Full Report
In Vegas I bought Herman “Exploiting Online Games” by Greg Hoglund and Gary McGraw. Being the saint that I am, I looked at the book thoroughly on the plane on the way home. Fortunately I was able to verify that most of the pages were there and intact and that there were no blatant spelling or grammatical errors – it wouldn’t do to give Herman a broken book. Whilst I was checking Herman’s gift *anyway*, I figured it wouldn’t hurt to also read and absorb some of the content – just to make sure I wasn’t giving him nonsense (with all due respect to Greg and Gary). In particular, what interested me was whether their thinking on online games held any lessons for the work we more traditionally do on online financial and e-commerce systems. I thought the book was fascinating, particularly in this context. What follows is a mind dump of some of the thoughts I had as I was reading.
Analysis Summary
## Main Topic
Lessons drawn from the book "Exploiting Online Games" regarding security vulnerabilities and attack vectors, specifically applying these concepts to threats observed in online financial and e-commerce systems.
## Key Points
- **Hacking *inside* the game:** Security analysis should focus on attacking the inherent logic and rules of an application (application logic exploitation) rather than solely focusing on the underlying host or data.
- **Domain Expertise as a Security Hurdle:** Assessing complex systems (like online trading sites or games) requires deep domain knowledge (e.g., understanding poker or the stock market), posing a challenge for standard security assessments.
- **Threat Modeling for Objective Identification:** The process of Threat Modeling, which involves bringing developers, business owners, and security personnel together, is crucial for eliciting potential attacker objectives from system owners who hold intrinsic knowledge of the application's rules.
- **Collaboration Attacks:** Two or more entities collaborating (e.g., in a gambling game or an online auction) create nearly undetectable attack patterns.
- **'Edge' Case Exploits (State Transitions):** Security often breaks down at transition points where information or state is handed over between different components or servers. In gaming, this is exemplified by exploits occurring during server hops (e.g., player location changes).
- **Relevance to Web Systems:** State transfer mechanisms like Single Sign-On (SSO) in web applications are analogous to server-to-server transitions in games and represent high-risk 'edge cases'.
- **Race Conditions:** These are explicitly mentioned as a vulnerability class relevant to the analysis.
## Threat Actors
- No specific named threat actors or APT groups were identified, as the analysis focuses on conceptual attacker objectives within gaming scenarios applied metaphorically to financial systems.
## TTPs
- **Logic Exploitation:** Attacking the application logic to achieve in-game objectives (e.g., copying resources like gold or weapons, playing without paying).
- **Race Conditions:** Exploiting temporal weaknesses during state changes.
- **Server State Manipulation (Duplication/Rollback):** Attacks involving rapid transitions between servers during a transaction, rolling back one's own state on the source while retaining the benefit already granted on the destination (a form of collaborative duping).
- **Denial of Service (DoS):** Used to remove competitors, specifically mentioned in the context of online auctions.
- **Botting:** Utilizing automated processes, necessitating defenses like CAPTCHA.
## Affected Systems
- **Online Games:** Mentioned as the source material (e.g., WoW).
- **Online Financial Systems:** Specifically, Internet Banking systems.
- **E-commerce Systems:** Including online trading sites and online auction platforms.
- **Web Application Components:** Specifically citing Single Sign-On (SSO) infrastructure where state handover occurs.
## Mitigations
- **Enhanced Threat Modeling:** Intensified focus on the "Understand the business" phase of security assessment through threat modeling workshops to draw out attacker objectives from domain experts.
- **Bot Detection:** Implementing mechanisms like CAPTCHA to counter automated activity.
- **Focus on State Transitions:** Specific attention must be paid to security during data handover points between components/servers (the 'edges'), such as those involved in SSO flows.
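The duplication-by-rollback pattern listed under TTPs, and the "edge" handover that the mitigation above says needs attention, as an added toy model (not code from the book or from the original post): two shards, a handover that makes the destination credit durable before the source debit is, and a hardened handover that journals the transfer on the source first so that recovery after a rollback finishes or refunds it instead of resurrecting the item. The Server class, the journal layout and the escrow/credit/finish steps are assumptions of this example, not any real game or banking server's design.

```python
import copy
import uuid

class Server:
    # One shard: 'durable' survives a crash/rollback, 'live' does not.
    def __init__(self, inventory):
        self.durable = {"inv": inventory, "journal": {}}
        self.live = copy.deepcopy(self.durable)
    def save(self):      # explicit commit or periodic autosave
        self.durable = copy.deepcopy(self.live)
    def rollback(self):  # crash / forced disconnect: unsaved live state is lost
        self.live = copy.deepcopy(self.durable)

def handover_vulnerable(src, dst, player, item):
    # Destination credited durably, source debited only in memory and left to
    # the next autosave: a source rollback in that window duplicates the item.
    dst.live["inv"].setdefault(player, []).append(item)
    dst.save()
    src.live["inv"][player].remove(item)

def escrow(src, player, item):
    # Hardened step 1: debit and journal the transfer durably before sending.
    tid = str(uuid.uuid4())
    src.live["inv"][player].remove(item)
    src.live["journal"][tid] = {"player": player, "item": item, "state": "escrow"}
    src.save()
    return tid

def credit(dst, tid, player, item):
    # Step 2: idempotent credit keyed by the transfer id, so retries are safe.
    if tid not in dst.live["journal"]:
        dst.live["inv"].setdefault(player, []).append(item)
        dst.live["journal"][tid] = "credited"
        dst.save()

def finish(src, tid):
    # Step 3: close the journal entry on the source.
    src.live["journal"][tid]["state"] = "done"
    src.save()

def recover(src, dst):
    # After a source rollback: finish escrows the destination durably recorded, refund the rest.
    for tid, rec in src.live["journal"].items():
        if rec["state"] == "escrow":
            if tid in dst.durable["journal"]:
                rec["state"] = "done"
            else:
                src.live["inv"][rec["player"]].append(rec["item"])
                rec["state"] = "refunded"
    src.save()
```

The same shape (durable intent record on the debiting side, idempotent credit keyed by a transfer id, reconciliation on recovery) is what makes an SSO or funds-transfer handover survive a crash or deliberate disconnect without minting a second copy of the asset or session.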
## Conclusion
The core insight is that the techniques used to exploit the internal logic and rule-sets of online games provide valuable analogies and lessons for assessing the security of high-value financial and e-commerce applications. Security analysis must incorporate deep domain knowledge, particularly when scrutinizing state transitions ('edges') and collaborative attack vectors, which are high-risk areas mirroring those found in gaming exploits.