WebApp Sec mailing list archives
RE: Hacme Bank
From: "Don Tuer" <don.tuer () cgi com>
Date: Tue, 14 Sep 2004 09:31:40 -0400
Hi Rogan: I understand that the Hacme site is intentionally buggy my point was that it's quite surprising that Mark sees these very basic errors continuing to be made by web developers. Basic training in the .NET platform and some on line reading will emphasize to the developer not to make these mistakes. I do appreciate the work Mark did on the Hacme site and am sure it's going to be valuable to help emphasize not to make these mistakes. Thanks Don -----Original Message----- From: Rogan Dawes [mailto:discard () dawes za net] Sent: Tuesday, September 14, 2004 2:53 AM To: Don Tuer Cc: webappsec () securityfocus com Subject: Re: Hacme Bank Hi Don, Trust me when I say you are preaching to the choir here. Mark has been leading this list and discussions here for a number of years - I think it is safe to assume that he knows a little about web app security. Hacme Bank is an application designed to point out the mistakes that too many developers make. It is *deliberately* buggy. It is intended as a demonstrator that you can use to explain to management and clients (with appropriate license?) just how important all those things that you mention are. Hope that clears up any misunderstandings. Rogan Don Tuer wrote:
Hi Mark: Thanks for releasing this tool, looks pretty neat. But I must say that I can't understand why these types of errors are still being made in Web applications. Basically if you follow a few simple rules
you
will avoid these errors: - Don't trust user input (mitigates hidden form counts) - Validate all input on the server (mitigates Cross site scripting) - Use stored procedures for all database access (mitigates SQL injection) - Don't send verbose error logs to end users (mitigates information release) - Encrypt client cookies (mitigates cookie manipulation) These things are really easy to do using .NET and any developer that
has
taken the time to do some basic review of Microsoft's documentation
will
see this... Thanks Don -----Original Message----- From: Mark Curphey [mailto:mark () curphey com] Sent: 08 September 2004 14:04 To: webappsec () securityfocus com; pen-test () securityfocus com Subject: Hacme Bank Just to let you know in the next hour or so the links should go live
to
our new free tool, Hacme Bank on the Foundstone web site (http://www.foundstone.com/s3i). You can see the press release here; http://www.tmcnet.com/usubmit/2004/Sep/1071232.htm It's an online banking application written in C# ASP.NET (requires IIS and .NET framework 1.1 to install) with a set of security holes
replicating
real world things we have found in client engagements over the last 9
months.
It serves as a "real world" training application for web application pen testing and education for developers. Its free for non-commercial use and we are already working on the next version to include some more user management issues. All of the lessons are screen captured and documented so you can step through all of the issues. These are in a "User and Solution Guide"
in the web root by default. It is not designed to be a good benchmarking platform for automated tools but it is interesting to compare the results of your favorite tools
with
the holes in the bank (we have done this) or put it behind a "web app firewall" (no uptake from my recent challenge I am afraid, go figure!). The experienced can start attacking the login field when installed and the less experienced can walk through the lesson plans. Mark
-- Rogan Dawes *ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
Current thread:
- Hacme Bank Mark Curphey (Sep 09)
- Re: Hacme Bank Rush Molekilla (Sep 09)
- Re: Problem with Hacme Bank Install Martin Mkrtchian (Sep 09)
- RE: Hacme Bank Al (Sep 10)
- RE: Hacme Bank Don Tuer (Sep 13)
- Re: Hacme Bank Rogan Dawes (Sep 15)
- RE: Hacme Bank Don Tuer (Sep 15)
- RE: Hacme Bank Frank Knobbe (Sep 16)
- RE: Hacme Bank Don Tuer (Sep 13)
- <Possible follow-ups>
- RE: Hacme Bank Mark Curphey (Sep 10)
- RE: Hacme Bank raza (Sep 16)
- RE: Hacme Bank King, Stuart (REHQ-LON) (Sep 13)
- RE: Hacme Bank Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Sep 16)
- Re: Hacme Bank Jérôme (Sep 18)
- Re: Hacme Bank KrK (Sep 18)