Revenge of the Geeks: Hacking Fantasy Sports Sites

Presented at AppSec USA 2013, Nov. 20, 2013, 2 p.m. (50 minutes)

Video of session: https://www.youtube.com/watch?v=a7asG7rbsHo&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=37

In this talk, I'll show how all my IT security geek friends in the OWASP community can win the Super Bowl! I'll walk through the anatomy of a hack against popular Fantasy Football and Baseball mobile applications, showing every "sneak play" required to control the application.

The tools and techniques used in this hack can be applied against any mobile application. These applications leverage rich new formats like JSON and REST to deliver a rich user experience, and, not surprisingly, are exposing the same familiar vulnerabilities like SQL and command injection, yet are not being effectively tested. In this particular application, mistakes with the application's session management enable me to break down the nested communication formats and finally inject targeted payloads to manipulate both team lineups, to make sure my players were on top and to cause my opponents to lose. I also found that I could post false comments on the message board from the victim's account. After we walk through the sack, I mean hack, we'll abstract these techniques, tie them directly to OWASP best practices, and apply them to other mobile applications so participants will walk away with specific tools and techniques to better understand mobile back-end hacking. Are you ready for some football?

This presentation will:

--Provide an overview and details about each of the various formats (JSON, REST, SOAP, GWTk, and AMF) in popular use today
--Provide clear examples of basic mobile app insecurity
--Demonstrate how to set up an environment to start watching mobile traffic, including how to leverage WiFi Pineapple hardware to set up a local access point
--Demonstrate how to inject malicious characters into these services to find vulnerabilities
--Discuss what tools are available to automate this process and make it a little easier
--Show examples of real vulnerabilities in mobile apps in use today

Attendees will be given a whitepaper with the details of the complete setup demonstrated in the talk.
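As an added illustration of the "inject malicious characters into nested formats" step the abstract outlines (example code written for this page, not the speaker's tooling or anything from the whitepaper): a small Python mutator that walks a JSON request body, descends into string fields that themselves carry a JSON document, and emits one mutated body per string leaf and probe, re-encoding the nested document so the outer envelope stays well-formed and only the targeted field carries the probe. The request shape, the probe list and the "<json>" path sentinel are constructed assumptions, not anything captured from a real fantasy-sports API.

```python
import json
from typing import Any, Iterator, List, Tuple

# Constructed sample request body, not captured from any real app: a JSON
# envelope whose "data" field carries a second, JSON-encoded document as a
# string (the nested-format pattern the talk describes).
SAMPLE_BODY = {
    "session": "abc123",
    "action": "set_lineup",
    "data": json.dumps({
        "team_id": 42,
        "lineup": [{"slot": "QB", "player": "P. Manning"}],
        "note": "start",
    }),
}

# Hypothetical probe strings: characters that tend to surface SQL, command
# or structural (JSON-breaking) injection when echoed or interpreted.
PROBES = ["'", "\"", ";", "' OR '1'='1", "$(id)", "{\"x\":1}"]

# Sentinel used in paths to mean "descend into the JSON document encoded in
# this string". Assumes no real key is literally "<json>".
NESTED = "<json>"

Path = Tuple[Any, ...]


def _parse_nested(s: str):
    """Return the dict/list encoded in s, or None if s is not a JSON container."""
    try:
        v = json.loads(s)
    except ValueError:
        return None
    return v if isinstance(v, (dict, list)) else None


def walk_strings(obj: Any, path: Path = ()) -> Iterator[Tuple[Path, str]]:
    """Yield (path, value) for every string leaf, recursing into strings
    that themselves hold a JSON object or array."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk_strings(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_strings(v, path + (i,))
    elif isinstance(obj, str):
        inner = _parse_nested(obj)
        if inner is None:
            yield path, obj
        else:
            yield from walk_strings(inner, path + (NESTED,))


def set_at(obj: Any, path: Path, new_value: str) -> Any:
    """Return a copy of obj with the string at path replaced. A NESTED step
    decodes the string, edits inside it and re-encodes, so the outer
    envelope remains valid JSON and only the target field carries the probe."""
    if not path:
        return new_value
    key, rest = path[0], path[1:]
    if key == NESTED:
        return json.dumps(set_at(json.loads(obj), rest, new_value))
    if isinstance(obj, dict):
        copy = dict(obj)
    elif isinstance(obj, list):
        copy = list(obj)
    else:
        raise TypeError("path does not lead through a container: %r" % (obj,))
    copy[key] = set_at(obj[key], rest, new_value)
    return copy


def mutate(body: Any, probes: List[str] = PROBES) -> List[Tuple[Path, str, Any]]:
    """Produce one (path, probe, mutated_body) per string leaf and probe.
    The original body is never modified."""
    out = []
    for path, value in walk_strings(body):
        for probe in probes:
            out.append((path, probe, set_at(body, path, value + probe)))
    return out


if __name__ == "__main__":
    # Show the first few mutated requests as they would be sent to the server.
    for path, probe, mutated in mutate(SAMPLE_BODY)[:3]:
        print(path, repr(probe))
        print("  ", json.dumps(mutated))
```

Each mutated body is a complete request ready to replay through an intercepting proxy; because the nested document is re-serialized rather than string-edited, a server that rejects the request tells you something about the field, not about a broken envelope. The same walk-and-reencode approach extends to other wrapped formats the abstract lists (for example a JSON string carried inside a SOAP or AMF envelope) by adding a decode/encode pair per layer.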

Presenters:

  • Dan Kuykendall - co-CEO and CTO - NT OBJECTives
    Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan's dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated automation techniques. Dan joined NTO from Foundstone, where he was a key developer of FoundScan's scan management and remediation capabilities. Before Foundstone, Dan was the founder of the Information Security team in the United States branches of Fortis. When Dan's not working on NTO products or screen sharing with our customers to help them solve their application security challenges, you'll find him blogging, co-hosting the An Information Security Place Podcast and speaking at conferences like B-Sides, OWASP AppSecUSA, HouSecCon, ToorCon and more. He also works with industry groups and contributes to many open source development projects. A little-known fact about Dan: he was a founder of the phpGroupWare project and the creator of podPress.
