Robin Hack

By Ed Skoudis

Sherwood Forest Bank was a medium-sized, regional financial institution.  The bank recently deployed a new Internet-accessible web application.  Using this application, Sherwood Forest's customers could access their account balances, transfer money between accounts, pay bills, and conduct other on-line financial business through a web browser.

The Sheriff of Nottinghack was in charge of information security at Sherwood Forest Bank.  After one month in production, the Internet banking application was the object of several customer complaints.  Mysteriously, the account balances of many of Sherwood Forest's wealthiest customers had been changed!  However, no money had left the bank; it had only been transferred between accounts.  An attacker had taken money from high-balance accounts and moved it to the accounts of some of the less-well-off bank customers.  Someone was hacking from the rich and giving to the poor!

Given this attack profile, the Sheriff assumed it was his old nemesis, Robin Hack, up to his tricks.  To understand how Robin and his band of Merry Hackers had accomplished this attack, the Sheriff reviewed the web application's logs.  Although the team that designed the web application had little security knowledge, they were at least bright enough to include reasonable application-level logging.  The following is an excerpt from Sherwood Forest's on-line banking web application logs:

<snip>
Attempted login of unknown user: zzzx
Attempted login of unknown user: zzzy
Attempted login of unknown user: zzzz
Attempted login of unknown user: bar";
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table test--
Login of user buy, sessionID= 0x75627579626F6F6B
Login of user counter, sessionID= 0x75627579539E13BE
Login of user hack, sessionID= 0x7562757944CCB811
Login of user surf1, sessionID= 0x7562757935FB5C64
Logout of user surf1
Login of user rich_guy, sessionID= 0x75627579272A00B7
Transfer Funds user rich_guy
Pay Bill user rich_guy
Logout of user rich_guy
<snip>

Questions:

1) What types of attacks had Robin Hack attempted, and which one most likely succeeded?
2) What kind of tools would Robin use to conduct such an attack?
3) How should the web application have been developed to prevent this type of attack?
4) What should the Sheriff of Nottinghack do next?
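As an added example, not part of the original challenge, the following Python script runs over the log excerpt above (copied inline as constructed input).  It separates the failed logins into plain username guessing and SQL-injection probes, decodes the session IDs, and checks them for a static prefix and a constant stride between consecutive values, which is the property that lets an attacker compute another user's session ID from the ones handed to him; it also shows the CSPRNG-based generation the application should have used.  The log-line regexes, the injection-pattern regex, and the 16-byte token length are this example's own choices, not anything from Sherwood Forest's application.

```python
import re
import secrets

# Log lines copied from the excerpt above (constructed input for this example).
LOG_EXCERPT = """\
Attempted login of unknown user: zzzx
Attempted login of unknown user: zzzy
Attempted login of unknown user: zzzz
Attempted login of unknown user: bar";
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table test--
Login of user buy, sessionID=  0x75627579626F6F6B
Login of user counter, sessionID= 0x75627579539E13BE
Login of user hack, sessionID= 0x7562757944CCB811
Login of user surf1, sessionID= 0x7562757935FB5C64
Logout of user surf1
Login of user rich_guy, sessionID= 0x75627579272A00B7
Transfer Funds user rich_guy
Pay Bill user rich_guy
Logout of user rich_guy
"""

# Line formats are assumed from the excerpt; \s* tolerates the stray double space.
FAILED_RE = re.compile(r"^Attempted login of unknown user: (.*)$")
LOGIN_RE = re.compile(r"^Login of user (\S+), sessionID=\s*0x([0-9A-Fa-f]+)$")
# Quote characters, comment markers and SQL keywords have no business in a
# username but are typical of SQL-injection probing (heuristic, this example's own).
SQLI_RE = re.compile(r"""['";]|--|\b(or|and|drop|union|select)\b""", re.IGNORECASE)


def classify_failed_logins(log):
    """Split failed logins into plain username guessing and SQL-injection probes."""
    guesses, sqli = [], []
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        (sqli if SQLI_RE.search(name) else guesses).append(name)
    return guesses, sqli


def extract_sessions(log):
    """Return [(user, session_id_as_int)] in login order."""
    out = []
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2), 16)))
    return out


def analyse_session_ids(sessions, width_bits=64):
    """Check a sequence of session IDs for a static prefix and a constant stride."""
    ids = [sid for _, sid in sessions]
    hexes = [f"{i:0{width_bits // 4}X}" for i in ids]
    # Longest common hex prefix across all IDs: static bytes carry no entropy.
    prefix = ""
    for chars in zip(*hexes):
        if len(set(chars)) != 1:
            break
        prefix += chars[0]
    deltas = [a - b for a, b in zip(ids, ids[1:])]
    constant_stride = len(deltas) > 0 and len(set(deltas)) == 1
    return {
        "static_prefix_hex": prefix,
        "static_prefix_ascii": bytes.fromhex(prefix).decode("ascii", "replace")
        if len(prefix) % 2 == 0 else "",
        "deltas": deltas,
        "predictable": constant_stride,
        # With a constant stride, the next ID issued is the last one minus that stride.
        "predicted_next": ids[-1] - deltas[0] if constant_stride else None,
    }


def generate_session_id(nbytes=16):
    """How the IDs should have been generated: CSPRNG output with no structure."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    guesses, sqli = classify_failed_logins(LOG_EXCERPT)
    print("username guesses:     ", guesses)
    print("SQL injection probes: ", sqli)
    report = analyse_session_ids(extract_sessions(LOG_EXCERPT))
    print(f"static prefix: 0x{report['static_prefix_hex']} ({report['static_prefix_ascii']!r})")
    print("deltas:", [hex(d) for d in report["deltas"]])
    if report["predictable"]:
        print(f"constant stride, next expected ID: 0x{report['predicted_next']:016X}")
    print("a properly generated session ID:", generate_session_id())
```

On the excerpt every ID carries the same leading four bytes (0x75627579, ASCII "ubuy") and consecutive IDs differ by exactly 0x0ED15BAD, so anyone holding a few of his own session IDs can compute the one issued to the next user to log in.  A 128-bit value from `secrets.token_hex` has no such structure, and the same check run on a sample of those IDs reports neither a common prefix nor a constant stride.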