Gaming Application Penetration Testing - My Favorite 9 Business Logic Flaws

Application Scenario

The target application is an online gaming application that offers a variety of games to play, and users can earn money by playing them. The application organizes battles in which two users compete in a game and the winner receives money. It also awards coins for playing games, which users can later exchange for profile pictures and other items, and users can withdraw the money they have earned.

Let’s Discuss Different Scenarios.

Scenario 1:  To Earn Unlimited Coins Without Playing The Game

Description of Feature

The application has a feature to play a game and earn coins. For example, if I play and complete a game, I get 10 points for it. Later I can spend these points on profile pictures, products, etc.

Attack Scenario

An attacker has to find the HTTP request through which the application awards the points. By running Burp Intruder on that request, the attacker gets points added to their account on every replay, so they can earn unlimited coins without playing the game again and again.

Steps To Perform Attack

Note: Identifying the HTTP request which updates the gaming score is the important part.

1) Play and complete the game, and capture the HTTP request which updates the gaming score.
2) Replay the request multiple times, or run Intruder as follows: send the request to Intruder => select the attack type Sniper => go to the Payloads tab, select the Null payloads type and, in the payload options, set the generate count to any value, for example 100.
3) You will earn unlimited coins without playing the game again.


Scenario 2: To Increase Score & Win the Match & Earn Money

Description of Feature

The application has a module to play the match with any other user and if you score more, you win the match and you will receive the real winning amount. 

Attack Scenario

An attacker can win the match by increasing the score and can earn that winning amount.

Steps To Perform Attack

Note: Identifying the HTTP request which updates the gaming score is the important part.

1) Log in to the application.
2) Play and complete the game.
3) Capture the HTTP request which updates the score of your game, replace the game_score value with a higher score, and forward the request. The score gets updated and you win the match.
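The server-side fix for Scenarios 1 and 2 is the same: tie the reward to a server-issued game session that can be rewarded only once, and compute the score from events the server recorded rather than from a client-supplied game_score. The following is an added example, not code from the original post; all names are hypothetical.

```python
"""Added example: a game-session ledger that rejects replayed reward requests
(Scenario 1) and ignores a client-supplied score (Scenario 2)."""
import secrets
from dataclasses import dataclass, field

COINS_PER_COMPLETION = 10  # constructed reward, matches the post's example


@dataclass
class GameSession:
    user_id: str
    token: str
    server_score: int = 0      # score as recorded by the server's game logic
    completed: bool = False
    rewarded: bool = False


@dataclass
class Ledger:
    sessions: dict = field(default_factory=dict)
    coins: dict = field(default_factory=dict)

    def start_session(self, user_id: str) -> str:
        """Issue an unguessable session token; the reward is bound to it."""
        token = secrets.token_urlsafe(16)
        self.sessions[token] = GameSession(user_id, token)
        return token

    def record_move(self, token: str, points: int) -> None:
        """Game events are scored here, server-side, never from a client total."""
        session = self.sessions[token]
        if not session.completed:
            session.server_score += points

    def complete(self, token: str) -> None:
        self.sessions[token].completed = True

    def award(self, user_id: str, token: str, client_score: int = 0) -> int:
        """Handler for the 'update score / give coins' request.
        client_score is accepted only to show that it is ignored."""
        session = self.sessions.get(token)
        if session is None or session.user_id != user_id:
            raise PermissionError("unknown session or wrong user")
        if not session.completed:
            raise ValueError("game not completed")
        if session.rewarded:               # replayed request -> nothing awarded
            return 0
        session.rewarded = True
        self.coins[user_id] = self.coins.get(user_id, 0) + COINS_PER_COMPLETION
        return COINS_PER_COMPLETION

    def final_score(self, token: str) -> int:
        return self.sessions[token].server_score
```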


Scenario 3: Information Disclosure

Description of Feature

The gaming application has a leaderboard through which a user can see who is in the top 10. On the leaderboard, the application only shows the NAME of the top 10 players on the GUI/frontend of the application. 

Attack Scenario

An attacker captures the leaderboard HTTP request, and the response discloses each leaderboard user's password, personal mobile number, email address, address, referral code, coins, money, etc. None of this is displayed on the GUI of the application, but it lets an attacker view the users' personal information.

Steps To Perform Attack

Capture the leaderboard HTTP request; the response discloses the users' personal information.
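The fix for Scenario 3 is to build the API response from an explicit allowlist of fields rather than serialising the whole user record. The following is an added example, not code from the original post; the user records are constructed for illustration.

```python
"""Added example: leaderboard response built from a field allowlist, plus a
response-side guard that flags sensitive keys before they leave the server."""

# Constructed user records as they might be read from the database.
USERS = [
    {"name": "player_one", "score": 980, "email": "p1@example.test",
     "mobile": "+10000000001", "password_hash": "<hash>", "coins": 40},
    {"name": "player_two", "score": 1210, "email": "p2@example.test",
     "mobile": "+10000000002", "password_hash": "<hash>", "coins": 12},
]

# The only fields the leaderboard endpoint is allowed to emit.
LEADERBOARD_FIELDS = ("name", "score")
# Fields that must never appear in a leaderboard payload.
SENSITIVE_FIELDS = {"email", "mobile", "password_hash", "address",
                    "referral_code", "coins", "money"}


def leaderboard(users, top_n=10):
    """Rank by score and project each record onto the allowlist."""
    ranked = sorted(users, key=lambda u: u["score"], reverse=True)[:top_n]
    return [{"rank": i + 1, **{f: u[f] for f in LEADERBOARD_FIELDS}}
            for i, u in enumerate(ranked)]


def leaks_sensitive(payload) -> bool:
    """True if any entry in the payload carries a sensitive key."""
    return any(SENSITIVE_FIELDS & set(entry) for entry in payload)
```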


Scenario 4: To Withdraw Unlimited Money

Description of Feature

The application has a module to withdraw the money that the user has earned by playing the games.

Attack Scenario

When an attacker wants to withdraw earned money, she gives a negative amount (-500000). Instead of removing that money, the application credits it to the attacker's gaming account, and the attacker can then withdraw it to her bank account.

Steps To Perform Attack

1) Go to the withdraw money module.
2) Enter some amount and capture that HTTP request in Burp Suite.
3) In the amount parameter, give a negative value (-50000).
4) Forward the request; this amount gets added to your gaming account.
5) Withdraw that money to your bank account.

Scenario 5: Using Coupon Code For Non-Applicable Purchases 

Description of Feature

The application has a module to add money. A user can add money and use some coupon for a certain amount, on which the application gives cashback.

Attack Scenario

Let's take an example: the application gives 10% cashback for adding 500 rs to your gaming account. As an attacker, she uses the same coupon code while adding less than 500 rs and still gets the 10% discount.

Steps To Perform Attack

1) Log in to the application and go to the add money module.
2) Add a minimum of 500 rs and get a 30% discount.
3) Enter 50 rs, apply the given coupon code, and capture the HTTP request.
4) Replace the amount value with 10, forward the request, and add the money.
5) Go to the profile module and observe that you get a 3 rupee bonus.


Scenario 6: To Use Profile Images Without Purchasing 

Description of Feature

The gaming application has a feature to buy the profile pictures of your choice of different characters. 

Attack Scenario

An attacker can use these profile images without buying those images. 

Steps To Perform Attack

1) Log in to the application and go to the edit profile module.
2) Click on any image to buy it and capture the HTTP request.
3) Replace the isPurchased value false with true and forward the request; the attacker can now use the image without buying it.


Scenario 7: Buy One Profile Picture and Use any Other Profile Image

Description of Feature

The gaming application has a feature to buy profile pictures with coins & money. 

Attack Scenario

An attacker who has bought one profile image can use any other profile image without buying it.

Steps To Perform Attack

1) Log in to the application and go to the edit profile module.
2) Click on an image which you have already bought and capture that HTTP request.
3) Replace the ham_id value with the ham_id of any other avatar image and forward the request; the attacker can now use that image without buying it.
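Scenarios 6 and 7 share one root cause: the server trusts the client to say what has been purchased. The fix is to keep ownership on the server and read only the avatar id from the request. The following is an added example, not code from the original post; the catalogue, prices and field names are hypothetical (ham_id is reused from the post).

```python
"""Added example: avatar purchase and selection decided from server-side
state, so a client-supplied isPurchased flag (Scenario 6) or a swapped
avatar id (Scenario 7) has no effect."""

# Constructed catalogue: avatar id -> price in coins
AVATARS = {"ham_01": 50, "ham_02": 120, "ham_03": 300}


class Account:
    def __init__(self, coins: int):
        self.coins = coins
        self.owned = set()        # authoritative ownership record
        self.avatar = None

    def purchase(self, avatar_id: str) -> int:
        """Charge the account and record ownership; returns remaining coins."""
        price = AVATARS.get(avatar_id)
        if price is None:
            raise ValueError("unknown avatar")
        if avatar_id in self.owned:
            return self.coins          # idempotent: never charge twice
        if self.coins < price:
            raise ValueError("not enough coins")
        self.coins -= price
        self.owned.add(avatar_id)
        return self.coins

    def select_avatar(self, request: dict) -> str:
        """Handler for the 'set profile image' request. Only ham_id is read
        from the client; an isPurchased field in the request is ignored."""
        avatar_id = request.get("ham_id")
        if avatar_id not in AVATARS:
            raise ValueError("unknown avatar")
        if avatar_id not in self.owned:    # ownership is checked server-side
            raise PermissionError("avatar not purchased")
        self.avatar = avatar_id
        return avatar_id
```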


Scenario 8: Open Google Cloud Bucket

Description of Feature

The application uses a Google Cloud Storage bucket to store users' data, such as KYC documents.

Attack Scenario

This bucket has read-only public access, which allows an attacker to view all of the users' sensitive files.

Steps To Perform Attack

Run the command below; it lists all the files in the bucket.

gsutil ls gs://bucket_name/
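On the defensive side, the same misconfiguration shows up in the bucket's IAM policy as a binding for allUsers or allAuthenticatedUsers, which is what gsutil iam get gs://bucket_name/ prints. The following is an added example, not code from the original post, that scans a policy in that JSON shape; the sample policy is constructed and the bucket name is a placeholder.

```python
"""Added example: flag bucket IAM bindings that grant access to public
principals (the Scenario 8 misconfiguration)."""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policy resembling a misconfigured bucket: objectViewer for everyone.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin",
         "members": ["user:kyc-ops@example.test"]},
    ],
    "etag": "CAE=",
})


def public_bindings(policy_json: str):
    """Return (role, member) pairs that expose the bucket to public principals."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def is_public(policy_json: str) -> bool:
    """True if any binding grants a role to a public principal."""
    return bool(public_bindings(policy_json))
```

Any binding reported here for a bucket holding KYC documents should be removed, for example with gsutil iam ch -d allUsers:objectViewer gs://bucket_name/.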


Scenario 9: Withdraw the Earned Money Without Verifying Your Account with KYC

Description of Feature

As we know, KYC plays a very important role when a user earns money from an online application. So in this application, users must verify their account with KYC before withdrawing money.

Attack Scenario

An attacker can withdraw money without verifying the account with KYC, due to improper server-side validation.

Steps To Perform Attack

1) Identify the module / HTTP request for which the user account must be KYC verified (in our scenario, the withdraw money request).
2) Capture that request and replay it with the authentication token of a user whose account is not KYC verified.
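Scenarios 4, 5 and 9 are all input and state validation that the server skipped: a non-positive amount, a coupon applied below its minimum, and a withdrawal by an account whose KYC flag is not set. The following is an added example, not code from the original post, of a wallet that enforces all three on the server; names and coupon values are hypothetical.

```python
"""Added example: server-side wallet enforcing positive amounts (Scenario 4),
coupon minimums (Scenario 5) and the KYC gate on withdrawal (Scenario 9)."""
from decimal import Decimal, InvalidOperation

# Constructed coupon table: code -> (minimum add amount, cashback percentage)
COUPONS = {"ADD500": (Decimal("500"), Decimal("10"))}


def parse_amount(raw) -> Decimal:
    """Accept only a strictly positive, well-formed amount (rejects '-50000')."""
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        raise ValueError("malformed amount")
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be positive")
    return amount.quantize(Decimal("0.01"))


class Wallet:
    def __init__(self, kyc_verified: bool = False):
        self.balance = Decimal("0")
        self.bonus = Decimal("0")
        # Set only by the KYC workflow; never taken from a client request.
        self.kyc_verified = kyc_verified

    def add_money(self, raw_amount, coupon: str = None) -> Decimal:
        """Credit the wallet; coupon eligibility is re-checked against the
        amount actually being added, before any state changes."""
        amount = parse_amount(raw_amount)
        cashback = Decimal("0")
        if coupon:
            if coupon not in COUPONS:
                raise ValueError("unknown coupon")
            minimum, pct = COUPONS[coupon]
            if amount < minimum:
                raise ValueError("amount below coupon minimum")
            cashback = (amount * pct / 100).quantize(Decimal("0.01"))
        self.balance += amount
        self.bonus += cashback
        return self.balance

    def withdraw(self, raw_amount) -> Decimal:
        """Debit the wallet; authorization comes from server state, not the request."""
        amount = parse_amount(raw_amount)
        if not self.kyc_verified:
            raise PermissionError("KYC verification required")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        return self.balance
```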

Conclusion 

Gaming applications are highly exposed to security breaches since they hold a lot of money and users' personal information. The majority of gaming applications are vulnerable to business logic flaws, which is why we have gone over a variety of them here.

Gamers are emotionally attached to gaming applications because they put in a lot of effort to reach the top. If an attacker can reach the top without playing the game, it is a significant loss for the company, since users lose faith in it. As a result, safeguarding the gaming application is critical.


Published on Feb 8, 2022
Vaishali Nagori
Written by Vaishali Nagori
Vaishali is a Penetration Tester, as well as a Dancer and a Learner. She works as a security consultant. She has worked on Web Application, API, Android, and iOS Penetration Testing. She has secured over 70 applications from a variety of industries, including e-commerce, banking, management, gaming, trading, government, tax management, and financial services. She enjoys dancing and interacting with new people. You can find her on LinkedIn: http://www.linkedin.com/in/vaishali-nagori
