European origin.
Money Mules used to transfer money.
Defeating OTP
Banking malware is getting more sophisticated. Mobile malware is delivered by modifying the bank website so that it suggests the user download and install the "bank app".
The malware on the computer cooperates with the malware on the phone.
The malware on the phone intercepts the OTP and helps the attacker bypass the OTP check.
Normal Page
Injected Page 1
Injected Page 2
Performing a secure net banking transaction
1. After the user logs in, the following details are stored in the user's cookie:
URL ID
IP address of the user
Secure Net Banking Transaction.
2. When a payment is being made, the user selects the "receiver" of the transaction; the web application then fixes that "receiver" to the transaction instance, so any tampering on the user side will not affect the transaction.
3. Before the transaction is confirmed, the website sends an OTP message to the user along with the "receiver" name and the transfer amount; that OTP is then fixed to that exact transaction amount and that user.
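The three steps above carried through in code, as an added example that is not part of the original slides: the session details from step 1 are kept in a server-side table referenced by the cookie value (as the Mitigations section recommends) and checked against the client IP; step 2 fixes receiver and amount in a server-side transaction record the moment the user selects them; step 3 derives the OTP with an HMAC over that exact transaction id, user, receiver and amount, so a confirmation form resubmitted with a different receiver or amount fails even when the OTP digits are correct. The key, session table, transaction store and IP addresses are all constructed for this illustration, and the SMS delivery is stood in for by a function that returns the message text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed per-deployment key for OTP derivation; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

# Step 1: session details (user, client IP) live server-side, referenced by the
# opaque cookie value, so the client cannot rewrite them.
SESSIONS = {}


@dataclass
class Transaction:
    txn_id: str
    user: str
    receiver: str
    amount: int          # minor currency units (paise/cents) to avoid float drift
    otp_secret: bytes    # fresh random value per transaction
    confirmed: bool = False


TRANSACTIONS = {}


def login(user, client_ip):
    """Issue a session cookie value and record the user and IP on the server."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"user": user, "ip": client_ip}
    return token


def _session(token, client_ip):
    """Reject requests whose cookie is unknown or that arrive from another IP."""
    s = SESSIONS.get(token)
    if s is None or s["ip"] != client_ip:
        return None
    return s


def start_transaction(token, client_ip, receiver, amount):
    """Step 2: once the user picks a receiver, the server fixes receiver and
    amount in its own record; later requests cannot change them."""
    s = _session(token, client_ip)
    if s is None or amount <= 0:
        return None
    txn = Transaction(txn_id=secrets.token_hex(8), user=s["user"], receiver=receiver,
                      amount=amount, otp_secret=secrets.token_bytes(16))
    TRANSACTIONS[txn.txn_id] = txn
    return txn.txn_id


def derive_otp(txn):
    """6-digit OTP bound by HMAC to this transaction's id, user, receiver and amount."""
    msg = f"{txn.txn_id}|{txn.user}|{txn.receiver}|{txn.amount}".encode()
    digest = hmac.new(SERVER_KEY, txn.otp_secret + msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def otp_message(txn_id):
    """Step 3: the SMS text carries receiver and amount so the user can check
    them against what they intended before typing the OTP."""
    txn = TRANSACTIONS[txn_id]
    return f"OTP {derive_otp(txn)} to pay {txn.amount} to {txn.receiver}"


def confirm(token, client_ip, txn_id, otp, receiver, amount):
    """Verify the OTP only against the stored transaction. A resubmitted form
    with a different receiver or amount fails even if the OTP is correct, and a
    confirmed transaction cannot be replayed."""
    s = _session(token, client_ip)
    txn = TRANSACTIONS.get(txn_id)
    if s is None or txn is None or txn.confirmed or txn.user != s["user"]:
        return False
    if receiver != txn.receiver or amount != txn.amount:
        return False
    if not hmac.compare_digest(otp, derive_otp(txn)):
        return False
    txn.confirmed = True
    return True
```

Because the receiver and amount are compared against the server's record before the OTP is even checked, a phone-side intercept of the OTP digits only helps an attacker complete the transaction the user actually initiated, not a modified one; the message text in step 3 is what lets the user notice a receiver or amount they never chose.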