Challenge 4 – Mars
Get tickets to Mars.Explore the possibilities.
Last updated
Flying to Mars? We haven’t seen such a possibility so far. We have something similar though - flying to Paris.
Despite the name, the basic functionality is simple. The page is run by admins or an automated script. Once run, it will go through each user account. If the user has more than 2000 reward points, the page will send a ticket to the user.
Let us visualize that:
There is only one condition to be met for a user to earn the ticket - their account should have more than 2000 points at the time of the check.
Let us see if the application is performing those checks:
Go to the Sign up page
Create two user accounts - Tom and Jerry
Go to Admin > Manage Users
Edit user Tom’s rewards points to 3000
Navigate to Admin > Ticket to Mars
The page is working. The app says Tom is eligible and Jerry is not.
We need to find a way to get two tickets to Mars. How can we do that? What if we transfer points from Tom’s account to Jerry’s account immediately before the app checks Jerry’s balance? Let us try that.
It’s time to slow down TimeGap Theory:
On your browser, navigate to TimeGap Theory > Settings
Change the Mars wait to 5 seconds
Click on the Save button
Now, TimeGap Theory will wait 5 seconds before every database write operation.
Preparation phase
Open transfer rewards page
Click on the first $10 from Tom to Jerry button
Change the transfer amount to 2000
Alright, the preparation is done. Here comes the exploitation phase.
Exploitation phase
Open another browser or private/incognito window
On the new window, navigate to TimeGap Theory > Webapp > Admin > Ticket to Mars
Immediately go to the first browser window and click on the Transfer button
Let us see whether that worked
Post-exploitation phase
Let us wait for both browser windows to complete their requests
You can see that both Tom and Jerry got tickets to Mars
If you check Tom’s balance, you will see that it is now less than 2000
If you check your scores, you will see that you have got 100 points for completing the Mars challenge.
Don't forget to change the Main Wait back to 0 on the Settings page.
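The race above is a time-of-check/time-of-use bug: the ticket sweep checks a balance, pauses before its database write, and the transfer slips in between. The following is an added example, not TimeGap Theory's own code, that models the sweep and the transfer as two threads over an in-memory ledger. The names Ledger, transfer, issue_tickets and run_scenario, the starting balances (Tom 3000, Jerry 100) and the use of threading events to force the interleaving are all assumptions made for the demonstration. The vulnerable run reproduces the two-tickets-for-one-balance outcome; the hardened run makes the whole sweep and the whole transfer mutually exclusive, so the sweep sees one consistent snapshot of balances.

```python
import threading
from dataclasses import dataclass, field

THRESHOLD = 2000  # more than 2000 points earns a ticket


@dataclass
class Ledger:
    """Toy stand-in for the app's database: points per user and issued tickets."""
    points: dict
    tickets: set = field(default_factory=set)
    lock: threading.RLock = field(default_factory=threading.RLock)


def transfer(ledger, src, dst, amount, before_write=lambda: None):
    """Vulnerable shape: read the balance, pause, then write. Nothing stops the
    sweep from reading in between the check and the write."""
    src_balance = ledger.points[src]
    if src_balance < amount:
        return False
    before_write()  # models the "Mars wait" before a database write
    ledger.points[src] = src_balance - amount
    ledger.points[dst] += amount
    return True


def issue_tickets(ledger, before_write=lambda: None):
    """Vulnerable sweep: check each user, then write the ticket after a pause."""
    for user in list(ledger.points):
        if ledger.points[user] > THRESHOLD:  # time of check
            before_write()                   # the transfer lands here
            ledger.tickets.add(user)         # time of use
    return set(ledger.tickets)


def transfer_safe(ledger, src, dst, amount, before_write=lambda: None):
    """Hardened: check and write happen under one lock, so no sweep can
    observe a half-finished transfer (a serializable transaction in a real DB)."""
    with ledger.lock:
        return transfer(ledger, src, dst, amount, before_write)


def issue_tickets_safe(ledger, before_write=lambda: None):
    """Hardened: the entire sweep runs under the same lock, so every balance it
    reads belongs to one consistent snapshot and transfers wait their turn."""
    with ledger.lock:
        return issue_tickets(ledger, before_write)


def run_scenario(hardened):
    """Run the admin sweep and an attacker's transfer concurrently.
    Returns (tickets issued, final balances)."""
    ledger = Ledger(points={"Tom": 3000, "Jerry": 100})  # constructed sample data
    tom_checked = threading.Event()
    transfer_done = threading.Event()

    def sweep_pause():
        # The sweep is about to write Tom's ticket; give the transfer a chance.
        tom_checked.set()
        # In the hardened run the transfer is blocked on the lock, so this
        # wait simply times out and the sweep carries on.
        transfer_done.wait(timeout=0.5)

    def attacker():
        tom_checked.wait()
        (transfer_safe if hardened else transfer)(ledger, "Tom", "Jerry", 2000)
        transfer_done.set()

    worker = threading.Thread(target=attacker)
    worker.start()
    sweep = issue_tickets_safe if hardened else issue_tickets
    tickets = sweep(ledger, before_write=sweep_pause)
    worker.join()
    return tickets, dict(ledger.points)


if __name__ == "__main__":
    for hardened in (False, True):
        tickets, points = run_scenario(hardened)
        print("hardened" if hardened else "vulnerable", sorted(tickets), points)
```

In the vulnerable run the sweep reads Tom at 3000, the transfer moves 2000 to Jerry while the ticket write is pending, and the sweep then reads Jerry at 2100, so 3100 points buy two tickets. In the hardened run the transfer still completes, but only after the sweep has finished, so exactly one ticket is issued. The lock is the in-process equivalent of running the sweep in a single database transaction with row locks (or a serializable isolation level); the detection angle for defenders is the same either way: the number of tickets issued exceeding the number of accounts that ever held more than the threshold at one time.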
We are skipping the automation part for this chapter. In the real world, attackers would use the same automation technique mentioned on the transfer-rewards page. They would then schedule their automation program to run at a specific time of their choosing. If the attacker knows from past experience that the Ticket to Mars program usually starts running at 12am on January 1st, they will schedule their attack script to trigger at exactly that time.
What would be the business impact of such an attack? Depending on how the app is designed, there are several possibilities:
Users may keep circling their points/money between accounts to collect the benefit repeatedly
The business will end up spending far more on benefits than it anticipated
Let us review what we did:
The Ticket to Mars program gives a benefit to users who have more than 2000 reward points
You checked this functionality first
You slowed down the system and bypassed the business logic