breaking f&b solutions · 2018. 2. 11. · headless browsers • browser without a gui, often...
TRANSCRIPT
BreakingFraud&BotDetectionSolutions
MayankDhimanStealthSecurity
Agenda
• ArchitecturalOverview• ThreatModel• Issues&Attacks• Takeaways
FraudDetection
• Defendagainstfraudulentlogins,paymentsetc.
• Lookforanomaliesinactivityofauser,givenpastactivity.
BotDetection
• Defendagainstbotstryingtotestcredentialdumps,scrapingetc.
• Botdetectionsolutionslookforanomaliesacrossentirepopulationsandtimeperiods.
Account TakeOver FakeAccounts PII/PHITheft
CloudDeployment
Mitigator
ServiceProvider
ClientBrowser WebServer
WebRequest1
Fingerprint.js2
3
4.FormSubmission4
5.RiskScore5
6.Block6
6.Allow6
InlineDeployments
InlineDevice
ClientBrowser WebServer
Allow
Block
2
WebRequest1
3 4
4
Fingerprint.js2
ThreatModel
• Attackerhasfullcontroloverthebrowser.• Attackercancraftrequestsandmodifyresponsesaccordingtotheresponsesfromthewebserver.
FundamentalIssueI
• Attackercanreverseengineertheentiresensor
BrowserFingerprinting
https://panopticlick.eff.org/
BrowserFingerprinting• Hardware
– CPU Architecture&DeviceMemory– GPUCanvasFingerprinting– AudioStackFingerprinting
• Software– UserAgent– OSVersion
• Storage– LocalStorage– SessionStorage
• Display– ColorDepth– ScreenSize
• BrowserCustomizations– Fonts– Plugins– Codecs– MimeTypes– Timezone– UserLanguage
• Misc.– Floatingpointcalculations– Addbehavior/callbacks/objectstoDOMtocheckarealJSexecutionengine
BrowserFingerprinting(Fingerprintjs2)
https://github.com/Valve/fingerprintjs2
UserBehavior• Mouse
– Coordinatesofwherethemovemoved– Coordinatesofclicks
• Keyboard– Streamofkeypresses
• Touchpad– Coordinatesofwherethescreenwas
touched
UserBehavior
• DeviceOrientation– 3Dangleofdevicewhenevertheorientationchanges
• DevicePosition– Recordspeedofchangeofdevice’sposition.
Timing informationalongwitheventtypecanbeused tocreateaveryaccuratepictureofwhatinteractionstookplaceonthewebpage.
Anti-Tampering&Anti-Reversing
• JavaScriptObfuscation• XORbasedpackedcode• Randomizename/locationoftheJavaScriptfiletoload
• DynamicFields
Payload
• PayloadEncoding(Base64)• SymmetricEncryption(DES)• CustomEncryptionSchemes
FundamentalIssueII
• TherearenoguaranteesofthecorrectexecutionofJavaScript
HeadlessBrowsers
• BrowserwithoutaGUI,oftenusedforautomationandtesting.
• EitherrenderfullJSorrunJSinavirtualDOM.
StrippingAttack
Mitigator
ServiceProvider
ClientBrowser WebServer
WebRequest1
Fingerprint.js2
3
4.FormSubmission4
5.RiskScore5
6.Block6
6.Allow6
StrippingAttack
Mitigator
ServiceProvider
ClientBrowser WebServer
WebRequest1
Fingerprint.js2
3
4.FormSubmission4
5.RiskScore5
6.Block6
6.Allow6
StrippingAttack
InlineDevice
ClientBrowser WebServer
Allow
Block
2
WebRequest1
3 4
4
Fingerprint.js2
StrippingAttack
InlineDevice
ClientBrowser WebServer
Allow
Block
WebRequest1
4
4
Fingerprint.js2
FormPOST3
MITMProxy
ReplayAttacks
• Nocheckonfreshnessofpayload.
DynamicTokens
• Adynamictokenisgenerated,whichisderivedfromthetimestamp.
• Samelogiccanbereplicatedinascript.
FundamentalIssueIII
• TherearenoguaranteesofthelegitimacyofthedatacollectedbytheJavaScriptsensors.
ForgingBrowserFingerprints
• FPRANDOM– Modifiedbrowserwhichintroducesnoiseduringbrowserfingerprint.
• OpenWPM –WebPrivacyMeasurementsoftware.
• DatabaseofNormalFingerprints
https://github.com/plaperdr/fprandomhttps://github.com/citp/OpenWPM
ForgingBrowserFingerprints
BadGuysAreAlreadyDoingthis
• Anti-Detect*$399intheunderground
https://krebsonsecurity.com/2015/03/antidetect-helps-thieves-hide-digital-fingerprints/
UserBehavior
• Replaywithchangedtimestamps• Addripplesanddisturbances• UseMITMProxy
FundamentalIssueIV
• JavaScriptcan’tprotectallflows.
FundamentalIssueV
• Themitigative actionactsasanoraclefortheattacker.
OtherIssues
• Fraud/BotDetectionSolutionsarethemselvesFingerprintable.
• SimilarissuesexistformobileappSDKbasedsolutions.
Takeaways
• ImplementationandArchitecturalIssuesinmultipledeployments.
• JavaScriptrunsinanattackercontrolledenvironment.
• Understandthelimitationsofsuchsolutions.• Protectallflows.
Questions?