
Web3 Application Penetration Testing

Blockchain is a powerful foundation for an ecosystem of new technologies, but it does not exist in a vacuum. Blockchain protocols are leveraged within additional software infrastructure that performs functions such as providing a user interface to the blockchain protocol, digital asset use/retrieval, the creation of fiat exchange markets, providing financial investment instruments, and other activities which require off-chain data or system interactions. This means that blockchain and cryptocurrency project security typically involves a significant amount of traditional application security testing to discover vulnerabilities before they are exploited by malicious actors.

In the recent past, Web 2.0 infrastructure supporting cryptocurrency and blockchain applications has been exploited to give attackers watering-hole style phishing attacks[1][2], to manipulate the perceived price of digital assets through Web 2.0-based marketplaces[3], and to attack cryptocurrency exchange trading functions[4]. These attacks prove that traditional architecture plays an important role in the use and user experience of blockchain and cryptocurrency technologies. By receiving application penetration testing for the elements of your blockchain project that utilize traditional application infrastructure, you can mitigate these vulnerabilities before they are exploited by bad actors.

Components Tested

  • Mobile applications
  • Web applications
  • Connections to blockchain mechanisms (e.g., wallets, nodes)
  • Web-based Application Programming Interfaces (APIs)
  • Application servers which utilize or interact with the blockchain

Common Vulnerabilities

The majority of blockchain applications are based on Web 2.0 platforms or mechanisms and are therefore affected by vulnerabilities common to Web 2.0. For additional details, including further technical information for most of the vulnerabilities below, CrossCountry recommends reviewing the materials within the Open Web Application Security Project (OWASP) Top Ten report, available here: https://owasp.org/www-project-top-ten/

Insufficient or Improper Access Control

Data may not be properly protected by application programming interfaces (APIs). Typically, this issue arises in systems which have complex or custom role-based or ownership-based access control models. If exploited, vulnerabilities in this class allow attackers to gain access to protected/confidential information from within the affected application.
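The ownership-based access control failure described above, shown as an added example in Python (not code from the original page or from CrossCountry): an API-style "get document" handler that resolves a record by id alone, beside one that enforces ownership on the server side. The `DOCUMENTS` store, the user ids and the `admins` parameter are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample store: user 1 and user 2 each own one private document.
DOCUMENTS = {
    101: Document(doc_id=101, owner_id=1, body="user 1 private notes"),
    102: Document(doc_id=102, owner_id=2, body="user 2 private notes"),
}


def get_document_vulnerable(caller_id: int, doc_id: int) -> Optional[Document]:
    # Looks the record up by id alone. The caller is authenticated but is
    # never compared with the record's owner, so any logged-in user can read
    # any document whose id they can enumerate.
    return DOCUMENTS.get(doc_id)


def get_document_secure(caller_id: int, doc_id: int,
                        admins: FrozenSet[int] = frozenset()) -> Optional[Document]:
    # Resolve the record, then enforce ownership (or an explicit admin role)
    # before returning anything. The check lives next to the data access so
    # every code path that reaches the record goes through it.
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return None
    if doc.owner_id != caller_id and caller_id not in admins:
        # Deny with the same result as "not found" so the response does not
        # confirm which ids exist.
        return None
    return doc
```

In a test, the vulnerable handler happily returns user 2's document to user 1, while the secure handler returns `None` for the same request and only honours a caller listed in `admins`.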

Cryptographic Failures

Cryptographic operations in an application which are missing, misused, or misconfigured while attempting to protect sensitive material are classified as cryptographic failures. An example of a cryptographic failure might be the use of a string-encoding algorithm instead of an encryption algorithm to store sensitive user data, or the use of encryption to store passwords rather than a hashing algorithm. When these vulnerabilities are present in a system, they typically increase the amount and severity of any damage done using other kinds of exploitable vulnerabilities, since data which is supposed to be secret will be available to attackers.
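The first failure named above (encoding mistaken for protection) next to the correct treatment of passwords, as an added Python example that is not part of the original page: a base64 "stored" password is recovered with one decode, whereas a salted PBKDF2-HMAC-SHA256 hash can only be verified, not reversed. The storage format string (`pbkdf2_sha256$iterations$salt$digest`) is an assumption made for the example.

```python
import base64
import hashlib
import hmac
import os


def store_password_encoded(password: str) -> str:
    # Encoding, not encryption: there is no key, so anyone holding the stored
    # value recovers the password with a single decode.
    return base64.b64encode(password.encode()).decode()


def recover_encoded(stored: str) -> str:
    # Demonstrates the failure: the "protected" value is trivially reversible.
    return base64.b64decode(stored).decode()


def hash_password(password: str, iterations: int = 600_000) -> str:
    # Random per-user salt plus a deliberately slow key derivation. The
    # result cannot be turned back into the password; it can only be checked.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and iteration count and compare in
    # constant time so the comparison itself leaks nothing.
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Because the salt is random, hashing the same password twice produces two different stored values, which is what defeats precomputed lookups against a leaked table; a leaked base64 column, by contrast, is the password list itself.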

Injection

Injection security issues occur when attackers can insert unauthorized code into an application. This vulnerability is found in web application user interfaces (Cross Site Scripting), back-end routines/API calls which interact with the database (SQL injection), or in serialization/deserialization code used to store or export data (object injection). Exploitation of this type of vulnerability typically causes significant impacts to user and data security.

Security Misconfiguration

Vulnerabilities in this class tend to affect projects which utilize many software packages, such as frameworks and/or services, together. The increased complexity of these projects makes it easier to ship default configurations which have security vulnerabilities, or to misconfigure a service in a way that exposes it to a security flaw. While the impact of exploiting these vulnerabilities ranges from low to critical, they are typically easier to discover and prevent as part of secure developer operations or within an application security test.

Vulnerable and Outdated Software Components

Vulnerable or outdated software components typically arise in large, multi-software projects which are complex to build or deploy. Complex software products usually contain a significant number of software components which must be monitored and updated without affecting application design or uptime. If an enterprise is unable to successfully update all software packages, then vulnerabilities which allow attackers to exploit underlying software packages may be included in the final product.

Insufficient Identification and Authentication Protections

Applications that do not provide protections against online brute force attacks or credential stuffing, or which have authentication bypass vulnerabilities, suffer from this category of vulnerability. Typically, authentication bypass vulnerabilities are exploited by skilled attackers, whereas low-sophistication actors will attempt to leverage third-party breaches to perform credential stuffing or brute force attacks.
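One of the protections the paragraph says is missing, shown as an added Python example that is not part of the original page: per-account failed-attempt counting with a temporary lockout, which blunts online brute force and credential stuffing against a single account. The `LoginThrottle` class, `ManualClock` and the thresholds are assumptions made for the example, and the plaintext credential dictionary stands in for a real credential verifier.

```python
import hmac
import time
from collections import defaultdict
from typing import Callable, Dict


class ManualClock:
    """Constructed clock so the lockout window can be tested deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Counts failed logins per account and refuses attempts while locked."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear the counter and let the attempt through.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> None:
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, credentials: Dict[str, str],
                  account: str, password: str) -> str:
    # Check the lockout before touching the credential store, so a locked
    # account costs the attacker nothing but also reveals nothing.
    if throttle.is_locked(account):
        return "locked"
    expected = credentials.get(account, "")
    if account in credentials and hmac.compare_digest(expected, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```

A production deployment would persist the counters outside the process, add an IP- or device-level limit alongside the per-account one (credential stuffing spreads attempts across many accounts), and log each lockout as a detection signal.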

Business Logic Failures

Business logic failures occur when the logic of the application fails to consider edge cases in input or operations which can be abused to favor the attacker in some manner. A common example of this vulnerability is an application which issues a credit to an account after an attacker modifies the value of an item in their cart to a negative number.
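The negative-cart example above, as an added Python example that is not from the original page: a checkout total that trusts client-supplied quantity and price, beside one that takes prices from a server-side catalogue and rejects non-positive quantities and totals. The `CATALOG` entries, the cart dictionary shape and `InvalidOrder` are constructed for the illustration.

```python
from decimal import Decimal
from typing import Dict, List, Tuple


class InvalidOrder(ValueError):
    """Raised when a cart fails server-side validation."""


# Constructed catalogue: the only place a price may come from.
CATALOG: Dict[str, Decimal] = {
    "sku-1": Decimal("25.00"),
    "sku-2": Decimal("10.00"),
}


def total_vulnerable(cart: List[dict]) -> Decimal:
    # Uses whatever quantity and price the request carries. A negative
    # quantity or price yields a negative total, which a downstream step
    # would record as a credit to the account.
    return sum(
        (Decimal(str(item["price"])) * item["qty"] for item in cart),
        Decimal("0"),
    )


def total_secure(cart: List[dict]) -> Decimal:
    total = Decimal("0")
    for item in cart:
        sku = item.get("sku")
        qty = item.get("qty")
        if sku not in CATALOG:
            raise InvalidOrder(f"unknown sku {sku!r}")
        # Quantity must be a positive integer. bool is excluded explicitly
        # because it is an int subclass and True would otherwise count as 1.
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            raise InvalidOrder(f"invalid quantity {qty!r} for {sku}")
        # Any "price" field in the request is ignored; the catalogue decides.
        total += CATALOG[sku] * qty
    # Defence in depth: even if an individual check is bypassed, a
    # non-positive total is never accepted as an order.
    if total <= 0:
        raise InvalidOrder("order total must be positive")
    return total


def check_order(cart: List[dict]) -> Tuple[bool, str]:
    # Convenience wrapper returning (accepted, total-or-reason).
    try:
        return True, str(total_secure(cart))
    except InvalidOrder as exc:
        return False, str(exc)
```

The same shape of check applies to any value a client can edit in transit: recompute it from data the server owns, constrain its type and range, and validate the aggregate result as well as each field.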