OWASP Orange County - October Meeting

Topic: Revenge of the Geeks: Hacking Fantasy Sports Sites

In this talk, I’ll show all my IT security geek friends in the OWASP community how they can win the Super Bowl! I’ll walk through the anatomy of a hack against popular Fantasy Football and Baseball mobile applications, showing every “sneak play” required to control the application. The tools and techniques used in this hack can be applied against any mobile application. These applications leverage rich new formats like JSON and REST to deliver a rich user experience and, not surprisingly, are exposing the same familiar vulnerabilities like SQL and command injection, yet are not being effectively tested.

In this particular application, mistakes in the application’s session management enabled me to break down the nested communication formats and finally inject targeted payloads to manipulate both teams’ lineups, to make sure my players were on top and to cause my opponents to lose. I also found that I could post false comments on the message board from the victim’s account.

After we walk through the sack, I mean hack, we’ll abstract these techniques, tie them directly to OWASP best practices, and apply them to other mobile applications so participants will walk away with specific tools and techniques to better understand mobile back-end hacking. Are you ready for some football?

This presentation will:

Provide an overview and details about each of the various formats (JSON, REST, SOAP, GWT, and AMF) in popular use today.

Provide clear examples of basic mobile app insecurity.

Demonstrate how to set up an environment to start watching mobile traffic, including how to leverage WiFi Pineapple hardware to set up a local access point.

Demonstrate how to inject malicious characters into these services to find vulnerabilities.

Discuss what tools are available to automate this process and make it a little easier.

Show examples of real vulnerabilities in mobile apps in use today.

Speaker: Dan Kuykendall

Mr. Kuykendall is involved with the Web Application Security Consortium and is a regular contributor to many open source development projects. He was a founder of the phpGroupWare project and creator of podPress. Dan podcasts to educate the public about web application security issues from his blog at manvswebapp.com and as co-host of An Information Security Place Podcast. He has presented at HouSecCon, B-SidesLA, B-SidesSF, B-Sides Atlanta, THOTCON, ToorCon and AppSec USA.


  • Ryan H.

    Good to see a few new faces in the crowd. Thanks to Dan for coming in and Ron for coordinating another great meeting.

    October 15, 2013

  • Adrian T.

    Thanks Dan - Fun talk on App security

    Working my way through your Security Survival Guide at http://www.manvswebapp.com/

    October 15, 2013

  • Duane C.

    Not going to make it Monday.

    October 13, 2013

  • BSides O.

    15 Additional tickets available for BSides OC 2013 (Friday, Oct 4, 2013)
    https://bsidesoc.org

    October 2, 2013
