With the amount of money and attention entering the burgeoning cryptocurrency market, it’s no surprise that crypto exchanges run a high risk of being hacked, especially since many cryptocurrency transactions are irreversible, which further raises the stakes.
Based on our experience of testing dozens of crypto exchanges, we have developed a methodology built on the OWASP Testing Guide and extended with checks tailored to the business logic of cryptocurrency exchanges. It takes into account the typical assets, functions and common vulnerabilities of this type of product.
Usually, the scope of work for a crypto exchange includes:
- Grey-box web application security assessment
- API security assessment
- Mobile security assessment (optional)
The objectives of the web assessment are:
- Perform application threat modeling
- Circumvent authentication and authorization mechanisms
- Escalate user privileges
- Hijack accounts belonging to other users
- Violate access controls placed by the administrator
- Alter data or data presentation
- Corrupt application and data integrity, functionality and performance
- Circumvent application business logic
- Circumvent application session management
- Break or analyze the use of cryptography within user-accessible components
- Check blockchain implementation vulnerabilities
A consultant will provide:
- a proof of vulnerability (PoV) and remediation recommendations
- a detailed gap report indicating business risks
This project is limited by the scope of this document. The following security tests shall be considered Out of Scope for this assessment:
- Internal networks assessment
- Application-level Denial of Service testing
- Physical penetration testing
- Social engineering testing
The following section describes the suggested approach which is based on the latest version of the OWASP Testing Guide, complemented by our own proprietary security testing process and internal experience.
Areas of assessment:
- Authentication: Consultant will evaluate the adequacy of the application’s authentication control mechanism as it processes the identity of individuals or entities.
- Authorization: Consultant will evaluate the efficacy of the application’s authorization control mechanism as it enforces which users may undertake which actions on which data through the application’s workflow.
- Session Management: Consultant will evaluate the adequacy of the application’s session management control mechanism as it traces the activities performed by authenticated application users.
- Data Validation: Consultant will evaluate the adequacy of the application’s input controls by subjecting the inputs it receives through its various interfaces and entry points to injection attacks.
- Business Logic Bypass: Consultant will determine whether it is possible to manipulate balances, trading actions, deposit/withdrawal functions, transactions (tampering), exchange-specific business logic, and KYC/AML processes.
- Other Tests: Consultant will assess the application based on other attacks, tampering methods, and manipulations commonly used by hackers.
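As an added illustration of the balance-manipulation checks above (it is not code from this methodology), the following constructed ledger shows the two defects the internal-transfer test later in the checklist looks for: an unlocked check-then-act window that concurrent requests can race into an overdraft, and float balances that stop adding up; beside it is the hardened form with integer minor units and a single critical section. Account names, amounts and the `delay` parameter are constructed for the demo.

```python
import threading
import time


class NaiveLedger:
    """Vulnerable: float balances and an unlocked check-then-act transfer (constructed demo)."""
    def __init__(self, balances):
        self.balances = dict(balances)           # account -> float

    def transfer(self, src, dst, amount, delay=0.0):
        if self.balances[src] >= amount:         # check ...
            time.sleep(delay)                    # ... window in which a parallel request also passes
            self.balances[src] -= amount         # ... act: no lock, float arithmetic
            self.balances[dst] += amount
            return True
        return False


class SafeLedger:
    """Hardened: integer minor units (e.g. satoshi) and one lock around check-and-debit."""
    def __init__(self, balances):
        self.balances = dict(balances)           # account -> int
        self._lock = threading.Lock()

    def transfer(self, src, dst, amount, delay=0.0):
        if not isinstance(amount, int) or amount <= 0:
            return False                         # reject fractional, zero and negative amounts
        with self._lock:                         # check and debit form one critical section
            if self.balances[src] < amount:
                return False
            time.sleep(delay)                    # same delay, but nobody else can enter meanwhile
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def race(ledger, src, dst, amount, workers=5, delay=0.2):
    """Fire `workers` concurrent transfers of the same amount; return (src, dst) balances after."""
    threads = [threading.Thread(target=ledger.transfer, args=(src, dst, amount, delay))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger.balances[src], ledger.balances[dst]


def drain(ledger, src, dst, amount, rounds=10):
    """Move `amount` from src to dst `rounds` times; return the src balance afterwards."""
    for _ in range(rounds):
        ledger.transfer(src, dst, amount)
    return ledger.balances[src]
```

With the naive ledger five parallel transfers of the whole balance all pass the check and leave the source negative, and ten transfers of 0.1 from 1.0 never reach exactly zero; the safe ledger lets exactly one transfer through and conserves the total.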
Usually, the Consultant is provided with 3 test accounts on a testing or production environment: 1 unverified user and 2 KYC-verified users with test balances.
If the exchange uses a non-standard set of roles, the customer must describe the access rights of each role and provide 2 test accounts per role.
Additionally, the admin panel can be in scope if requested; otherwise, the goal is limited to attempting to gain unauthorized access to it.
5.2 Typical Functions
- Password recovery
- Session management
- Upload documents
- Pass verification
- Change password
- Security Settings
- Multi-Factor Authentication (MFA) or 2 Factor Authentication (2FA)
- Withdrawal policy
- Place an order
- Cancel order
- Market overview
- Create API key
- Edit API key
- Authenticated interaction with API
- Non-exchange applications
- Third-party applications
5.3 Testing Workflow
- Conduct Search Engine Discovery and Reconnaissance for Information Leakage
- Fingerprint Web Server
- Review Webserver Metafiles for Information Leakage
- Enumerate Applications on Webserver
- Review Webpage Comments and Metadata for Information Leakage
- Identify application entry points
- Map execution paths through the application
- Fingerprint Web Application Framework
- Fingerprint Web Application
- Fingerprint Blockchain Applications
  - Blockchain Nodes
  - Smart Contracts
- Map Application Architecture
5.3.2 Testing Checklist
- Configuration and Deploy Management Testing
  - Test Network/Infrastructure Configuration
  - Test Application Platform Configuration
  - Test File Extensions Handling for Sensitive Information
  - Review Old, Backup and Unreferenced Files for Sensitive Information
  - Enumerate Infrastructure and Application Admin Interfaces
  - Test HTTP Methods
  - Test HTTP Strict Transport Security
  - Test HTTP Verb Tampering
  - Test RIA Cross-Domain Policy
  - Test File Permissions
  - Test SSL/TLS
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Data Validation Testing
  - Testing for Reflected Cross-Site Scripting
  - Testing for Stored Cross-Site Scripting
  - Testing for HTTP Parameter Pollution
  - Testing for SQL Injection
  - Testing for XML Injection
  - Testing for SSI Injection
  - Testing for XPath Injection
  - Testing for IMAP/SMTP Injection
  - Testing for Code Injection
  - Testing for Command Injection
  - Testing for Incubated Vulnerabilities
  - Testing for HTTP Splitting/Smuggling
  - Test Upload of Unexpected File Types
  - Test Upload of Malicious Files
  - Test for Sensitive Data Exposed in Query Parameters
- Client-Side Testing
- Error Handling
- Business Logic Testing
- Exchange-Specific Functionality Testing
  - Test User Input for XSS and Template Injection
    This check is exchange-specific because most exchanges implement admin panel functionality for managing client accounts (including verification). Account verification fields and all other user-supplied parameters are rendered to administrators and should therefore be tested for blind XSS.
  - Test Transfer of Funds Between Internal Accounts for Race Conditions and Rounding Errors
  - Test the Deposit Function for Blockchain Implementation Vulnerabilities (where applicable)
    - Race attack and other Time-of-Check versus Time-of-Use attacks
    - Alternative history attack
    - Finney attack
    - Omni protocol validity attack (USDT)
    - Partial Payments (XRP)
    - False Top-Up Attack (EOS)
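Of the deposit checks above, the XRP partial-payment case is the one most often mishandled: a Payment carrying the tfPartialPayment flag may deliver far less than its Amount field, so a deposit handler must credit only meta.delivered_amount. The function below is an added example of that defensive validation (not code from this methodology or from rippled); the exchange address is a placeholder and the three transactions are constructed samples modelled on the shape of rippled's `tx` response.

```python
TF_PARTIAL_PAYMENT = 0x00020000   # tfPartialPayment flag bit on an XRP Ledger Payment


def credit_for_xrp_payment(tx, exchange_address, required_tag=None):
    """Return (drops_to_credit, reason) for one transaction in rippled `tx` response shape.

    Credits come ONLY from meta.delivered_amount. For a partial payment the Amount
    field is merely the requested maximum, so a handler that reads Amount credits
    far more than actually arrived. (Constructed example, not the methodology's code.)
    """
    meta = tx.get("meta", {})
    if not tx.get("validated"):
        return 0, "not in a validated ledger"
    if tx.get("TransactionType") != "Payment":
        return 0, "not a Payment"
    if meta.get("TransactionResult") != "tesSUCCESS":
        return 0, "failed: %s" % meta.get("TransactionResult")
    if tx.get("Destination") != exchange_address:
        return 0, "not addressed to the exchange"
    if required_tag is not None and tx.get("DestinationTag") != required_tag:
        return 0, "missing or wrong DestinationTag"
    delivered = meta.get("delivered_amount")
    if not isinstance(delivered, str) or not delivered.isdigit():
        # "unavailable" (very old ledgers) or an issued-currency object: never guess, do not credit
        return 0, "delivered_amount unusable"
    kind = "partial payment" if tx.get("Flags", 0) & TF_PARTIAL_PAYMENT else "full payment"
    return int(delivered), kind


EXCHANGE = "rEXCHANGEaddressPLACEHOLDERxxxxxxxx"   # placeholder, not a real address

# Constructed samples: 1000 XRP requested but only 1000 drops delivered; a normal 5 XRP
# payment; and a failed payment that must never be credited.
PARTIAL_TX = {"TransactionType": "Payment", "Destination": EXCHANGE, "DestinationTag": 7,
              "Amount": "1000000000", "Flags": 131072, "validated": True,
              "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000"}}
FULL_TX = {"TransactionType": "Payment", "Destination": EXCHANGE, "DestinationTag": 7,
           "Amount": "5000000", "Flags": 0, "validated": True,
           "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "5000000"}}
FAILED_TX = {"TransactionType": "Payment", "Destination": EXCHANGE, "DestinationTag": 7,
             "Amount": "5000000", "Flags": 0, "validated": True,
             "meta": {"TransactionResult": "tecPATH_PARTIAL"}}
```

A handler that credited `PARTIAL_TX["Amount"]` would book 1000 XRP for a deposit that delivered 0.001 XRP; the function credits 1000 drops and labels it a partial payment.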
5.4 Test Mapping
- Configuration and Deploy Management Testing
- Identity Management Testing
- Session Management Testing
- Data Validation Testing
- Business Logic Testing
- Exchange-Specific Functionality Testing
The suggested methodology is a condensed version of the OWASP Testing Guide, limited to the checks most likely to uncover high-risk issues at crypto exchanges. It is complemented by proprietary security testing processes and by our experience from penetration tests of, and bug bounty programs for, crypto exchanges.
This version is a first draft and will undergo peer review by security auditors and cryptocurrency exchange developers. Once reviewed, it will be published as a public methodology.