Challenge 3 – Transfer

Transfer reward points between users.

Transferring rewards is not something we do every day. But sending money is. Think of the transfer rewards as sending money. The basic functionality is identical.

Let us look at a sample transfer rewards flow:

There are three conditions to be met for the transaction to be successful:

  1. Transaction amount should be a positive number

  2. Payer and payee cannot be the same

  3. The payer should have enough balance in their account

Let us see if the application is performing those checks. Go to the Sign up page and create two user accounts: Tom and Jerry.

Transaction amount should be a positive number:

  1. Go to the Transfer page

  2. Put in a negative number in the amount field

  3. Click on the Transfer button

Payer and payee cannot be the same:

  1. Go to the Transfer page

  2. Select the same user as payer and payee

  3. Put in 10 as the amount

  4. Click on the Transfer button

Payer should have enough balance in their account:

  1. Go to the Transfer page

  2. Select a payer and payee

  3. Put in 300 as the amount

  4. Click on the Transfer button

Let us visualize the happy path with the help of a sequence diagram:

Our aim is to bypass the business logic and send more reward points than we have. How can we do that? We need to submit multiple transfers before the application deducts the first one from the balance, so that every transfer passes the balance check against the same, not yet updated, balance.

It’s time to slow down TimeGap Theory:

  1. On your browser, navigate to the Settings page

  2. Change the time delay to 5 seconds

  3. Click on the Save button

Now, TimeGap Theory will wait 5 seconds before every database write operation.
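The following is an added example, not code from TimeGap Theory or this page, that models the transfer endpoint in Python with SQLite so the race can be reproduced and fixed offline. It assumes a two-column accounts table (name, balance) and uses a `delay` parameter to stand in for the lab's "Main wait" before the write. `transfer_vulnerable` does the three checks from the start of the challenge as a read followed by a separate write, which is the time-of-check/time-of-use window; `transfer_atomic` folds the balance check into the debit statement itself and wraps the transfer in one write transaction, so two concurrent transfers of 90 points from a 100-point account leave exactly one of them succeeding.

```python
import os
import sqlite3
import tempfile
import threading
import time

# Constructed starting balances, mirroring the lab's Tom (100 points) and Jerry.
START_BALANCES = {"Tom": 100, "Jerry": 0}


def make_db():
    """Create a throwaway SQLite database holding the two sample accounts (assumed schema)."""
    path = os.path.join(tempfile.mkdtemp(), "rewards.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")  # readers never block the single writer
    con.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", START_BALANCES.items())
    con.commit()
    con.close()
    return path


def connect(path):
    # isolation_level=None: each statement commits on its own unless we BEGIN explicitly.
    # timeout=5: wait for a concurrent writer instead of failing with "database is locked".
    return sqlite3.connect(path, timeout=5, isolation_level=None)


def validate(payer, payee, amount):
    """Rules 1 and 2 from the challenge; rule 3 (sufficient balance) is checked against the database."""
    return amount > 0 and payer != payee


def transfer_vulnerable(path, payer, payee, amount, delay):
    """Check-then-act as separate statements: the TOCTOU pattern the lab exploits."""
    if not validate(payer, payee, amount):
        return False
    con = connect(path)
    try:
        (balance,) = con.execute("SELECT balance FROM accounts WHERE name = ?", (payer,)).fetchone()
        if balance < amount:              # time of check
            return False
        time.sleep(delay)                 # stands in for the lab's "Main wait" before the write
        con.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, payer))  # time of use
        con.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, payee))
        return True
    finally:
        con.close()


def transfer_atomic(path, payer, payee, amount, delay):
    """Debit only if the balance is still sufficient, inside one write transaction."""
    if not validate(payer, payee, amount):
        return False
    con = connect(path)
    try:
        con.execute("BEGIN IMMEDIATE")    # take the write lock now; a second transfer waits here
        time.sleep(delay)
        cur = con.execute(
            "UPDATE accounts SET balance = balance - ? WHERE name = ? AND balance >= ?",
            (amount, payer, amount),
        )
        if cur.rowcount != 1:             # check and debit are one statement: no window to race
            con.execute("ROLLBACK")
            return False
        con.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, payee))
        con.execute("COMMIT")
        return True
    finally:
        con.close()                       # closing with an open transaction rolls it back


def race(transfer, amount=90, delay=0.3):
    """Fire two identical transfers concurrently, like the two browsers in the lab."""
    path = make_db()
    results = []

    def worker():
        results.append(transfer(path, "Tom", "Jerry", amount, delay))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    balances = dict(con.execute("SELECT name, balance FROM accounts"))
    con.close()
    return sorted(results), balances


if __name__ == "__main__":
    print("check-then-act:", race(transfer_vulnerable))  # ([True, True], {'Tom': -80, 'Jerry': 180})
    print("atomic update: ", race(transfer_atomic))      # ([False, True], {'Tom': 10, 'Jerry': 90})
```

The fix does not depend on SQLite: on MySQL or PostgreSQL the same conditional `UPDATE ... WHERE balance >= ?` with an affected-row check, or a `SELECT ... FOR UPDATE` inside the transaction, closes the window, and the amount and payer/payee checks must run on the server as well, since the client-side form is not a trust boundary.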

Preparation phase

  1. Open two browsers side by side (use a private/incognito window if you do not have two browsers)

  2. On both the browsers:

    1. Navigate to the Login page

    2. Click on the first user button - this will fill the form with details of the user Tom

    3. Navigate to the Transfer rewards page

    4. If the account has a balance of 100 points, enter a smaller amount, say 90, as the transfer value in both browsers

    5. Select Tom as the payer

    6. Select Jerry as the payee

    7. Note down the balance on Jerry’s account (displayed in parentheses)

Alright, the preparation is done. Here comes the exploitation phase.

Exploitation phase

  1. Click on the Transfer button on the first browser

  2. Go to the second browser as fast as you can

  3. Click on the Transfer button on the second browser

There comes our third and final phase:

Post-exploitation phase

  1. Let us wait for both the browsers to complete the request

  2. You can see that the transfer operations were successful on both the browsers

  3. Check the balance of user Jerry

  4. Phew. You transferred more points from Tom’s account than they had

  5. If you check your scores, you will see that you have got 100 points for transfer challenge

  6. Don't forget to change the delay back to 0 on the Settings page

Automation time

Let’s try and automate this.

First, we need a valid fetch request:

  1. Open your browser (Chrome or Firefox)

  2. Navigate to TimeGap Theory > Login

  3. Click on the first user button. This will fill the user details for user Tom

  4. Click on the login button

  5. Navigate to TimeGap Theory > Webapp > User > Transfer rewards

  6. Click on the first $10 from Tom to Jerry button. This will fill the form with some transfer details.

  7. Open up dev tools by pressing F12 on the browser

    1. On Windows, you can use Ctrl + Shift + I

    2. On Mac, you can use Cmd + Shift + I

  8. Click on the Transfer button

  9. On the browser dev tools, click on the Network tab

  10. Right click on the transfer-rewards.php request

  11. Click on Copy > Copy as fetch

Paste that on the Console tab of the browser dev tools. You will get something like the following:

Again, don’t worry if you see a slightly bigger request. That is just your browser being naughty. You can use that request as it is, or use the one shown above.

Now we have a request, and we need two.

You can paste the fetch request twice without pressing the Enter key in between. However, it is good practice to separate each request with a comma, so let us do that:

Before running this new command, we need to clear the slate. It involves two simple steps:

  1. Ensure that there is no delay

    1. Go to TimeGap Theory > Settings

    2. Ensure that the Main wait is set to 0

  2. Clear the current score

    1. Go to TimeGap Theory > Score

    2. Click on the Clear button

Alright, our slate is clear. Let us execute the attack now:

  1. Enter the combined fetch requests on the Console tab of browser dev tools

  2. Click on the To field to see the rewards on each account

  3. Now you see a negative value in Tom’s account

  4. You also see a corresponding change in Jerry’s account

  5. Go to TimeGap Theory > Score

  6. Check if you got points for completing the Transfer rewards challenge

What would be the business impact of such an attack? Depending on how the app is designed, there are several possibilities:

  1. A user may start a huge number of parallel requests and transfer this boatload of money/points to an account controlled by them or by their friends/relatives

  2. An attacker may work with friends to perform these transactions back and forth an unlimited number of times

Let us review what we did:

  1. The transfer rewards page is performing basic checks to prevent abuse

  2. One of these checks includes checking the payer’s account to see if they have sufficient balance

  3. You analyzed this behavior by trying to transfer more points than what you have in balance

  4. First, you slowed down the system and bypassed the business logic

  5. Then you bypassed the business logic by using browser dev tools

  6. You must have noticed during the automation phase that accessing the transfer-rewards page does not require authentication.

    1. If you manually enter the transfer-rewards page URL on your browser, you will be able to access this page without logging in first

    2. This made the TOCTOU exploitation slightly easier. No need to worry. In upcoming chapters, you will learn how to exploit TOCTOU issues in authenticated pages as well.

  7. Now you know how TOCTOU security issues can affect money/points transfer pages
