Foundstone Hacme Bank v™ Software Security Training Application: User and Solution Guide. Author: Shanit Gupta, Foundstone Inc. April 7, Proprietary. Hacme Bank simulates a “real-world” web services-enabled online banking application, which was built with a number of known and common vulnerabilities.

Author: Mokus Dikasa
Country: Spain
Language: English (Spanish)
Genre: Environment
Published (Last): 23 June 2012
Pages: 270
PDF File Size: 15.2 Mb
ePub File Size: 6.12 Mb
ISBN: 412-6-70953-404-5

This can be local or remote.

Run the executable, accept the defaults on any prompts that come up, and allow the unpackager to complete. The application layer invokes the web services to execute the requests of the user.

Figure 2 displays the license agreement that must be accepted in order to install the tool. While it has not been tested on other versions of Windows, we do believe that it should execute successfully on all Windows operating systems that can support the 1. Foundstone uses this application extensively in our Ultimate Web Hacking and Building Secure Software training classes. Examples of lessons include SQL injection against a fake credit card database, where the user creates the attack and steals the credit card numbers.


On clicking Next, the user is then asked to specify a name for the virtual directory that will be created. The drop-down list provides 15 predefined queries that the administrator can use to manage the database. Features of the Application: All Rights Reserved – 8 (Figure 9, Figure 10).

Once again we can ignore the sessionID variable and enter the userName value obtained from the previous attack. By default Paros listens on port 8080. At the same time, most security researchers would agree that improper, or sadly often absent, data validation is the leading cause of software security vulnerabilities.


Posted Messages can be used by the users of the bank to post messages for all users of the application to view. Figure 58: similarly, we can invoke other methods to get more detailed information about all the users.

We have found that students in these classes appreciate the real-world nature and the ability to test their skills against an application with no legal liability.

.NET Framework version 1. (Figure 6.) Figure 16: furthermore, your browser must be configured to use the web proxy.


Web services may be vulnerable to all the attacks that a web application is vulnerable to. Figure 26: we first query the unique table id using the injection. The installation wizard supports both SQL Authentication and Windows Authentication (the default and recommended option). This allows the user to audit the account as required.

This clearly shows that although sessionID is accepted, it is not used to enforce any authentication or authorization mechanism. The second component of the tool is the web site, which holds the presentation logic.

Figure 34: replace the viewstate information with the viewstate information belonging to another user. These external accounts can be guessed or brute forced.

Internet communication is far less secure than intranet communication, which means web services also require security mechanisms such as authentication, authorization, confidentiality and data integrity.



The admin interface provides the features listed below. It is Java based and may be downloaded together with the source code from http: (Figure 7, Figure 8.) The current version of Hacme Bank is completely web services based. If IIS is already installed, you can verify that the required components are enabled through the Control Panel.

Every user is assigned at least 2 bank accounts and can have at most 4 different accounts. By clicking on any one of these methods a user will be able to determine the expected input along with its data type. This is displayed in the screen shot below. Figure 59: the above screen shot displays the ability of an unauthenticated attacker to transfer funds from one account to another.

For Hacme Bank users the response key is embedded in the web page for ease of use.

It is initialized to 5 and, as you make multiple failed login attempts, it is decremented until it reaches 0, at which point the specified user is locked out.