Challenge 3 – Transfer
Transfer reward points between users.
Transferring rewards is not something we do every day, but sending money is. Think of transferring rewards as sending money: the basic functionality is identical.
Let us look at a sample transfer rewards flow:
(Figure: sample transfer rewards flow)
There are three conditions to be met for the transaction to be successful:
1. The transaction amount should be a positive number
2. The payer and payee cannot be the same
3. The payer should have enough balance in their account
Let us see if the application is performing those checks. Go to the Sign up page and create two user accounts - Tom and Jerry
Transaction amount should be a positive number:
1. Go to the Transfer page
2. Put in a negative number in the amount field
3. Click on the Transfer button
Payer and payee cannot be the same:
1. Go to the Transfer page
2. Select the same user as payer and payee
3. Put in 10 as the amount
4. Click on the Transfer button
Payer should have enough balance in their account:
1. Go to the Transfer page
2. Select a payer and payee
3. Put in 300 as the amount
4. Click on the Transfer button
Let us visualize the happy path with the help of a sequence diagram:
(Figure: happy-path sequence diagram)
Our aim is to bypass the business logic and send more reward points than we have. How can we do that? We need to submit multiple transactions before the application deducts the first one from the balance.
It’s time to slow down TimeGap Theory:
1. On your browser, navigate to the Settings page
2. Change the time delay to 5 seconds
3. Click on the Save button
Now, TimeGap Theory will wait 5 seconds before every database write operation.
Preparation phase
1. Open two browsers side by side (use a private/incognito window if you do not have two browsers)
2. On both browsers:
   1. Navigate to the Login page
   2. Click on the first user button; this will fill the form with the details of the user Tom
   3. Navigate to the Transfer rewards page
   4. If the account balance is 100 points, enter a smaller amount, say 90, as the transfer value in both browsers
   5. Select Tom as the payer
   6. Select Jerry as the payee
   7. Note down the balance on Jerry’s account (shown in parentheses)
Alright, the preparation is done. Here comes the exploitation phase.
Exploitation phase
1. Click on the Transfer button on the first browser
2. Go to the second browser as fast as you can
3. Click on the Transfer button on the second browser
There comes our third and final phase:
Post-exploitation phase
1. Wait for both browsers to complete the request
2. You can see that the transfer operations were successful on both browsers
3. Check the balance of user Jerry
4. Phew. You transferred more points from Tom’s account than they had
5. If you check your scores, you will see that you have got 100 points for the transfer challenge
6. Don't forget to change the delay back to 0 on the Settings page

Automation time

Let’s try and automate this.
First, we need a valid fetch request:
1. Open your browser (Chrome or Firefox)
2. Navigate to TimeGap Theory > Login
3. Click on the first user button. This will fill in the user details for user Tom
4. Click on the login button
5. Navigate to TimeGap Theory > Webapp > User > Transfer rewards
6. Click on the first $10 from Tom to Jerry button. This will fill the form with some transfer details.
7. Open up dev tools by pressing F12 on the browser
   1. On Windows, you can use Ctrl + Shift + I
   2. On Mac, you can use Cmd + Shift + I
8. Click on the Transfer button
9. On the browser dev tools, click on the Network tab
10. Right click on the transfer-rewards.php request
11. Click on Copy > Copy as fetch
Paste that on the Console tab of the browser dev tools. You will get something like the following:
(Screenshot: the copied fetch request)
Again, don’t worry if you see a slightly bigger request. That is just your browser being naughty. You can use that request as it is, or use the one shown above.
Now we have one request, and we need two. That can be done by pasting the fetch request twice without pressing the Enter key in between. However, it’s good practice to separate the two requests with a comma. Let us do that.
(Screenshot: the two fetch requests separated by a comma)
Before running this new command, we need to clear the slate. It involves two simple steps:
1. Ensure that there is no delay
   1. Go to TimeGap Theory > Settings
   2. Ensure that the Main wait is set to 0
2. Clear the current score
   1. Go to TimeGap Theory > Score
   2. Click on the Clear button
Alright, our slate is clear. Let us execute the attack now:
1. Enter the combined fetch requests on the Console tab of the browser dev tools
2. Click on the To field to see the rewards on each account
3. Now you see a negative value in Tom’s account
4. You also see a corresponding change in Jerry’s account
5. Go to TimeGap Theory > Score
6. Check if you got points for completing the Transfer rewards challenge
What would be the business impact of such an attack? Depending on how the app is designed, there are several possibilities:
1. A user may start a huge number of parallel requests and transfer this boatload of money/points to an account controlled by them or by their friends/relatives
2. An attacker may work with friends to perform these transactions back and forth an unlimited number of times
Let us review what we did:
1. The transfer rewards page performs basic checks to prevent abuse
2. One of these checks inspects the payer’s account to see if they have sufficient balance
3. You analyzed this behavior by trying to transfer more points than you have in balance
4. First, you slowed down the system and bypassed the business logic
5. Then you bypassed the business logic again using browser dev tools
6. You must have noticed during the automation phase that accessing the transfer-rewards page does not require authentication.
   1. If you manually enter the transfer-rewards page URL in your browser, you will be able to access this page without logging in first
   2. This made the TOCTOU exploitation slightly easier. No need to worry. In upcoming chapters, you will learn how to exploit TOCTOU issues in authenticated pages as well.
7. Now you know how TOC/TOU security issues can affect money/points transfer pages
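The check-then-write pattern behind this challenge, next to the fix, as an added example that is not TimeGap Theory's own code: a constructed SQLite database with Tom at 100 and Jerry at 0, two threads each moving 90 points, and a WRITE_DELAY constant standing in for the Main wait setting. Function names, the table layout and the delay value are all assumptions.

```python
import sqlite3
import tempfile
import threading
import time

WRITE_DELAY = 0.5  # seconds; stands in for the app's "Main wait" before a DB write
SQL_DEBIT = "UPDATE accounts SET balance = balance - ? WHERE name = ?"
SQL_DEBIT_IF_FUNDS = SQL_DEBIT + " AND balance >= ?"  # check and debit in one statement
SQL_CREDIT = "UPDATE accounts SET balance = balance + ? WHERE name = ?"


def transfer_racy(path, payer, payee, amount):
    """Vulnerable: balance is checked (TOC) in one statement and debited (TOU) in another."""
    with sqlite3.connect(path, timeout=5) as conn:
        balance = conn.execute("SELECT balance FROM accounts WHERE name = ?", (payer,)).fetchall()[0][0]
        if amount <= 0 or payer == payee or balance < amount:
            return False
        time.sleep(WRITE_DELAY)  # the window both browsers squeeze through
        conn.execute(SQL_DEBIT, (amount, payer))
        conn.execute(SQL_CREDIT, (amount, payee))
    return True  # leaving the with-block committed both updates


def transfer_atomic(path, payer, payee, amount):
    """Fix: conditional UPDATE inside a BEGIN IMMEDIATE transaction; credit only if debited."""
    if amount <= 0 or payer == payee:
        return False
    with sqlite3.connect(path, timeout=5, isolation_level="IMMEDIATE") as conn:
        if conn.execute(SQL_DEBIT_IF_FUNDS, (amount, payer, amount)).rowcount != 1:
            conn.rollback()  # insufficient funds: nothing was changed
            return False
        time.sleep(WRITE_DELAY)  # same delay, harmless now: the second request waits for the lock
        conn.execute(SQL_CREDIT, (amount, payee))
    return True


def race(transfer, amount=90):
    """Constructed scenario: Tom has 100, Jerry 0; two concurrent transfers Tom -> Jerry."""
    path = tempfile.mkdtemp() + "/rewards.db"
    with sqlite3.connect(path) as conn:
        conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
        conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("Tom", 100), ("Jerry", 0)])
    threads = [threading.Thread(target=transfer, args=(path, "Tom", "Jerry", amount)) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with sqlite3.connect(path) as conn:
        return dict(conn.execute("SELECT name, balance FROM accounts").fetchall())
```

race(transfer_racy) leaves Tom at -80 and Jerry at 180, exactly the outcome of the two-browser run above; race(transfer_atomic) leaves Tom at 10 and Jerry at 90 because the second request's conditional UPDATE touches no row.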