Cryptocurrency Exchange Security Assessment Methodology


About

With the amount of money and attention entering the burgeoning cryptocurrency market, it’s no surprise that crypto exchanges run a high risk of being hacked, especially since many cryptocurrency transactions are irreversible, which raises the stakes further.
Based on our experience of testing dozens of crypto exchanges, we’ve developed a methodology derived from the OWASP Testing Guide and extended with customized checks for the business logic of cryptocurrency exchanges. It takes into account the typical assets, functions and common vulnerabilities of this type of product.

1. Scope

Usually, the scope of work for a crypto exchange includes:

  • Grey-box web application security assessment
  • API security assessment
  • Mobile security assessment (optional)

2. Objectives

The objectives of the web assessment are:

  • Perform application threat modeling
  • Circumvent authentication and authorization mechanisms
  • Escalate user privileges
  • Hijack accounts belonging to other users
  • Violate access controls placed by the administrator
  • Alter data or data presentation
  • Corrupt application and data integrity, functionality and performance 
  • Circumvent application business logic
  • Circumvent application session management
  • Break or analyze the use of cryptography within user-accessible components
  • Check blockchain implementation vulnerabilities

3. Deliverables

A consultant will provide: 

  • a proof of vulnerability (PoV) and remediation recommendations 
  • a detailed gap report indicating business risks

4. Limitations

This project is limited by the scope of this document. The following security tests shall be considered Out of Scope for this assessment:

  • Internal networks assessment
  • Application-level Denial of Service testing
  • Physical penetration testing
  • Social engineering testing

5. Methodology

The following section describes the suggested approach, which is based on the latest version of the OWASP Testing Guide, complemented by our own proprietary security testing process and internal experience.

Areas for assessment:

  • Authentication: the Consultant will evaluate the adequacy of the application’s authentication control mechanism as it processes the identity of individuals or entities.
  • Authorization: the Consultant will evaluate the efficacy of the application’s authorization control mechanism as it enforces which users may undertake which actions on which data through the application’s workflow.
  • Session Management: the Consultant will evaluate the adequacy of the application’s session management control mechanism as it traces the activities performed by authenticated application users.
  • Data Validation: the Consultant will evaluate the adequacy of the application’s input controls as the application processes inputs received from different interfaces and entry points, using various injection attacks.
  • Business Logic Bypass: the Consultant will determine whether balances, trading actions, deposit/withdrawal functions, transactions (tampering), exchange-specific business logic, and KYC/AML processes can be manipulated.
  • Other Tests: the Consultant will assess the application against other attacks, tampering methods and manipulations commonly used by attackers.

5.1 Pre-Requirements

Usually, the Consultant is provided with 3 test accounts on a testing or production environment: 1 unverified user and 2 KYC-verified users with test balances.

If the exchange has a distinct set of roles, the customer must describe the access rights of each role and provide 2 test accounts per role.

Additionally, the admin panel can be in scope if requested; otherwise, the goal is limited to attempting to gain unauthorized access to it.

5.2 Typical Functions

  1. Authentication
    1. Registration
    2. Login
    3. Password recovery
    4. Session management
  2. Verification
    1. Upload documents
    2. Pass verification
  3. Account 
    1. Registration
    2. Edit
    3. Change password
    4. Delete
  4. Security Settings
    1. Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA)
    2. Withdrawal policy
  5. Wallet
    1. Deposit
    2. Withdraw
    3. Transfer
  6. Trading
    1. Place an order
    2. Cancel order
    3. Market overview
  7. API
    1. Create API key
    2. Edit API key
    3. Authenticated interaction with API
  8. Other
    1. Non-exchange applications
    2. Third-party applications

5.3 Testing Workflow

5.3.1 Reconnaissance

  1. Conduct Search Engine Discovery and Reconnaissance for Information Leakage
  2. Fingerprint Web Server
  3. Review Webserver Metafiles for Information Leakage
  4. Enumerate Applications on Webserver
  5. Review Webpage Comments and Metadata for Information Leakage
  6. Identify application entry points
  7. Map execution paths through the application
  8. Fingerprint Web Application Framework
  9. Fingerprint Web Application
  10. Fingerprint Blockchain Applications
    1. Blockchain Nodes
    2. Smart Contracts
    3. dApps
  11. Map Application Architecture

5.3.2 Testing Checklist

  1. Configuration and Deploy Management Testing
    1. Test Network/Infrastructure Configuration
    2. Test Application Platform Configuration
    3. Test File Extensions Handling for Sensitive Information
    4. Review Old, Backup and Unreferenced Files for Sensitive Information
    5. Enumerate Infrastructure and Application Admin Interfaces
    6. Test HTTP Methods
    7. Test HTTP Strict Transport Security
    8. Test HTTP Verb Tampering
    9. Test RIA cross-domain policy
    10. Test File Permission
    11. Test SSL/TLS 
  2. Identity Management Testing
    1. Test Role Definitions
    2. Test User Registration Process
    3. Test Account Provisioning Process
    4. Test Account Suspension/Resumption Process
    5. Test Password Reset Process
  3. Authentication Testing
    1. Testing for default credentials
    2. Testing for bypassing authentication schema
    3. Testing for Weak password policy
    4. Testing for Weak password change or reset functionalities
    5. Testing for Weaker authentication in alternative channel
    6. Testing Multi-Factor Authentication
  4. Authorization Testing 
    1. Testing Directory traversal/file include
    2. Testing for Bypassing authorization schema
    3. Testing for Privilege Escalation
    4. Testing for Insecure Direct Object References
  5. Session Management Testing
    1. Testing for Bypassing Session Management Schema
    2. Testing for Cross-Site Request Forgery
    3. Testing for Session Fixation and Rotation
  6. Data Validation Testing
    1. Testing for Reflected Cross-Site Scripting
    2. Testing for Stored Cross-Site Scripting
    3. Testing for HTTP Parameter pollution
    4. Testing for SQL Injection
    5. Testing for XML Injection
    6. Testing for SSI Injection
    7. Testing for XPath Injection
    8. IMAP/SMTP Injection
    9. Testing for Code Injection
    10. Testing for Command Injection
    11. Testing for incubated vulnerabilities
    12. Testing for HTTP Splitting/Smuggling
    13. Test Upload of Unexpected File Types
    14. Test Upload of Malicious Files
    15. Test for Sensitive Data Exposed in Query Parameters
  7. Client-Side Testing
    1. Testing for DOM-based Cross-Site Scripting
    2. Test Cross-Origin Resource Sharing
    3. Testing for Cross-Site Flashing
    4. Testing for Clickjacking
    5. Testing WebSockets
    6. Test Web Messaging
    7. Test Local Storage
  8. Error Handling
    1. Analysis of Error Codes
    2. Analysis of Stack Traces
    3. Analysis of Logs
  9. Business Logic Testing
    1. Test Business Logic Data Validation
    2. Test Ability to Forge Requests
    3. Test Integrity Checks
    4. Test for Process Timing
    5. Test Number of Times a Function Can be Used Limits
    6. Testing for the Circumvention of Work Flows
    7. Test Defenses Against Application Mis-use
  10. Exchange-Specific Functionality Testing
    1. Test User Input for XSS and Template Injection

This check is exchange-specific because most exchanges implement admin panel functionality for managing client accounts (including verification); therefore the account verification fields and all other parameters should also be tested for blind XSS.

    2. Test transfer of funds between internal accounts for race conditions and rounding errors
    3. Test the deposit function for blockchain implementation vulnerabilities (where applicable)
      1. Race attack and other time-of-check/time-of-use (TOCTOU) attacks
      2. BTC
        1. Alternative history attack
        2. Finney attack
        3. Vector76
      3. ETH
        1. ERC20 short address attack
        2. ERC20 approve front-running attack
        3. Known smart contract attacks
      4. Omni protocol validity attack (USDT)
      5. Partial payments (XRP)
      6. False top-up attack (EOS)
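
The internal-transfer check above (race conditions and rounding errors) in working code, as an added example that is not part of the methodology: a check-then-act ledger with per-leg rounding beside a hardened one that keeps integer minor units and performs the balance check and debit under one lock. Account names, balances and the half-satoshi amount are constructed; `threading.Lock` stands in for the database row lock or conditional UPDATE a real exchange would use, and the race is shown as an explicit interleaving so the result is deterministic.

```python
import threading
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
SATOSHI = Decimal("0.00000001")  # smallest unit the asset supports

class UnsafeLedger:  # anti-pattern: check-then-act with no lock; debit and credit rounded differently
    def __init__(self, balances):  # constructed sample data: {account: amount as string}
        self.bal = {k: Decimal(v) for k, v in balances.items()}
    def check(self, src, amount):  # time of check: validate and return a balance snapshot
        if self.bal[src] < amount:
            raise ValueError("insufficient funds")
        return self.bal[src]
    def apply(self, src, dst, amount, snapshot):  # time of use: write from the stale snapshot
        self.bal[src] = snapshot - amount.quantize(SATOSHI, ROUND_DOWN)  # debit truncates
        self.bal[dst] += amount.quantize(SATOSHI, ROUND_HALF_UP)        # credit rounds up

class SafeLedger:  # hardened: integer minor units, exact amounts only, check and debit under one lock
    def __init__(self, balances):
        self.bal = {k: int(Decimal(v) / SATOSHI) for k, v in balances.items()}
        self._lock = threading.Lock()  # stands in for a DB row lock or a conditional UPDATE
    def transfer(self, src, dst, amount):
        units = Decimal(amount) / SATOSHI
        if units <= 0 or units != units.to_integral_value():
            raise ValueError("amount must be a positive whole number of minor units")
        with self._lock:  # no window between the balance check and the debit
            if self.bal[src] < int(units):
                raise ValueError("insufficient funds")
            self.bal[src] -= int(units)
            self.bal[dst] += int(units)

def demo_race():  # two full-balance requests both pass the check before either is applied
    led, one = UnsafeLedger({"alice": "1", "bob": "0", "carol": "0"}), Decimal("1")
    snap1, snap2 = led.check("alice", one), led.check("alice", one)
    led.apply("alice", "bob", one, snap1)
    led.apply("alice", "carol", one, snap2)  # 1 BTC has become 2
    return {k: int(v / SATOSHI) for k, v in led.bal.items()}

def demo_rounding():  # 100 half-satoshi transfers: sender debited 0, receiver credited 1 satoshi each
    led, half = UnsafeLedger({"alice": "1", "bob": "0"}), Decimal("0.000000005")
    for _ in range(100):
        led.apply("alice", "bob", half, led.check("alice", half))
    return {k: int(v / SATOSHI) for k, v in led.bal.items()}

def demo_safe():  # same requests on the hardened ledger: the repeat and the sub-unit amount are refused
    led, out = SafeLedger({"alice": "1", "bob": "0"}), []
    for amt in ("1", "1", "0.000000005"):
        try:
            led.transfer("alice", "bob", amt)
            out.append("ok")
        except ValueError as err:
            out.append(str(err))
    return led.bal, out
```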

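The deposit checks above from the defender’s side, as an added example that is not the methodology’s code: a chain deposit is credited only after a per-asset confirmation depth (which closes the 0-confirmation and shallow-reorg windows the BTC attacks rely on), an Omni/USDT deposit additionally requires the Omni layer’s validity flag, and an XRP deposit is credited from the metadata’s `delivered_amount` rather than the `Amount` field that a partial payment need not deliver. The confirmation thresholds, record layouts and state names are constructed; `tfPartialPayment` (0x00020000), `tesSUCCESS` and `delivered_amount` are real XRPL values.

```python
# Deposit-crediting rules for the deposit checks above. Added example; policy values,
# record layouts and state names are constructed, not taken from any exchange.
MIN_CONFIRMATIONS = {"BTC": 6, "ETH": 12}   # constructed per-asset depth before a deposit is credited
TF_PARTIAL_PAYMENT = 0x00020000             # XRPL tfPartialPayment flag bit

def credit_chain_deposit(tx):
    """BTC/ETH-style deposit: credit only once it is buried under enough blocks.
    0-conf acceptance (race, Finney) and shallow reorgs (Vector76, alternative history) stay pending."""
    if tx["confirmations"] < MIN_CONFIRMATIONS[tx["asset"]]:
        return ("pending", 0)
    return ("credited", tx["amount_minor"])     # integer minor units (satoshi / wei), never floats

def credit_omni_deposit(tx):
    """Omni/USDT: a confirmed Bitcoin transaction is not enough; the Omni layer must mark it valid."""
    if tx["confirmations"] < MIN_CONFIRMATIONS["BTC"]:
        return ("pending", 0)
    if tx.get("valid") is not True:             # Omni payload invalid although the BTC tx confirmed
        return ("rejected", 0)
    return ("credited", tx["amount_minor"])

def credit_xrp_deposit(tx, meta):
    """XRP: credit meta['delivered_amount'] (drops); tx['Amount'] is only what the sender asked for,
    and with tfPartialPayment set the ledger may deliver far less than that."""
    if meta.get("TransactionResult") != "tesSUCCESS":
        return ("rejected", 0)
    delivered = meta.get("delivered_amount")
    if delivered is None or delivered == "unavailable":
        return ("manual_review", 0)              # no trustworthy delivered value: never fall back to Amount
    state = "credited_partial" if tx["Flags"] & TF_PARTIAL_PAYMENT else "credited"
    return (state, int(delivered))              # drops (1 XRP = 1,000,000 drops)

def run_samples():
    """Constructed sample deposits, one per rule."""
    return {
        "btc_zero_conf": credit_chain_deposit({"asset": "BTC", "amount_minor": 250_000, "confirmations": 0}),
        "btc_confirmed": credit_chain_deposit({"asset": "BTC", "amount_minor": 250_000, "confirmations": 6}),
        "omni_invalid": credit_omni_deposit({"confirmations": 8, "valid": False, "amount_minor": 10_000_000}),
        "xrp_partial": credit_xrp_deposit({"Amount": "1000000000", "Flags": TF_PARTIAL_PAYMENT},
                                          {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000"}),
        "xrp_full": credit_xrp_deposit({"Amount": "1000000000", "Flags": 0},
                                       {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000000000"}),
    }
```
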
5.4 Test Mapping

All typical functions should be tested by the following methods:

Functions (table columns): Authentication, Verification, Account, Security Settings, Wallet, Trading, API, Other

Test methods (table rows):

  • Configuration and Deploy Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Data Validation Testing
  • Client-Side Testing
  • Error Handling
  • Business Logic Testing
  • Exchange-Specific Functionality Testing

Summary

The suggested methodology is a condensed version of the OWASP Testing Guide’s most valuable checks, those that can lead to high-risk issues at crypto exchanges. It is complemented by proprietary security testing processes and by our experience from penetration tests and from performing and participating in bug bounty programs for crypto exchanges.

This version is a first draft and will undergo peer review by security auditors and cryptocurrency exchange developers. Once reviewed, this document will become a public methodology.
