WebApp Sec mailing list archives
RE: Hacme Bank
From: Mark Curphey <mark () curphey com>
Date: Fri, 10 Sep 2004 00:49:08 -0400 (EDT)
Glad you liked the blind SQL injection;-) My personal fav is the poor crypto one in the account fields which is seen all too often in the real world but rarely found. After 5 (I think) bad attempts we reset your session which would see any subsequent request redirected to the login page. It maybe that. Try and send me the results off-line (so we avoid support on webappsec) and we can fine tune any configs or make changes if you have found a bug. Cheers Mark ---- Jeremy Junginger <jj () act com> wrote:
Great tool! Lesson 1 a nice way to integrate the nexgenss advanced sql injection techniques into a simulated environment. I have a question, though, and it may be misconfiguration on the server side on my part, but after I've logged in successfully with inserted account credentials and I click on account details, I get thrown back to http://redmrtg/hacmebank/Login.aspx?lmsg=Re-login Any tips? Thanks! -----Original Message----- From: Rush Molekilla [mailto:molekilla () gmail com] Sent: Thursday, September 09, 2004 6:28 AM To: Mark Curphey Cc: webappsec () securityfocus com; pen-test () securityfocus com Subject: Re: Hacme Bank Nice app! The only problem I had while trying to hack ASP.NET Application in localhost with my tool (Ecyware GreenBlue Inspector) is that both use the .NET thread pool. But nice ASP.NET, super great. Thanks, Rogelio Morrell C. Ecyware On Wed, 8 Sep 2004 10:03:43 -0400, Mark Curphey <mark () curphey com> wrote:Just to let you know in the next hour or so the links should go live to our new free tool, Hacme Bank on the Foundstone web site (http://www.foundstone.com/s3i). You can see the press release here; http://www.tmcnet.com/usubmit/2004/Sep/1071232.htm It's an online banking application written in C# ASP.NET (requires IIS and .NET framework 1.1 to install) with a set of security holes replicating real world things we have found in client engagements over the last 9 months. It serves as a "real world" training application for web application pen testing and education for developers. Its free for non-commercial use and we are already working on the next version to include some more user management issues. All of the lessons are screen captured and documented so you can step through all of the issues. These are in a "User and Solution Guide" PDF in the web root by default. It is not designed to be a good benchmarking platform for automated tools but it is interesting to compare the results of your favorite tools with the holes in the bank (we have done this) or put it behind a "web app firewall" (no uptake from my recent challenge I am afraid, go figure!). The experienced can start attacking the login field when installed and the less experienced can walk through the lesson plans. Mark------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- Hacme Bank Mark Curphey (Sep 09)
- Re: Hacme Bank Rush Molekilla (Sep 09)
- Re: Problem with Hacme Bank Install Martin Mkrtchian (Sep 09)
- RE: Hacme Bank Al (Sep 10)
- RE: Hacme Bank Don Tuer (Sep 13)
- Re: Hacme Bank Rogan Dawes (Sep 15)
- RE: Hacme Bank Don Tuer (Sep 15)
- RE: Hacme Bank Frank Knobbe (Sep 16)
- RE: Hacme Bank Don Tuer (Sep 13)
- <Possible follow-ups>
- RE: Hacme Bank Mark Curphey (Sep 10)
- RE: Hacme Bank raza (Sep 16)
- RE: Hacme Bank King, Stuart (REHQ-LON) (Sep 13)
- RE: Hacme Bank Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Sep 16)
- Re: Hacme Bank Jérôme (Sep 18)
- Re: Hacme Bank KrK (Sep 18)