Oyasumi no Blog

The Adversarial Mindset: Hand Dryers and Pokémon Cards

Introduction

I got in trouble a lot at school, mostly for talking to people, but one time sticks out to me in particular. I was probably in 4th or 5th grade when I walked into the bathroom to find a group of younger kids trying to stick a Pokémon card into the hand dryer. I didn't know why they were doing it and didn't really care, but my first thought was "I could probably do it," so I did, and went about my day. Later on I got called to the principal's office, because they told on me as soon as they were asked about it. I had to get it unstuck (which took just as little time as getting it stuck), and to this day it remains a great example of the "adversarial mindset". I'm going to go over this example and how its principles can be applied to hacking, among other things.

The Hand Dryer

The hand dryer was a simple enough device: a big box on the wall with a single horizontal slit at the bottom. You put your hands under it, the air comes out, and it dries your hands. Most people look at hand dryers, and everything else, and think "How do I use this?"; they figure out how to use it as intended and go on about their day. This brings us to the first step of the adversarial mindset: instead of thinking about how to use it, you think about how to break it. Thinking back to the design of the hand dryer, it has only one opening, and we can think of this as an "attack vector". Now, with more years of experience, I can think of another attack vector, the sensor, and this is how you have to think about anything you're trying to exploit: you start by mapping out all the functionality and choose which parts can become attack vectors. In this scenario the younger kids had already given me what I refer to as a lead. A lead is anything that makes you go "Interesting!" when it happens; on a website this might look like a weird response from an endpoint or an unexpected output from a search box, anything that piques your interest. In my case, it was the fact that the Pokémon card could fit into the air hole. Once you have a lead, your goal becomes exploiting this unexpected behavior.

On a website, this might look like fuzzing for different responses, or even just messing around with the already interesting response to see how far you can take it. In this case, the limiting factor was how far the Pokémon card could go into the machine. The younger kids had failed because they were taking what could be seen as a brute force approach, trying to shove the card up as far as possible, but it wouldn't stay, so I had to come up with an approach to get the card stuck. This is when you carefully analyze your attack vector to notice things that the average user wouldn't think about. In my case I noticed that the opening was wider than the Pokémon card, and the inside of the machine was even wider than the entry hole, meaning the easiest way to get the card stuck would be to make the card wider than the entry hole after it had been inserted.

The Pokémon card

You may be able to tell where this is going already, but I'll continue to break it down just to be thorough. Next, we need to consider the properties of the Pokémon card. We've established that it's thin enough to fit into the entry but too long to be inserted all the way (teehee); it's also made of paper, so its shape can be changed. When we consider all of these factors our path becomes glaringly clear: we need to modify the shape of the Pokémon card to fit our needs. If you've ever folded cardboard you'll have noticed that after it's folded it will try to return to its original shape, meaning if we can compress the Pokémon card to fit inside the opening it should expand back out, so if we can compress it enough to fit all the way past the entry the rest should take care of itself. So I folded the card up and stuck it in, and of course, because the card expands, it got stuck right past the entrance and stayed lodged there. Relating the Pokémon card to a real-world scenario, the Pokémon card acts as your payload. A payload can be anything from an HTTP request to an input in an information field; you have to analyze the attributes of your payload in its current form and see how you can modify it to fit your needs.

Now the exploit has been thoroughly explained, but there are still a few more things we can look at here, the main one being how I knew how small the card needed to be to fit all the way in. If you remember, the card would stop at a certain point when it wasn't folded; this is a vital piece of information because it tells us exactly how big the entrance is. This is an example of the mindset you should take when hacking: carefully analyze behaviors and figure out what they mean in the context of the target. The more information you have, the closer you will be to crafting an effective exploit.

Bonus Round!

Since we're thinking in an adversarial mindset already, let's take it a step further. What I did wasn't very malicious, just kind of inconvenient at best, but let's say I was a really horrible kid and wanted to take it further; we can analyze our target a bit more and do something called "chaining" the vulnerabilities. We already got the card stuck, and if you think about the properties of the hand dryer and the Pokémon card you'll quickly realize that the hand dryer (which is blowing out hot air) is a source of heat and the Pokémon card is flammable. Since the dryer isn't constantly blowing, the risk of the Pokémon card becoming hot enough to catch fire is pretty low, but if you remember, in the previous section I mentioned another attack vector, the sensor. So if I were to find a way to keep the sensor activated constantly, the exploit I found goes from a simple annoyance to full-blown arson. It's the same way in web applications: a self-XSS is generally a low-severity bug, but if you find a CSRF vulnerability that allows you to trigger that XSS, it becomes a much more serious bug.
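The self-XSS plus CSRF chain has two links, and the defender only needs to cut one of them. The example below is added here and is not code from the original post; it models a hypothetical profile form on a made-up site (`example.test`, with `attacker.test` as the cross-site origin) as plain functions rather than a real web framework. The "vulnerable" handler stores the submitted display name without a CSRF check and renders it unescaped; the "hardened" handler verifies the request's Origin/Referer and a per-session synchronizer token, and HTML-escapes the value on output. The constructed cross-site POST is replayed against both so you can see where the chain breaks.

```python
"""Self-XSS + CSRF chain and the two places a defender can cut it.
Added example; site names, session shape and handler are all hypothetical."""
import hmac
import html
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed values for this example (hypothetical site and attacker origins).
SITE_ORIGIN = "https://example.test"
ATTACKER_ORIGIN = "https://attacker.test"


def new_csrf_token() -> str:
    """Per-session synchronizer token, stored server-side and echoed into forms."""
    return secrets.token_urlsafe(32)


def request_origin(headers: dict) -> Optional[str]:
    """Browser-supplied origin: the Origin header, else scheme+host of Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(headers: dict, session_token: str, form_token: Optional[str]) -> Tuple[bool, str]:
    """Accept a state-changing request only if the origin is ours AND the
    submitted token matches the session's token (constant-time compare)."""
    origin = request_origin(headers)
    if origin is None:
        return False, "no Origin or Referer header"
    if origin != SITE_ORIGIN:
        return False, f"cross-site request from {origin}"
    if not form_token or not hmac.compare_digest(form_token, session_token):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def render_profile(display_name: str, escape: bool) -> str:
    """Profile page. Rendering the name unescaped is the self-XSS sink."""
    shown = html.escape(display_name, quote=True) if escape else display_name
    return f"<h1>{shown}</h1>"


def update_display_name(session: dict, headers: dict, form: dict, hardened: bool) -> dict:
    """Handler for POST /profile. `session` is the server-side session record,
    `form` the parsed body. hardened=False reproduces both weak links."""
    if hardened:
        allowed, reason = csrf_check(headers, session["csrf_token"], form.get("csrf_token"))
        if not allowed:
            # Reject the write; the page still shows the existing (escaped) name.
            return {"accepted": False, "reason": reason,
                    "rendered": render_profile(session["display_name"], escape=True)}
    session["display_name"] = form["display_name"]
    return {"accepted": True, "reason": "ok",
            "rendered": render_profile(session["display_name"], escape=hardened)}


def demo() -> dict:
    """Replay one constructed cross-site POST against both handlers, then a
    legitimate same-origin update against the hardened one."""
    payload = "<script>alert(1)</script>"  # constructed markup, not a real payload
    cross_site = {"Origin": ATTACKER_ORIGIN}  # what a browser sends for a forged form
    results = {}
    for label, hardened in (("vulnerable", False), ("hardened", True)):
        session = {"csrf_token": new_csrf_token(), "display_name": "oyasumi"}
        results[label] = update_display_name(session, cross_site, {"display_name": payload}, hardened)
    session = {"csrf_token": new_csrf_token(), "display_name": "oyasumi"}
    same_site = {"Origin": SITE_ORIGIN}
    results["legit"] = update_display_name(
        session, same_site, {"display_name": payload, "csrf_token": session["csrf_token"]}, True)
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:10} accepted={r['accepted']} reason={r['reason']!r} html={r['rendered']}")
```

Run as a script it prints three rows: the vulnerable handler accepts the forged POST and echoes the `<script>` tag back into the page (the full chain), the hardened handler refuses it at the CSRF link, and the legitimate same-origin update is still accepted but rendered as `&lt;script&gt;`, so even a user who pastes markup into their own profile only hurts the page's looks. The severity argument in the text follows directly: with the CSRF link in place the XSS needs no victim interaction beyond visiting the attacker's page, which is why the pair rates far above either bug alone.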

Conclusion

This way of thinking can be applied to anything, but it's a fundamental mindset when hacking that will lead you to discover issues most people would never even consider. You should practice it as much as possible when you're browsing the web, and even when walking around on the street: "Can I climb that tree?", "That gate looks unlocked", "I wonder what would happen if I put letters in the DOB section". These are all examples of the adversarial mindset you should be training yourself on. Hopefully I've given you a good introduction to the so-called "adversarial mindset" and you can walk away with a better understanding of how attackers think. If you have any questions or want to know how you can apply this to your own website or application, feel free to reach out and I can tell you what my eyes go to first!