
Audit name:

[PT] Toobit | Web | Oct2024

Date:

Nov 29, 2024

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the Toobit team for the collaborative engagement that enabled the execution of this Pentest.

Document

Name: Pentest and Security Analysis Report for Toobit
Audited By: Ece Orsel
Approved By: Stephen Ajayi
Website: https://www.toobit.com/
Changelog: 18/10/2024 - Preliminary Report
Changelog: 06/01/2025 - Retest
Methodology: https://hackenio.cc/pentest_methodology


Audit Summary

Total Findings: 3
Resolved: 3
Accepted: 0
Mitigated: 0

The system users should acknowledge all the risks summed up in the risks section of the report.

Threat Modeling and Attack Scenarios

As part of the security assessment for the exchange platform, this threat modeling report analyzes potential vulnerabilities within the Spot Trading API and USDT Swap Trading API. The objective is to identify possible attack vectors, assess risks, and recommend mitigations to enhance the platform's security posture against adversaries.

Threats and Attack Scenarios

Each threat below is given with a description, an attack scenario, and its potential impact.

1. Broken Object Level Authorization (BOLA): Inadequate authorization checks allowing attackers to access or manipulate other users' data.

An attacker alters the user ID parameter in the API request to access another user's account details.

Potential Impact:

  • Unauthorized access to sensitive user information.

  • Unauthorized transactions on behalf of other users.

2. Broken Authentication: Weak authentication mechanisms enabling attackers to compromise API keys or tokens.

An attacker performs credential stuffing using commonly used passwords to gain access to user accounts due to lack of multi-factor authentication (MFA).

Potential Impact:

  • Account takeover.

  • Unauthorized transactions and data access.

3. Excessive Data Exposure: APIs returning more data than necessary, including sensitive information.

API responses include sensitive fields such as full credit card numbers or personal identification numbers, which can be intercepted and misused.

Potential Impact:

  • Privacy breaches.

  • Compliance violations (e.g., GDPR, PCI DSS).

4. Lack of Resources & Rate Limiting: Absence of proper rate limiting allows attackers to overwhelm the API.

An attacker initiates a Denial of Service (DoS) attack by sending a massive number of requests, causing service degradation or downtime.

Potential Impact:

  • Service unavailability for legitimate users.

  • Potential financial losses due to missed trades.

5. Mass Assignment: APIs automatically bind client inputs to data models without proper filtering.

An attacker includes additional parameters in the request to escalate privileges.

Potential Impact:

  • Unauthorized privilege escalation.

  • Compromise of administrative functions.

6. Security Misconfiguration: Improper configuration of security settings leading to vulnerabilities.

The API server is configured with default error messages that disclose stack traces or server information, aiding attackers in reconnaissance.

Potential Impact:

  • Information disclosure.

  • Facilitation of targeted attacks.

7. Injection Attacks: Failure to sanitize inputs allows attackers to inject malicious code.

An attacker injects SQL code in the order placement parameters.

Potential Impact:

  • Data corruption or loss.

  • Unauthorized data access.

8. Race Condition in Transfer Processes: Exploitation of timing flaws in the transfer processes to double-spend or manipulate account balances.

An attacker initiates multiple withdrawal requests in rapid succession before the system updates the account balance, leading to an overdraft or double-spend situation.

Potential Impact:

  • Financial loss due to unauthorized fund withdrawals.

  • Inaccurate account balances.

  • Compromise of transactional integrity.

9. Vulnerabilities in KYC Processes: Weaknesses in the KYC system that allow attackers to bypass identity verification or compromise sensitive data.

Attack Scenario 1: Bypassing KYC Verification

An attacker exploits insufficient validation in the KYC document upload process by submitting forged or manipulated documents that are accepted by the system.

Potential Impact:

  • Unauthorized account creation and access.

  • Facilitation of fraudulent activities such as money laundering.

Attack Scenario 2: Data Leakage of KYC Information

An attacker gains access to stored KYC documents due to improper access controls or insecure storage mechanisms.

Potential Impact:

  • Exposure of sensitive personal information.

  • Legal and compliance repercussions (e.g., GDPR violations).

  • Damage to the platform's reputation.

10. Cross-Site Request Forgery (CSRF): Unauthorized commands are transmitted from a user that the web application trusts.

An attacker crafts a malicious web page that sends authenticated requests to the API when a logged-in user visits it, performing actions without the user's consent.

Potential Impact:

  • Unauthorized fund transfers.

  • Unintended order placements or cancellations.

11. Insufficient Session Expiration: Sessions remain active beyond a reasonable period, increasing the window of opportunity for attackers.

An attacker obtains a user's session token (e.g., through XSS or phishing) and can use it indefinitely due to lack of session expiration.

Potential Impact:

  • Prolonged unauthorized access to user accounts.

  • Increased risk of account compromise.

Executive Summary

F-2024-6658 | KYC Integrity Issue: Verified User Information Can Be Changed Without Re-verification

Users who have completed Basic and Advanced KYC (Know Your Customer) verification can change their personal information without going through the required re-verification process. This means that after passing identity checks, they can alter their details at any time without further review, which weakens the KYC process. This vulnerability allows users to manipulate their verified identities, potentially leading to fraudulent transactions, identity theft, and other illegal activities. It also jeopardizes compliance with regulatory requirements like anti-money laundering (AML) laws.
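The remediation the finding calls for is that an edit to any verified identity attribute must invalidate the verification and route the account back through review. The following is an added illustration written for this report, not Toobit's code; the field names, status values and the `KycProfile` model are assumptions, and the vulnerable variant is shown only to contrast the two behaviours.

```python
from dataclasses import dataclass, field

# Constructed list of the attributes a reviewer verified against the submitted
# documents. Editing any of them must invalidate the verification.
IDENTITY_FIELDS = {"legal_name", "date_of_birth", "nationality", "document_number"}

VERIFIED_LEVELS = ("basic", "advanced")


@dataclass
class KycProfile:
    status: str = "unverified"      # unverified | pending | basic | advanced
    fields: dict = field(default_factory=dict)
    history: list = field(default_factory=list)


def update_profile_vulnerable(profile, changes):
    """The behaviour the finding describes: edits land directly and the
    verification status is left untouched."""
    profile.fields.update(changes)
    return profile


def update_profile(profile, changes, actor="user"):
    """Apply changes; an edit to any verified identity field resets KYC.

    The superseded values are recorded for audit and the status drops to
    'pending', which routes the account back through the compliance workflow.
    Non-identity fields (e.g. email) remain freely editable.
    """
    touched = {k for k, v in changes.items()
               if k in IDENTITY_FIELDS and profile.fields.get(k) != v}
    if touched and profile.status in VERIFIED_LEVELS:
        profile.history.append({
            "actor": actor,
            "previous_status": profile.status,
            "previous_values": {k: profile.fields.get(k) for k in touched},
        })
        profile.status = "pending"
    profile.fields.update(changes)
    return profile


def withdrawal_allowed(profile):
    """Sensitive operations are gated on a current, unmodified verification."""
    return profile.status in VERIFIED_LEVELS
```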

F-2024-6657 | Server-Side Request Forgery (SSRF)

The application is vulnerable to Server-Side Request Forgery (SSRF), where an attacker can make the server send requests to any external location by controlling request URLs or endpoints. This happens because the server processes user-supplied URLs without proper validation. While this SSRF vulnerability is limited to sending requests to external servers—without access to internal services or sensitive data—it still poses significant risks. Attackers could exploit this to proxy malicious requests through the server, perform port scans on external systems, or misuse the server's trust to interact with other services, leading to unauthorized actions or information disclosure.
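The standard fix for a user-supplied URL the server will fetch is to validate it against an explicit allowlist before any request is made. The check below is an added example written for this report, not the application's code; the allowed hosts are constructed, and the DNS resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only external hosts this feature should ever reach.
ALLOWED_HOSTS = {"api.example-partner.test", "cdn.example-partner.test"}


class UnsafeUrl(ValueError):
    """Raised when a user-supplied URL must not be fetched by the server."""


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=socket.gethostbyname):
    """Return a normalised URL the server may fetch, or raise UnsafeUrl.

    Checks: https only, no userinfo (blocks host@evil tricks), exact hostname
    allowlist, default port only, and the resolved address must be globally
    routable (defence in depth if an allowed name is ever pointed at an internal
    range). `resolve` is injectable so the check can be tested offline.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise UnsafeUrl(f"scheme not permitted: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials in URL are not permitted")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        raise UnsafeUrl(f"host not on allowlist: {host!r}")
    try:
        port = parts.port  # raises ValueError on a malformed port
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError) as exc:
        raise UnsafeUrl(f"malformed port or unresolvable host {host!r}") from exc
    if port not in (None, 443):
        raise UnsafeUrl(f"port not permitted: {port}")
    if not addr.is_global:
        raise UnsafeUrl(f"{host!r} resolves to non-public address {addr}")
    # Rebuild from the checked parts (fragment and userinfo dropped) so that
    # exactly what was validated is what gets fetched.
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{host}{parts.path or '/'}{query}"


def is_safe_outbound_url(url, **kwargs):
    """Boolean form of the check for callers that just want a verdict."""
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except UnsafeUrl:
        return False
```

The fetch that follows should have redirects disabled and should connect to the address that was validated, otherwise a redirect or a DNS change between check and use would sidestep the allowlist.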

F-2024-6521 | IP Spoofing in Login History via X-Forwarded-For Header

The application's login history feature records IP addresses based on the X-Forwarded-For (XFF) header without proper validation. Attackers can manipulate this header to spoof their IP address in the login records. By spoofing their IP address, attackers can hide their true location, bypass IP-based security measures, and potentially evade detection. This undermines the reliability of security logs, making it difficult for users and administrators to identify suspicious activities or unauthorized access. It can also hinder incident response efforts by providing misleading information about the source of an attack.
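The root cause is trusting whatever appears in X-Forwarded-For; the reliable approach is to consult the header only when the TCP peer is a known proxy, and to walk it from the right, skipping trusted hops, so the client-supplied part of the header is never reached. The code below is an added example written for this report, not the application's code; the proxy ranges are constructed, and the naive function is included only to show the recorded value the finding describes.

```python
import ipaddress

# Constructed example: the reverse proxies / load balancers that sit in front of
# the application. Only these may legitimately append to X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, xff_header):
    """The pattern the finding describes: the first XFF entry is recorded,
    regardless of who wrote it, so a client can choose what the log says."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr


def client_ip_for_login_history(remote_addr, xff_header):
    """Address to record in login history.

    remote_addr is the TCP peer the server actually accepted; xff_header is the
    raw X-Forwarded-For value (or None). The header is only consulted when the
    peer is a trusted proxy, and it is walked right to left: each trusted hop is
    skipped and the first untrusted one is the client. Values the client itself
    placed in the header sit further left and are never reached.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        return str(peer)  # direct connection: the header is untrusted input
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: record the peer, not the junk
        if not _is_trusted_proxy(addr):
            return str(addr)
    return str(peer)  # every entry was one of our proxies
```

Whichever value is recorded, the raw header should be logged alongside it so that incident responders can see when a spoofing attempt was made.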

System Overview

The exchange platform provides two primary APIs:

Spot Trading API: Enables clients to perform spot trading operations, including market data retrieval, account management, and order execution.

USDT Swap Trading API: Allows clients to trade perpetual contracts settled in USDT, offering functionalities similar to the spot trading API but tailored for derivatives trading.

Assets Identification

  • User Data: Personal information, account balances, and transaction history.

  • Authentication Credentials: API keys, tokens, and secret keys used for accessing the APIs.

  • Financial Transactions: Order placements, cancellations, and trade executions.

  • Market Data: Real-time and historical price information.

Findings

Code | Title | Status | Severity
F-2024-6658 | KYC Integrity Issue: Verified User Information Can Be Changed Without Re-verification | fixed | High
F-2024-6657 | Server-Side Request Forgery (SSRF) | fixed | Medium
F-2024-6521 | IP Spoofing in Login History via X-Forwarded-For Header | fixed | Medium


Appendix 1. Severity Definitions

Severity

Description

Critical
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

Medium
These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low
These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following:

Assets in Scope

bapi.toobit.com
toobit scope

Disclaimer