The Pentester’s View on Blockchain Projects

Presentation transcript:

The Pentester’s View on Blockchain Projects Pertsev Alexey @_p4lex

Agenda
- DApp? How does it work?
- Examples of vulnerable contracts
- Client-side vulnerabilities
- Digital Security ICO case
- Common attack vectors at ICO: address changing
- Latest security incidents overview

DApp and DAO (architecture diagram)
Browser (web3 object: address = “0xdeadbeef…”, ABI = [{“name”: “crowdsale”…}]) <-> HTTP requests <-> Gateway (Geth / Parity / cpp-Ethereum) <-> Ethereum <-> Smart Contract
Transactions go in; call results, events, etc. come back.

Smart Contract’s Vulns/Attacks/Features
Blockchain specifics:
- Front-running attack
- Timestamp dependency
- Generating randomness
- Unpredictable state
- Keeping secrets
Solidity specifics:
- Evolution of money sending: Reentrancy, Gasless send, DOS (due to exception disorders)
- Self-destruction
- Inheritance
EVM specifics:
- Integer overflow (no exceptions)
- ABI encoding/decoding (no args checks): Short Address Attack
- Type confusion
- Uninitialized storage pointer
Logical (project specifics):
- Name it yourself :)
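The "no args checks" point above concerns the DApp/gateway side as much as the contract: the EVM does not verify that calldata has the right length. Added example (not code from the talk): an ERC-20 transfer(address,uint256) encoder and a matching decoder for a gateway that forwards raw calldata, both rejecting malformed arguments before anything is signed or relayed. The selector constant is the standard ERC-20 one; the helper names are mine.

```javascript
// Added example (not from the talk): DApp/gateway-side argument checks before
// ABI-encoding an ERC-20 transfer(address,uint256). The EVM and the ABI
// decoder do not check argument lengths: a too-short address that reaches the
// encoder unpadded shifts every following argument, so the check belongs
// here, before anything is signed or sent.

// Function selector: first 4 bytes of keccak256("transfer(address,uint256)")
const TRANSFER_SELECTOR = 'a9059cbb';
const WORD_HEX = 64;                          // one 32-byte ABI word as hex
const UINT256_MAX = (1n << 256n) - 1n;

function encodeTransfer(to, amount) {
  // Reject anything that is not exactly 20 bytes of hex; never auto-pad.
  if (typeof to !== 'string' || !/^0x[0-9a-fA-F]{40}$/.test(to)) {
    throw new Error('address must be 0x followed by exactly 40 hex chars');
  }
  // Amount is a BigInt so 18-decimal token values do not lose precision.
  if (typeof amount !== 'bigint' || amount < 0n || amount > UINT256_MAX) {
    throw new Error('amount must be a non-negative bigint within uint256');
  }
  const addrWord = to.slice(2).toLowerCase().padStart(WORD_HEX, '0');
  const amountWord = amount.toString(16).padStart(WORD_HEX, '0');
  return '0x' + TRANSFER_SELECTOR + addrWord + amountWord;
}

// The matching check on the receiving side (a gateway/relay that forwards
// raw calldata): refuse calldata whose length is not selector + 2 full words.
function decodeTransfer(calldata) {
  const hex = calldata.startsWith('0x') ? calldata.slice(2) : calldata;
  if (hex.length !== 8 + 2 * WORD_HEX || !/^[0-9a-fA-F]+$/.test(hex)) {
    throw new Error('calldata length is not 4 + 32 + 32 bytes');
  }
  if (hex.slice(0, 8) !== TRANSFER_SELECTOR) {
    throw new Error('not a transfer(address,uint256) call');
  }
  const addrWord = hex.slice(8, 8 + WORD_HEX);
  // The 12 high bytes of an address word must be zero padding.
  if (!/^0{24}/.test(addrWord)) throw new Error('address word not zero-padded');
  return {
    to: '0x' + addrWord.slice(24),
    amount: BigInt('0x' + hex.slice(8 + WORD_HEX)),
  };
}
```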

Logical vulnerabilities
- Forgotten access modifiers
- Misspelled identifiers (variables, functions)
- Huge variety of race conditions
- Subject area specifics
- etc…

Logical vulnerabilities – DSec ICO

Logical – commit-reveal
Commission fee is up to the user, never from the smart contract.

Ethereum account balance manipulation (Coinbase)
(diagram) Attacker -> Smart Contract -> Coinbase wallets: Wallet1 1 ETH + 1 ETH, Wallet2 1 ETH + 1 ETH, Wallet3 1 ETH + 1 ETH; 4 ETH (Ethereum view) vs 1 ETH (Coinbase view)
Then attacker can withdraw ether from Coinbase and repeat!
Broken Smart Contract + 1 ETH: 0 ETH (Ethereum and Coinbase* view)
Coinbase $10k bounty

Client-side vulnerabilities and vectors
Leaving blockchain aside, can I hack an ICO without blockchain knowledge?
- XSS
- Phishing
- Site defacement + clipboard manipulation
- Social Engineering
- etc…
And other vectors:
- Weak passwords for social network accounts (Twitter, Slack, FB, etc.)
- Hacking related infrastructure and pivoting

Blockchain-stored XSS
Protection: Don’t trust user data! Always cast, validate, sanitize and escape (the order matters!)
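The four steps in that order, applied to a string a DApp reads back from a contract and inserts into the page. Added example (not code from the talk): the length limit, the function names and the sample on-chain value are my assumptions.

```javascript
// Added example (not from the talk): rendering a string a DApp read back from
// a contract (a token name, a crowdsale participant's label, ...) in the order
// the slide gives: cast -> validate -> sanitize -> escape. Anything another
// account wrote on chain is untrusted input, exactly like a form field.

const MAX_NAME_LEN = 64;                // assumed display limit for this DApp

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the escaped string, or null when the value must not be shown at all.
function safeDisplayName(raw) {
  // 1. cast: a web3 call result is arbitrary JSON (string, number, null);
  //    force a string so later checks cannot be bypassed by type tricks.
  const s = String(raw ?? '');
  // 2. validate: reject empty or over-long values instead of truncating them.
  if (s.length === 0 || s.length > MAX_NAME_LEN) return null;
  // 3. sanitize: drop control characters (they break layout and log lines).
  const cleaned = s.replace(/[\u0000-\u001f\u007f]/g, '');
  if (cleaned.length === 0) return null;
  // 4. escape for the sink: HTML entities, because this goes into innerHTML.
  //    (With element.textContent the browser escapes for you; never mix both.)
  return escapeHtml(cleaned);
}

// Builds the markup a DApp would insert; the contract data never reaches the
// HTML parser as markup.
function renderParticipant(address, rawName) {
  const name = safeDisplayName(rawName);
  if (name === null) return '<li class="participant">(invalid name)</li>';
  return '<li class="participant" title="' + escapeHtml(String(address)) + '">' +
         name + '</li>';
}

// Constructed sample: a name an attacker stored on chain with one transaction.
const fromChain = '<img src=x onerror=alert(1)>';
const html = renderParticipant('0x' + '00'.repeat(20), fromChain);
```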

Phishing
Three steps to phishing:
1. Register a domain name similar to the victim’s: kickico.com -> kickico.co
2. Copy the victim’s website and replace the ICO smart contract address
3. Spam, spam, spam!
kickico $50k hack
Mitigations: Be offensive!
- Monitor similar domains and inform users (URLCrazy)
- MetaMask EtherAddressLookup blacklist
- Register phishing sites at the local DNS and resolve them to an alert page (for the team only)

Site defacement and clipboard manipulation
Easy to understand: hack the website -> full control of the information on it -> change the ICO address to your own
CoinDash.io $7 Million Hack
Or a more tricky one… clipboard manipulation:

Weak passwords
There is nothing new here, same old story. $500k HACK
Protection? You already know: 2FA, password managers, OAuth, etc.

Social Engineering + Phishing

Pivoting
Attack surface:
- Interfaces (web)
- Social network and email accounts
- Third-party libs/apps/chats/APIs
- Oracles (ShapeShift and similar)
- Mail/VPN/web/mobile/… servers
- Absolutely ALL hosts you control (laptops too)
Numerous attack vectors!

Recommendations
Smart Contract security:
- Best practices
- Code auditing
- Bug Bounty (almost free for you!)
Infrastructure:
- Best practices
- Auditing / Security assessment / Penetration testing
- Close/hide all optional services

Let’s talk: Pertsev Alexey @_p4lex a.pertsev@dsec.ru