MMS Spoofing Clown
Added: August 30, 2007

Presentation Transcript

A case study of a Web Application vulnerability
Matteo Meucci, OWASP-Italy Chair, ICT Security Consultant (CISSP), Business-e
matteo.meucci@business-e.it
http://www.owasp.org/local/italy.html

Agenda
- Web application analysis
- Authentication and billing of the MMS service
- Application vulnerability
- Attack analysis

Slide 3: MMS spoofing & billing
We describe a case study of a public MMS service provided by a TELCO. The vulnerability allows an attacker to send a spoofed MMS while charging the credit of an unaware user. This paradigmatic scenario shows how poor session management in a web application can be used to break the authentication scheme.
We want to show how two-factor authentication can be broken by a trivial session-management error in the application code.

Scenario
Actors: Attacker; Spoofed sender (victim); Receiver, who gets an MMS from the spoofed sender; MMS platform and web application; TELCO network.
The company has developed a web application that lets a mobile subscriber compose and send an MMS to another user. The sender is authenticated with a one-time password (OTP) received via SMS. In this presentation we describe how it is possible to send an MMS with a spoofed sender while charging another unaware user (-0.7 euro credit!).

How Authentication & Billing work
[1] Sender composes an MMS, enters the receiver MSISDN and begins the authentication process
[2] Server sends a form asking for the sender MSISDN
[3] POST sender MSISDN
[4] Network sends an SMS with the OTP via GSM
[4] Server sends a form asking for the OTP
[5] POST the OTP received on the mobile phone; two-factor authentication (OTP) OK
[6] Server sets cookies holding the OTP and the MSISDN on the browser
[7] Call the servlet to charge the user: charge the sender, send the MMS to the receiver
[8] Send the MMS to the receiver via GPRS; "Sent MMS ok!"
(Participants: Sender, Receiver, Web App, TELCO Network)

How to charge another subscriber
[7] Call the servlet to bill the user with the cookies received. If the attacker changes the HTTP GET, altering the sender MSISDN to the spoofed MSISDN (victim), the spoofed MSISDN is billed and the MMS is sent to the receiver.
(Participants: Attacker, Receiver, Web App, TELCO Network, Spoofed user)

Slide 7: Let's show the vulnerability in the authentication scheme

Slide 8: Target: send an MMS to a user (MSISDN = 3xxxxxxx20) while charging another, spoofed user (MSISDN = 3xxxxxxx99).
---Network Message--- Your credit is: 38.7000 Euro (initial credit of the spoofed user 3xxxxxxx99)
Preparing the lesson. Tools for the attacker (MSISDN = 3xxxxxxx59): mobile phone, web browser, Internet connection, proxy to intercept HTTP requests/responses (e.g. WebScarab)

Slide 9: [1] Sender composes an MMS, enters the receiver MSISDN and begins the authentication process
(Participants in slides 9-15: Attacker (59), Receiver (20), Web Server, Spoofed user (99))

Slide 10: [2-3] OTP request
[2] Server sends a form asking for the sender MSISDN
[3] POST sender MSISDN

Slide 11: [4] OTP arrives on the sender's mobile phone
[4] Network sends an SMS with the OTP via GSM
[4] Server sends a form asking for the OTP received on the mobile phone

Slide 12: [5] POST OTP via web
[5] POST the OTP received on the mobile phone

Slide 13: [6] Authentication and Set-Cookie
Authentication with OTP ok! Two-factor authentication (OTP) OK; the server sets cookies holding the OTP and the MSISDN on the browser:
Set-Cookie: codeOneShot=51566
Set-Cookie: msisdnOneShot=3xxxxxxx59
Set-Cookie: sessionID=B46G0HyPA1u2YQZW8en5TfcllGH1o3d44q4Y48….

Slide 14: [7] Hacking the billing
[7] Call the servlet to bill the user, with the sender MSISDN in the request altered by the proxy. Charge sender: 3xxxxxxx99 !!

Slide 15: [8] Sent MMS ok
[7] Call the servlet to charge the user: charge the (spoofed) sender, send the MMS to the receiver
[8] Send the MMS to the receiver via GPRS; "Sent MMS ok!" (-0.7 euro from the spoofed user's credit)

Slide 16: It was possible to send an MMS to a mobile destination while modifying the sender mobile subscriber: it was possible to send an MMS and bill another mobile user without his approval, decreasing the credit of a mobile subscriber. MMS spoofing & billing! How secure was session management??? The OTP step itself worked; the billing servlet trusted the sender MSISDN carried in the client request instead of the identity established by that OTP login.
The vulnerability is now fixed.
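The flow in steps [1]-[8] and the step-[7] tampering shown on slides 14-15, as an added example that is not part of the original presentation or the TELCO's code: an in-memory model of the OTP login and the billing servlet, with the servlet written twice, once trusting the MSISDN supplied by the client (the vulnerability) and once billing the MSISDN bound server-side to the OTP session (the fix). MSISDNs, cookie names and the 0.7 euro price follow the slides; the credit table, the OTP generator, the Request model and the handler names are constructed for the example.

```python
"""Model of the MMS web application's OTP login and billing step.

Added example (not the TELCO's code or the presentation's): an in-memory model of
steps [1]-[8] from the slides, with the step-[7] billing servlet implemented
twice: once trusting the sender MSISDN carried in the client request (the
vulnerability) and once using the MSISDN bound server-side to the OTP session
(the fix). MSISDNs, cookie names and the MMS price follow the slides; the OTP
generator, the credit table and the request model are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field

MMS_COST_CENTS = 70  # -0.7 euro per MMS, as on the slides

ATTACKER, RECEIVER, VICTIM = "3xxxxxxx59", "3xxxxxxx20", "3xxxxxxx99"


@dataclass
class Request:
    """Minimal HTTP request: query parameters (the GET the attacker edits) and cookies."""
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class MmsApp:
    def __init__(self):
        # Constructed prepaid credit table in cents; 38.70 euro is the victim's
        # credit shown on slide 8.
        self.credit = {ATTACKER: 1000, RECEIVER: 500, VICTIM: 3870}
        self.pending_otp = {}   # msisdn -> OTP sent by SMS, awaiting step [5]
        self.sessions = {}      # sessionID -> MSISDN that passed the OTP check
        self.sms_outbox = []    # stand-in for the GSM network (step [4])

    def request_otp(self, msisdn):
        """Steps [2]-[4]: browser POSTs the sender MSISDN, network sends the OTP."""
        otp = f"{secrets.randbelow(100_000):05d}"
        self.pending_otp[msisdn] = otp
        self.sms_outbox.append((msisdn, otp))

    def verify_otp(self, msisdn, otp):
        """Steps [5]-[6]: check the OTP, then set the cookies seen on slide 13.

        Returns the cookie dict handed to the browser, or None on failure.
        """
        expected = self.pending_otp.pop(msisdn, None)   # one-shot: a retry needs a new SMS
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = msisdn                      # identity lives server-side
        # As deployed, the OTP and MSISDN were also pushed into cookies; a hardened
        # server would set only sessionID (HttpOnly, Secure) and keep the OTP private.
        return {"codeOneShot": otp, "msisdnOneShot": msisdn, "sessionID": sid}

    def _bill(self, msisdn):
        if msisdn not in self.credit or self.credit[msisdn] < MMS_COST_CENTS:
            return None
        self.credit[msisdn] -= MMS_COST_CENTS
        return msisdn

    def charge_vulnerable(self, req):
        """Step [7] as deployed: the billed MSISDN is whatever the client sent."""
        if req.cookies.get("sessionID") not in self.sessions:
            return None  # the OTP login itself was fine; the flaw is what comes next
        msisdn = req.params.get("msisdnSender") or req.cookies.get("msisdnOneShot")
        return self._bill(msisdn)

    def charge_fixed(self, req):
        """Step [7] hardened: bill the MSISDN bound to the server-side session.

        Any msisdnSender parameter or msisdnOneShot cookie the client supplies
        is ignored, so editing the GET in a proxy changes nothing.
        """
        msisdn = self.sessions.get(req.cookies.get("sessionID"))
        if msisdn is None:
            return None
        return self._bill(msisdn)


def run_attack(handler_name):
    """Replay slides 9-15: attacker 59 logs in with their own OTP, then swaps the
    sender MSISDN for the victim's in the step-[7] request (as with WebScarab).

    Returns (MSISDN actually billed, credit table after the call).
    """
    app = MmsApp()
    app.request_otp(ATTACKER)
    _, otp = app.sms_outbox[-1]                  # attacker reads the SMS on their own phone
    cookies = app.verify_otp(ATTACKER, otp)
    assert cookies is not None, "two-factor login must succeed for the attacker"
    tampered = Request(params={"msisdnSender": VICTIM, "msisdnReceiver": RECEIVER},
                       cookies=cookies)
    billed = getattr(app, handler_name)(tampered)
    return billed, dict(app.credit)


if __name__ == "__main__":
    for handler in ("charge_vulnerable", "charge_fixed"):
        billed, credit = run_attack(handler)
        print(f"{handler}: billed {billed}, victim credit now {credit[VICTIM] / 100:.2f} euro")
```

Running the script shows the two outcomes side by side: with `charge_vulnerable` the victim (99) loses 0.70 euro although only the attacker (59) ever passed the OTP check, while with `charge_fixed` the tampered `msisdnSender` parameter is never consulted and the attacker's own credit is debited. The design point is that the OTP proves who holds the phone at login time, so the MSISDN to bill must be looked up from the server-side session created at that moment, never read back from a parameter or cookie the browser controls.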