
1 Parameter Tampering

2 Attacking the Ecommerce Shopping Cart In the above image, a user who wants to purchase a television visits an online store that lets him buy the TV by entering his details.

3 Tamper Data An attacker who wants to exploit this purchase flow would use tools or browser extensions such as Tamper Data to modify the inputs and take advantage of the vulnerability on the online portal's side.

4 Start to Capture the Requests & Responses Before interacting with the web application to buy the product, the attacker switches on Tamper Data.

5 Tampering Once the attacker clicks the Purchase button, which is when the request is sent to the server, Tamper Data captures the request and prompts a dialogue box asking the attacker whether to tamper with the data or abort the request.

6 The Request and the Responses After that, Tamper Data captures all the requests and responses that are sent and received. This allows the attacker to change parameter values and thereby exploit the vulnerability.

7 Tampering the Price

8 The Result Page The result is that the attacker is able to buy the product for any price he wants, or even without paying anything.

9 Mitigations Preventing such an attack on an online portal is essential. The application should be designed so that it uses a single session token to reference properties stored in the server-side cache. When the application needs to check a user property, it checks the session cookie against its session table and looks the property up in the database. This is better than using hidden form fields in the application, which an attacker can misuse.
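The mitigation on this slide, as an added example that is not part of the original presentation: a checkout handler that trusts the hidden price field, beside one that prices the order from a server-side session table and catalogue. The catalogue, session store and form dictionaries are constructed here for illustration.

```python
import secrets

# Constructed server-side product catalogue: the authoritative prices live here.
CATALOGUE = {"tv-55": 499.00, "hdmi-cable": 9.99}

# Constructed server-side session table: session token -> properties (the cart).
SESSIONS = {}


def start_session(cart):
    """Create a session whose cart (product id -> quantity) is kept server-side;
    the browser only ever holds the opaque token."""
    token = secrets.token_hex(16)
    SESSIONS[token] = {"cart": dict(cart)}
    return token


def checkout_vulnerable(form):
    """Trusts the hidden form fields 'price' and 'qty' exactly as the browser sent
    them, so editing 'price' in Tamper Data changes the amount charged."""
    return round(float(form["price"]) * int(form["qty"]), 2)


def checkout_hardened(session_token, form):
    """Charges from the server-side cart and catalogue only. Any client-supplied
    'price' is ignored for pricing and reported as a tampering signal."""
    session = SESSIONS.get(session_token)
    if session is None:
        raise PermissionError("unknown or expired session token")
    total = 0.0
    for product_id, qty in session["cart"].items():
        if product_id not in CATALOGUE:
            raise ValueError(f"unknown product {product_id}")
        if qty <= 0:
            raise ValueError("quantity must be positive")
        total += CATALOGUE[product_id] * qty
    # A 'price' field should never arrive from the client; flag it for logging.
    tampering_suspected = "price" in form
    return round(total, 2), tampering_suspected
```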

10 Online transactions

11 Keylogging Keystroke logging, often referred to as keylogging or Keyboard Capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.

12 Demo The keylogger is able to run and intercept the password even though an up-to-date antivirus and firewall are running on the system.


15 Anti Keylogger Keystroke encryption is a method that prevents keyloggers from working by encrypting the keystrokes sent by the user, such that the keylogger cannot hook into them.


17 Mouse Loggers Mouse loggers were developed by malware writers to defeat the virtual keyboards used by banks. They monitor mouse clicks and grab a screenshot of the mouse location.

18 Demo

19 Man In the Browser The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable (ex: the browser) and its security mechanisms or libraries on-the-fly. - OWASP

20 Zeus
- Also known as Zbot
- First identified in July 2007
- One of the most famous pieces of banking malware
- Used by many cyber criminals of Eastern European origin
- Money mules used to transfer money

21 Defeating OTP
- Banking malware is getting more sophisticated.
- Mobile malware is delivered by modifying the bank website so that it suggests the user download and install the “bank app”.
- The malware on the computer cooperates with the malware on the phone.
- The malware on the phone intercepts the OTP and helps the attacker bypass OTP.

22 Normal Page


24 Injected Page 1


26 Injected Page 2


28 Performing a secure net banking transaction

29 1. After the user logs in, the following details are stored in the user's cookie:
- URL ID
- IP address of the user
Secure Net Banking Transaction.

30 2. When a payment is being made, the user selects the “receiver” of the transaction; the web application then fixes the “receiver” to that transaction instance, so any tampering on the user side will not affect the transaction.

31 3. Before the transaction is confirmed, the website sends an OTP message to the user along with the “receiver” name and the transfer amount; that OTP is then fixed to that exact transaction amount and that user.
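Steps 2 and 3 above, as an added example that is not part of the original presentation: the receiver and amount are fixed to a server-side transaction instance, and the OTP is derived over the transaction id, user, receiver and amount, so a confirmation request that carries a changed receiver or amount, a replayed OTP, or an OTP issued for another transaction is rejected. The HMAC-based OTP derivation, the server key and the in-memory transaction table are constructed for illustration; a real bank would add an expiry and a per-OTP nonce.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed; stands in for the bank's OTP secret
TRANSACTIONS = {}                     # txn_id -> fixed user/receiver/amount (server-side)


def create_transaction(user, receiver, amount):
    """Step 2: fix the receiver and amount to a server-side transaction instance.
    The client only ever sees the opaque transaction id."""
    txn_id = secrets.token_hex(8)
    TRANSACTIONS[txn_id] = {"user": user, "receiver": receiver,
                            "amount": amount, "done": False}
    return txn_id


def issue_otp(txn_id):
    """Step 3: derive a 6-digit OTP bound to this exact transaction, user,
    receiver and amount (constructed HMAC scheme)."""
    t = TRANSACTIONS[txn_id]
    msg = f"{txn_id}|{t['user']}|{t['receiver']}|{t['amount']:.2f}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def confirm_transaction(txn_id, submitted_otp, submitted_receiver, submitted_amount):
    """Confirm using only the server-side fixed fields. The receiver/amount the
    client resubmits are compared to the fixed values to detect tampering, never
    used as the values to pay."""
    t = TRANSACTIONS.get(txn_id)
    if t is None or t["done"]:
        return False  # unknown transaction or replay of a completed one
    if (submitted_receiver, submitted_amount) != (t["receiver"], t["amount"]):
        return False  # client changed receiver or amount after the OTP was sent
    if not hmac.compare_digest(issue_otp(txn_id), submitted_otp):
        return False  # OTP was issued for a different transaction or is wrong
    t["done"] = True
    return True
```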
