Tips for Building Third-Party School Service

aaaddress1@gmail.com

Ma Sheng-Hao (aaaddress1, aka adr)TDOHacker Debug Guy

Speaker TDOHConf 2016 HITCON CMT 2015 SITCON 2016 HITCON CMT 2016 Lightning Talk BSidesLV ICNC MC2015

C/C++, C#, VB, MASM, Python, Swift, Node.js, Java Windows

, , , cuteRansomware, Adr'sFB

Sorry, Node.js

CoC O__Q

murmur

....

HTTP

HTTP

User Application Browser Mobile Apps

HTTP

User Application Browser Mobile Apps

HTTP

Browser

HTTP

1. 2. 3. 4.

5.

e.g. Chrome, Firefox, Safari

Browser

1. 2.

CookieHeaderBody

HTTP

HTTP

Browser

HTTP Traffic Analytics Browser (Static)

HTTP

HTTP

HTTP

HTTP

HTTP

1. 2.

HTTP

HTTP

BOT

BOT

Application

POST/GET

Application School Server

POST /Login HTTP/1.1usr=adr&pass=handsome

HTTP/1.1 200 OK Set-Cookie: gg=ininder;

BOT

Application School Server

GET /helloWorld HTTP/1.1 Cookie: gg=ininder;

HTTP/1.1 200 OK hello world! adr

Cookie: gg=ininder;

BOT

Application School Server

GET /helloWorld HTTP/1.1 Cookie: gg=ininder;

HTTP/1.1 200 OK hello world! adr

Cookie: gg=ininder;

UI

BOT

Application School Server

GET /timeTable HTTP/1.1 Cookie: gg=ininder;

HTTP/1.1 200 OK english

Cookie: gg=ininder;

BOT

Application School Server

Cookie: gg=ininder;

BOT

Application School Server

Cookie: gg=ininder;

BOT

Android Windows iOS

Android Windows iOS

App.java App.cpp App.swift

...

Application (User Side)

School Server

Cookie: gg=ininder;

Application User Side

School Server

Cookie: gg=ininder;

Cookie: gg=ininder;

Node.js + Express

Application User Side

Cookie: gg=ininder;

HTTP Basic

POST /?act=InInDer HTTP/1.1 HOST: big.gg.com girls=will&love=it

HTTP Basic

POST /?act=InInDer HTTP/1.1 HOST: big.gg.com adr=have&cat=dog

Header

HTTP Basic

POST /?act=InInDer HTTP/1.1 HOST: big.gg.com adr=have&cat=dog

Query

HTTP Basic

POST /?act=InInDer HTTP/1.1 HOST: big.gg.com adr=have&cat=dog Body (POST)

Node.js + Request

BOT School Server

Cookie: gg=ininder;

Application (User Side)

School Server

Cookie: gg=ininder;

Application School Server

Cookie: gg=ininder;

Cookie: gg=ininder;

Session

Application School Server

Cookie: gg=ininder;

Cookie: gg=ininder;

Application School Server

Cookie: key=9487;

Cookie: gg=SESSION[9487];

SESSION RAM

...

SESSION RAM

...

HTTP Status 500

Cookie

Cookie

Cookie

1. JS : substr, split, charAt, slice, 2. : ^123([\d]+)$ 3. Cheerio.js

JS var Str = Hello world

> Str = Str.slice(Str.indexOf('>') + 1) > Str = Str.slice(0, Str.indexOf(

var Str = Hello world

> Str.match(/[^\x20]+([^

Cheerio.jsvar Str = Hello world

> Str = require(cheerio).load(Str)('title').text() > Str.split(\x20')[1] 'world'

aaaddress1/m00d1e.js

Header

CAPTCHA

CAPTCHA

30cm.tw/?p=512

CAPTCHA

CAPTCHA

CAPTCHA

CAPTCHA

CAPTCHA

CAPTCHA

CAPTCHA

CAPTCHA

aaaddress1/easyChptchaOCR

Moodle

Browser User Side

School Server

Cookie: gg=ininder;

Cookie: gg=ininder;

Browser User Side

School Server

Cookie: gg=ininder;

Cookie: gg=ininder;

Browser User Side

School Server

Cookie: gg=ininder;

Cookie: gg=ininder;

Cross-site request forgery

Content Security Policy (CSP)

isu.30cm.tw/isuMoodle

isu.30cm.tw/isuMoodle

Cross Domain Login Moodle

Browser User Side

School Server

Cookie: gg=ininder;

Browser User Side

Cookie: gg=ininder;

iframe moodle Javascript

IFRAME User Side

Moodle

USERNAME = usr & PASSWORD = pass

IFRAME User Side

Moodle

Cookie: gg=ininder;

Browser User Side

Moodle

Cookie: gg=ininder;

Browser User Side

Moodle

Cookie: gg=ininder;

github.com/aaaddress1/isuMaster-NodeJS

github.com/Valve/fingerprintjs

http://github.com/Valve/fingerprintjs

github.com/aaaddress1/isuMaster-NodeJS

http://github.com/aaaddress1/isuMaster-NodeJS

QA aaaddress1@gmail.com