They did it. Our team of security professionals hacked the ECorp Bank at DefCamp 2016 in the “Hack the Bank” contest.

They had an account with 1 RON and increased their balance to 1.000.000 RON.

Let’s hear more about how they did it –

“At first we aimed for bypassing the logic of the application and checked for validation issues, but the application was strong at that.

Then we remembered that, usually, transactions from one account to another are vulnerable to Race Condition – a vulnerability where two potential processes compete against each other to complete because they happen almost at the same time.

We were right.

We used Burp to run parallel transfers from one account to another and the server started to duplicate the money in the accounts.

[screenshot: bank]

This was the money that we initially had in the account.

[screenshot: ecorpbank2]

We started to transfer the Leu from one account to another and captured the request with Burp. Then, we repeated the process, but with two parallel requests.

[screenshot: ecorpbank3]

[screenshot: ecorpbank5]

And… now we’re rich and very happy.

[screenshot: ecorpbank4]

In the end, it was really fun! Thumbs up for the whole experience!”
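The race the team describes is the classic "check, then act" pattern in a transfer handler: the server reads the source balance, validates it, and later writes a new balance computed from that stale read. The following is an added illustration written for this page; it is not code from the contest application or from the team. It replaces real threads with a cooperative scheduler that advances two "requests" one step at a time, so the duplicating interleaving is reproduced deterministically, and puts the vulnerable handler next to a hardened one whose check and debit are a single atomic step. Account names, amounts and the step labels are constructed for the example.

```python
# Added example: models the transfer race from the post with a deterministic
# scheduler. Not the contest application's code; account data is constructed.


def transfer_racy(balances, src, dst, amount):
    """Vulnerable check-then-act transfer (constructed).

    The handler reads the balance, validates it, and then writes a value
    derived from that read. Each yield marks a point where another request
    may run, which is what two parallel HTTP requests give an attacker.
    """
    src_balance = balances[src]               # step 1: read the balance
    yield "read"
    if src_balance < amount:                  # step 2: validate the stale read
        return False
    yield "checked"
    balances[src] = src_balance - amount      # step 3: debit from the stale value
    yield "debited"
    balances[dst] = balances[dst] + amount    # step 4: credit the destination
    return True


def transfer_atomic(balances, src, dst, amount):
    """Hardened transfer (constructed): the check and the debit are one step.

    The dict mutation below stands in for a single conditional statement such as
    UPDATE accounts SET balance = balance - :amt WHERE id = :src AND balance >= :amt
    whose affected-row count tells the handler whether the debit happened.
    Because nothing runs between the check and the write, a second request
    always sees the already-debited balance.
    """
    if balances[src] < amount:                # check and debit with no gap between
        return False
    balances[src] -= amount
    yield "debited"
    balances[dst] += amount
    return True


def run_sequential(*transfers):
    """Finish each request before starting the next: what single-request
    testing exercises, and why it does not reveal the race."""
    results = []
    for gen in transfers:
        try:
            while True:
                next(gen)
        except StopIteration as done:
            results.append(done.value)
    return results


def run_interleaved(*transfers):
    """Round-robin scheduler: advance every in-flight request by one step before
    any of them advances again. This is the interleaving that parallel
    requests can produce and the worst case for check-then-act code."""
    results = [None] * len(transfers)
    pending = list(enumerate(transfers))
    while pending:
        still_running = []
        for index, gen in pending:
            try:
                next(gen)
                still_running.append((index, gen))
            except StopIteration as done:
                results[index] = done.value
        pending = still_running
    return results


def total_money(balances):
    """Invariant a transfer must preserve: the sum of all balances."""
    return sum(balances.values())


if __name__ == "__main__":
    # Constructed starting state: 1 unit in account A, as in the post.
    racy = {"A": 1, "B": 0}
    print(run_interleaved(transfer_racy(racy, "A", "B", 1),
                          transfer_racy(racy, "A", "B", 1)), racy)
    fixed = {"A": 1, "B": 0}
    print(run_interleaved(transfer_atomic(fixed, "A", "B", 1),
                          transfer_atomic(fixed, "A", "B", 1)), fixed)
```

Run sequentially, both versions behave correctly, which is why validation testing alone did not expose the bug; run interleaved, the racy handler accepts both requests and the total grows from 1 to 2, while the atomic handler rejects the second request and the total stays at 1. The same invariant check (sum of balances before equals sum after) is a cheap detection to run over a transaction log.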

Our team of security professionals is currently enjoying the second day of DefCamp 2016.

After they return to Cluj, two members of our team, Andrei and Daniel, will be speaking about application security at CODECAMP Cluj-Napoca, on November 19, and also at the OWASP Cluj-Napoca #11 meeting, which we will be hosting on November 24. Hope to see you there!