Parameter Tampering: Attacking the Ecommerce Shopping Cart


Slide 1

Parameter Tampering


Slide 2

Attacking the Ecommerce Shopping Cart

In the above image we see that a user who wants to purchase a television visits an online
store that lets him buy the TV by entering his details.


Slide 3

Tamper Data

An attacker who wants to exploit this purchase flow on an online portal would use tools or
browser extensions such as Tamper Data to modify the inputs and take advantage of the
vulnerability on the online portal side.


Slide 4

Start to Capture the Request & Responses

- Before interacting with the web application to buy the product, the attacker switches on
Tamper Data.


Slide 5

Tampering

Once the attacker clicks the Purchase button, which is when the request is sent to the
server, Tamper Data captures the request and shows a dialogue box asking the attacker
whether to tamper with the data or abort the request.


Slide 6

The Request and the Responses

- After that, Tamper Data captures all the requests and responses that are sent and received.
- This allows the attacker to change the parameter values and thereby take advantage of the
vulnerability.


Slide 7

Tampering the Price


Slide 8

The Result Page

The result is that the attacker is able to buy the product for any price he chooses, or even
without paying anything at all.


Slide 9

Mitigations

Preventing such an attack on an online portal is essential.
- The application should be designed so that it uses a single session token to reference
properties stored in the server-side cache. When the application needs to check a user
property, it looks up the session cookie in its session table, which points to the record in the
database. This is safer than hidden form fields in the application, which an attacker can modify.
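The following is an added example, not code from the slides: a checkout function written the way the slides describe the vulnerable shop (price and quantity taken from hidden form fields posted by the browser) next to a hardened version in which the cart lives in a server-side cache keyed by an opaque session token and prices come only from the catalogue. The catalogue entries, prices and field names are constructed for the example. The hardened version also compares any price the client still posts against the real total, so a tampering attempt can be logged rather than silently ignored.

```python
from __future__ import annotations

import secrets

# Constructed catalogue for this example: product id -> (name, unit price in cents).
# In a real shop this is the database the server consults; the browser never supplies prices.
CATALOG = {
    "tv-55": ("55-inch Television", 49999),
    "hdmi-2m": ("2 m HDMI cable", 999),
}


def vulnerable_checkout(form: dict) -> int:
    """'Before' version as in the slides: the total is computed from a hidden
    'price' field and a 'qty' field posted by the browser, so whatever the
    client changes with a tool such as Tamper Data is charged as-is."""
    return int(form["price"]) * int(form["qty"])


class Store:
    """Hardened version: the cart is stored server-side and referenced only by
    an unguessable session token; nothing price-related is trusted from the client."""

    def __init__(self) -> None:
        self.carts: dict[str, dict[str, int]] = {}  # session token -> {product id: qty}

    def new_session(self) -> str:
        token = secrets.token_urlsafe(32)  # opaque token sent to the browser as a cookie
        self.carts[token] = {}
        return token

    def add_to_cart(self, token: str, product_id: str, qty: int) -> None:
        if product_id not in CATALOG:
            raise KeyError(f"unknown product {product_id!r}")
        if qty <= 0:
            raise ValueError("quantity must be positive")
        cart = self.carts[token]  # KeyError for an unknown or expired session
        cart[product_id] = cart.get(product_id, 0) + qty

    def server_total(self, token: str) -> int:
        """Total computed purely from server-side state and catalogue prices."""
        cart = self.carts.get(token)
        if cart is None:
            raise PermissionError("no cart for this session token")
        return sum(CATALOG[pid][1] * qty for pid, qty in cart.items())

    def checkout(self, token: str, form: dict) -> tuple[int, bool]:
        """Return (amount to charge, tamper_suspected). The charged amount is always
        the server-side total. If the browser still posts a legacy 'price' field,
        a value that disagrees with the real total is flagged so it can be logged."""
        total = self.server_total(token)
        tampered = False
        if "price" in form:
            try:
                tampered = int(form["price"]) != total
            except ValueError:
                tampered = True  # non-numeric price is itself a tamper signal
        return total, tampered
```

The point of the `tampered` flag is detection: a hidden-field price that no longer matches the server's own total is a cheap, high-signal indicator that a client-side proxy was used on the request, worth alerting on even though the charge itself is already safe.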


Slide 10

Online transactions


Slide 11

Keylogging

Keystroke logging, often referred to as keylogging or Keyboard
Capturing, is the action of recording (or logging) the keys struck on
a keyboard, typically in a covert manner so that the person using
the keyboard is unaware that their actions are being monitored.


Slide 12

Demo

- The keylogger is able to run and intercept the password even though an up-to-date
antivirus and firewall are running on the system.


Slide 13


Slide 14


Slide 15

Anti Keylogger

- Keystroke encryption is a method that prevents keyloggers from working by encrypting the
keystrokes sent by the user, so that the keylogger is unable to hook into them.


Slide 16


Slide 17

Mouse Loggers

- Mouse loggers were developed by malware writers to defeat the virtual keyboards used by
banks.
- They monitor mouse clicks and grab a screenshot of the mouse location.


Slide 18

Demo


Slide 19

Man In the Browser

The Man-in-the-Browser attack takes the same approach as a Man-in-the-Middle attack, but in
this case a Trojan horse is used to intercept and manipulate calls between the main
application's executable (e.g. the browser) and its security mechanisms or libraries on the fly.
(OWASP)


Slide 20

Zeus

- Also known as Zbot
- First identified in July 2007
- One of the most famous pieces of banking malware
- Used by many cyber criminals of Eastern European origin
- Money mules are used to transfer the money


Slide 21

Defeating OTP
Banking malware is getting more sophisticated.
Mobile malware is delivered by modifying the bank's website so that it prompts the user to
download and install the "bank app".
The malware on the computer cooperates with the malware on the phone.
The malware on the phone intercepts the OTP and helps the attacker bypass it.


Slide 22

Normal Page


Slide 23


Slide 24

Injected Page 1


Slide 25


Slide 26

Injected Page 2


Slide 27


Slide 28

Performing a Secure Net Banking Transaction


Slide 29

Secure Net Banking Transaction.

1. After the user logs in, the following details are stored in the user's cookie:

- URL ID
- IP address of the user


Slide 30

Secure Net Banking Transaction.

2. When a payment is being made, the user selects the "receiver" of the transaction, and the
web application then binds that "receiver" to the transaction instance, so any tampering on
the user's side has no effect on the transaction.


Slide 31

Secure Net Banking Transaction.

3. Before the transaction is confirmed, the website sends an OTP message to the user along
with the "receiver" name and the transfer amount; that OTP is then fixed to that exact
transaction amount and that user.
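The three steps above, carried through as one added example (not code from the slides or from any bank): the session token is tied to the client IP recorded at login, the receiver and amount are fixed server-side when the transfer is initiated, and the OTP is an HMAC over the user, transaction id, receiver and amount, so it is only valid for that one transaction. On confirmation the values re-posted by the browser are checked against the server-side record before the OTP is verified, which is what defeats a man-in-the-browser that swaps the receiver or amount after the user has typed the OTP. Class and function names, the server key, the SMS text and the attempt limit are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PendingTransfer:
    txn_id: str
    user: str
    receiver: str
    amount: int      # minor currency units (e.g. paise or cents)
    attempts: int = 0


class BankServer:
    MAX_OTP_ATTEMPTS = 3  # constructed limit; after this the transfer is cancelled

    def __init__(self, otp_key: bytes) -> None:
        self.otp_key = otp_key                               # server secret, never sent to the client
        self.sessions: dict[str, tuple[str, str]] = {}       # token -> (user, client IP)
        self.pending: dict[str, PendingTransfer] = {}        # txn_id -> server-side record

    # Step 1: after login the session token is bound to the user's IP address.
    def login(self, user: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, client_ip)
        return token

    def _user_for(self, token: str, client_ip: str) -> str:
        entry = self.sessions.get(token)
        if entry is None or entry[1] != client_ip:
            raise PermissionError("unknown session or IP address mismatch")
        return entry[0]

    # The OTP is an HMAC over user, transaction id, receiver and amount, so it
    # is valid for exactly this transaction and nothing else.
    def _otp_for(self, user: str, txn_id: str, receiver: str, amount: int) -> str:
        msg = f"{user}|{txn_id}|{receiver}|{amount}".encode()
        digest = hmac.new(self.otp_key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    # Steps 2 and 3: receiver and amount are fixed server-side when the transfer
    # is initiated, and the OTP message names both so the user can check them.
    def initiate_transfer(self, token: str, client_ip: str,
                          receiver: str, amount: int) -> tuple[str, str]:
        user = self._user_for(token, client_ip)
        if amount <= 0:
            raise ValueError("amount must be positive")
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = PendingTransfer(txn_id, user, receiver, amount)
        otp = self._otp_for(user, txn_id, receiver, amount)
        sms = f"OTP {otp} to pay {amount} to {receiver}. Do not share it."
        return txn_id, sms   # the SMS text stands in for the out-of-band channel

    def confirm_transfer(self, token: str, client_ip: str, txn_id: str,
                         receiver: str, amount: int, otp: str) -> tuple[bool, str]:
        user = self._user_for(token, client_ip)
        txn = self.pending.get(txn_id)
        if txn is None or txn.user != user:
            return False, "unknown transaction"
        if txn.attempts >= self.MAX_OTP_ATTEMPTS:
            return False, "too many attempts; transaction cancelled"
        txn.attempts += 1
        # Values re-posted by the browser must match the server-side record;
        # a man-in-the-browser that swaps the receiver or amount fails here.
        if receiver != txn.receiver or amount != txn.amount:
            return False, "transaction details do not match"
        expected = self._otp_for(user, txn_id, txn.receiver, txn.amount)
        if not hmac.compare_digest(expected, otp):
            return False, "wrong OTP"
        del self.pending[txn_id]   # one-shot: the same OTP cannot be replayed
        return True, f"transferred {txn.amount} to {txn.receiver}"
```

Because the OTP is derived from the stored receiver and amount rather than from whatever the browser re-posts, an OTP the user typed for "50000 to Bob" can never authorise "50000 to Mallory", and deleting the pending record on success means a captured OTP is useless once the transfer has gone through.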