Revenge of the Geeks: Hacking Fantasy Sports Sites
In this talk, I’ll show how all my IT security geek friends in the LASCON community can win the Super Bowl! I’ll walk through the anatomy of a hack against popular Fantasy Football and Baseball mobile applications, showing every “sneak play” required to control the application. The tools and techniques used in this hack can be applied against any mobile application. These applications use newer formats like JSON and REST to deliver a rich user experience and, not surprisingly, expose the same familiar vulnerabilities such as SQL and command injection, yet they are not being effectively tested.
In this particular application, mistakes in the application’s session management enabled me to break down the nested communication formats and finally inject targeted payloads to manipulate both team lineups, making sure my players were on top and causing my opponents to lose. I also found that I could post false comments on the message board from the victim’s account.
After we walk through the sack, I mean hack, we’ll abstract these techniques, tie them directly to best practices, and apply them to other mobile applications so participants will walk away with specific tools and techniques to better understand mobile back-end hacking. Are you ready for some football?
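To make the two failure modes the abstract names concrete (a team identity taken from the request instead of the session, and a nested JSON payload concatenated into SQL), here is an added example that is not part of the talk or of any real fantasy-sports application: a hypothetical lineup-update endpoint, written once with both mistakes and once hardened, against an in-memory SQLite table with constructed sample data.

```python
import json
import sqlite3


def build_db():
    """Constructed sample data: two teams, one starter and one bench player each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE lineups (team TEXT, player TEXT, starter INTEGER)")
    db.executemany("INSERT INTO lineups VALUES (?, ?, ?)", [
        ("geeks", "QB1", 1), ("geeks", "QB2", 0),
        ("rivals", "RB1", 1), ("rivals", "RB2", 0),
    ])
    return db


def make_body(team, player, starter):
    """Hypothetical nested wire format: a JSON document whose 'payload'
    field is itself a JSON string, as many mobile back ends do."""
    return json.dumps({"payload": json.dumps(
        {"team": team, "player": player, "starter": starter})})


def unwrap(body):
    """Decode the outer document, then the JSON string nested inside it."""
    return json.loads(json.loads(body)["payload"])


def update_lineup_vulnerable(db, session_team, body):
    """Two bugs: trusts the team named in the payload (not the session),
    and builds SQL by string concatenation, so quotes in 'player' break out."""
    req = unwrap(body)
    sql = "UPDATE lineups SET starter=%d WHERE team='%s' AND player='%s'" % (
        int(req["starter"]), req["team"], req["player"])
    db.execute(sql)


def update_lineup_hardened(db, session_team, body):
    """Fixed: team comes from the authenticated session, values are bound
    as parameters, and 'starter' is normalised to 0/1."""
    req = unwrap(body)
    db.execute("UPDATE lineups SET starter=? WHERE team=? AND player=?",
               (1 if req["starter"] else 0, session_team, req["player"]))


def starters(db, team):
    """Current starting players for a team, sorted for stable comparison."""
    rows = db.execute(
        "SELECT player FROM lineups WHERE team=? AND starter=1", (team,))
    return sorted(r[0] for r in rows)
```

With the vulnerable handler, a payload whose player name closes the quote and appends a tautology benches every player of every team; the hardened handler, bound to the caller's own session team and using parameters, leaves the opponent's lineup untouched.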
Speaker: Dan Kuykendall, co-CEO and CTO, NT OBJECTives
Biography: Dan Kuykendall manages NT OBJECTives’ software development and handles NTO’s relationships with several partner companies. He has an extensive background in web application development and security. As part of the founding team, Dan has been involved in the methodologies and design of NTO’s flagship product since its inception. Dan joins NT OBJECTives from Foundstone, where he was responsible for the portal interface to the company’s...