1
The Pentester’s View on Blockchain Projects
Pertsev Alexey @_p4lex
2
Agenda
DApp? How does it work?
Examples of vulnerable contracts
Client-side vulnerabilities
Digital Security ICO case
Common attack vectors at ICO: address changing
Latest security incidents overview
3
DApp and DAO
[Diagram: Browser -> HTTP requests -> Gateway -> Smart Contract on Ethereum]
Browser: web3 object; address = “0xdeadbeef…”; ABI = [{“name”: “crowdsale”…}]
Gateway node: Geth / Parity / cpp-Ethereum
Transactions go in; call results, events… come back
4
Smart Contract Vulns/Attacks/Features
Blockchain specifics: front-running attack; timestamp dependency; generating randomness; unpredictable state; keeping secrets
Solidity specifics: evolution of money sending (reentrancy, gasless send, DoS due to mishandled exceptions); self-destruction; inheritance
EVM specifics: integer overflow (no exceptions); ABI encoding/decoding (no argument checks): short address attack, type confusion; uninitialized storage pointer
Logical (project specifics): name it yourself :)
5
Logical vulnerabilities
Forgotten access modifiers
Misspelled identifiers (variables, functions)
Huge variety of race conditions
Subject-area specifics
etc…
6
Logical vulnerabilities – DSec ICO
7
Logical – commit-reveal
The commission fee is decided by the user, never by the smart contract.
8
Ethereum account balance manipulation (Coinbase)
[Diagram: attacker’s smart contract sends +1 ETH each to Wallet1, Wallet2, Wallet3 and Coinbase: 4 ETH (Ethereum view) vs 1 ETH (Coinbase view). Broken smart contract: +1 ETH to Coinbase, 0 ETH (Ethereum and Coinbase* view)]
Then the attacker can withdraw ether from Coinbase and repeat!
Coinbase: $10k bounty
9
Client-side vulnerabilities and vectors
Leaving blockchain aside, can I hack an ICO without blockchain knowledge?
XSS
Phishing
Site defacement + clipboard manipulation
Social engineering
etc…
And other vectors:
Weak passwords for social network accounts (Twitter, Slack, FB, etc.)
Hacking related infrastructure and pivoting
10
Blockchain-stored XSS
Protection: Don’t trust user data! Always cast, validate, sanitize and escape (the order matters!)
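Added example (not from the deck): a DApp front end that renders strings read from a contract, with the naive rendering beside the cast -> validate -> sanitize -> escape pipeline the slide calls for. The contract data is a constructed inline sample standing in for a web3 call result; all function names are this example’s own.

```javascript
// Added example (not from the deck): rendering on-chain strings in a DApp front end.
// Anything read from a smart contract (token name, on-chain profile text, event data)
// is attacker-controlled and permanent: once a payload is in a block, every client
// that renders it naively is exposed. Runs under Node; the web3 result is mocked inline.

// Constructed sample of what contract.methods.name().call() might hand back.
// Record 2 carries a harmless XSS marker string; record 3 shows a non-string value.
const onChainRecords = [
  { id: 1, name: "Digital Security Token" },
  { id: 2, name: '<img src=x onerror="alert(1)">' },
  { id: 3, name: 12345 },
];

// Vulnerable: the value is dropped straight into markup (what element.innerHTML would get).
function renderUnsafe(record) {
  return `<li data-id="${record.id}">${record.name}</li>`;
}

// 1. Cast: force the value into the type the view expects.
function toStr(v) {
  return typeof v === "string" ? v : String(v);
}

// 2. Validate: reject what the application never needs (length, control characters).
function validateName(s) {
  if (s.trim().length === 0 || s.length > 64) throw new Error("name length out of range");
  if (/[\u0000-\u001f\u007f]/.test(s)) throw new Error("control character in name");
  return s;
}

// 3. Sanitize: normalise what is allowed (trim, collapse whitespace, NFC form).
function sanitizeName(s) {
  return s.normalize("NFC").trim().replace(/\s+/g, " ");
}

// 4. Escape for the HTML text context. This is the last step: escaping first and
// validating afterwards would let the validator see the wrong string.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: cast -> validate -> sanitize -> escape, in that order.
function renderSafe(record) {
  const id = Number(record.id);
  if (!Number.isInteger(id) || id < 0) throw new Error("bad record id");
  const name = escapeHtml(sanitizeName(validateName(toStr(record.name))));
  return `<li data-id="${id}">${name}</li>`;
}
```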
11
Phishing
Three steps to phishing:
1. Register a domain name similar to the victim’s: kickico.com -> kickico.co
2. Copy the victim’s website and replace the ICO smart contract address
3. Spam, spam, spam!
Case: KICKICO $50k hack
Mitigations:
Be offensive! Monitor similar domains and inform users (URLCrazy)
MetaMask EtherAddressLookup blacklist
Register phishing sites in local DNS and resolve them to an alert page (for the team only)
12
Site defacement and clipboard manipulation
Easy to understand: hack the website -> full control over the information on it -> change the ICO address to your own
Case: CoinDash.io $7 million hack
Or a more tricky one… clipboard manipulation:
13
Weak passwords
There is nothing new here, same old story. ($500k hack)
Protection? You already know: 2FA, password managers, OAuth, etc.
14
Social Engineering + Phishing
15
Pivoting
Attack surface:
Interfaces (web)
Social networks and accounts
Third-party libs/apps/chats/APIs
Oracles (ShapeShift and similar)
Mail/VPN/web/mobile/… servers
Absolutely every host you control (laptops too)
Numerous attack vectors!
16
Recommendations
Smart contract security: best practices; code auditing; bug bounty (almost free for you!)
Infrastructure: best practices; auditing / security assessment / penetration testing; close/hide all optional services
17
Let’s talk
Pertsev Alexey @_p4lex
a.pertsev@dsec.ru