Foundstone Hacme Bank v™ Software Security Training Application User and Solution Guide. Author: Shanit Gupta, Foundstone Inc. April 7, Proprietary. Hacme Bank simulates a “real-world” web services-enabled online banking application, which was built with a number of known and common vulnerabilities.


Some of these services are exported so that other applications can consume and utilize the functionality of Hacme Bank. All Rights Reserved – 63. One of the motivations to rebuild the Hacme Bank application was to introduce web services into the application to simulate a real-world scenario of distributed computing.

The screen shot above shows that an attacker is able to log in to the application without knowing the actual challenge. Figure 34: Replace the viewstate information with the viewstate information belonging to another user. Figure 41: The attacker can then change the amount to and continue the request.

For Hacme Bank users the response key is embedded in the web page for ease of use.


These may be obtained by visiting the Microsoft websites listed in the following table. If IIS is already installed, you can verify that the required components are enabled through the Control Panel. Users can create new accounts for any user and assign a location and account type. The assumption is that only the administrator will be able to calculate the response to the challenge offered.

By default the path is http: It's free for non-commercial use, and we are already working on the next version to include some more user management issues.


Several other Hacme, Inc. These accounts are assigned a cash balance to begin with. Paros is one such proxy that is commonly used within the web application testing community. To achieve this goal we provide a subset of the features seen in all banking applications.

A .NET web application built using C#. This causes security concerns, since any user would be able to abuse the secrets stored on the client side. Corresponding figure(s): left-hand side menu. Choose the source account to be one of your accounts from the drop-down list.

Our instructors have performed hundreds of web, e-commerce and application security assessments and managed security programs for government and corporate environments. Figure 48: The user is elevated to the privileges of Admin without actually performing the two-factor authentication that is required for logging in as Administrator. Once again we can ignore the sessionID variable and enter the userName value obtained from the previous attack.

The first step towards that is obtaining the names of all the columns of the table. The three accounts are mentioned below. Figure 15 shows the default login page. Log in to the application using any valid set of credentials. Figure 35: The attacker was able to transfer funds from account number to after having logged in as a user that has access to only account . In the source of the page you will find the hidden field that holds the viewstate information.

This information can usually be obtained from the UDDI registry for most real-world applications. Developers often use this trick to improve the performance of the application. The comments section allows users to add notes and comments while requesting the loan. Figure 6 requests details of the database to be used. In the screen shot above we can obtain the account numbers of the users by predicting their userID.


HacmeBank & HacmeCasino in the Cloud | Free Windows Security Trainings

Figure 40: The request is trapped in Paros before being submitted to the user. Figure 39. In this case it happens to be . The admin interface provides the features mentioned below: a. The path on localhost is http: Fundamentally, little has been done to tackle this problem, with most current offerings being only piecemeal, with much promise but little delivery.

All user accounts have at least 2 bank accounts configured. The administrator will have unrestricted access to the database. Features of the application: Hacme Bank WebServices is the backend service that performs the processing logic of the application.

Foundstone Hacme Bank v2.0 Software Security Training

Figure 5, Figure 6. This will display all the transactions belonging to account number , which does not belong to Jane Chris, as can be noted from Figure . Figure 7, Figure 8. With the recent end of support for Windows XP I figured now was a good time to rewrite my tutorial on installing Hacme Bank.

Figure 47: Change the value of the Admin cookie from false to true and hit continue. Also, if you’re a screencaster, feel free to use them in your video tutorials.