RE: Mock Penentration Test Site

From: Clement Dupuis (cdupuis@cccure.org)
Date: Fri Aug 20 2004 - 20:48:42 EDT

• Next message: Kevin Sheldrake: "Re: XPSP2 compatability"
• Previous message: IndianZ: "Re: Novell Netware 4 or higher password cracker"
• In reply to: Skander Ben Mansour: "Re: Mock Penentration Test Site"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

The buggy bank is fun to play with.

The 10 or so bugs within the buggy bank are not as deep as one would think.
You have to remember that this is a perl script emulating everything. There
is one place you can perform an SQL injection attack, there is one XSS,
there is a cookie injection, bad memory management, account harvesting,
password harvesting to name a few.

It is always fun to see people sit in front of it and you tell them to find
what is wrong with it. Web application testing always looks easy on slides
but it is very different when you face the real thing.

It is not a bad tool at all. In order to get it going fast on my classroom
computer I would simply install apache from a setup file and then they would
run a batch file that would set everything up for them as far as the
httpd.conf and a few other things are concerned.

Contact me directly if you wish to have more details, I might still have my
documentation and files that I used in class when I was teaching this stuff.

Take care

Clement
http://www.professionalsecuritytesters.org

> -----Original Message-----
> From: Skander Ben Mansour [mailto:securityfocus@benmansour.net]
> Sent: Friday, August 20, 2004 6:38 AM
> To: jwoloz
> Cc: pen-test@securityfocus.com
> Subject: Re: Mock Penentration Test Site
>
> Hi Jason,
>
> David Rhoades, who teaches at SANS, developed a fake banking website
> that intentionally includes several vulnerabilities.
>
> I believe you can use and modify the code under the GPL. It is available
> at the following link:
>
> http://www.mavensecurity.com/webmaven
>
> From the author web site:
> "WebMaven (better known as Buggy Bank) is an interactive learning
> environment for web application security. It emulates various security
> flaws for the user to find. This will enable users to safely & legally
> practice web application vulnerability assessment techniques. In
> addition, users can benchmark their security audit tools to ensure they
> perform as advertised. "
>
> I hope it helps.
>
> Best Regards,
>
> Skander Ben Mansour, CISSP
> ---
> http://www.benmansour.net/
>
>
> jwoloz wrote:
> > Hey All
> > I am trying to create a Red Teaming Exercise and I was wondering if
> anyone knows of a full site I can download that will. Anything will do as
> an example, with CGI, PHP, JSP , ASP, forms and database. Basically
> anything that will resemble a real site with real vulnerabilities. i dotn
> have the time to build a fully functioning site from scratch and no one at
> work wants to give me one. Can anyone help?
> > -Jason
> >
> > ------------------------------------------------------------------------
> ------
> > Ethical Hacking at the InfoSec Institute. All of our class sizes are
> > guaranteed to be 12 students or less to facilitate one-on-one
> interaction
> > with one of our expert instructors. Check out our Advanced Hacking
> course,
> > learn to write exploits and attack security infrastructure. Attend a
> course
> > taught by an expert instructor with years of in-the-field pen testing
> > experience in our state of the art hacking lab. Master the skills of an
> > Ethical Hacker to better assess the security of your organization.
> >
> > http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
> > ------------------------------------------------------------------------
> -------
> >
> >
>
> --------------------------------------------------------------------------
> ----
> Ethical Hacking at the InfoSec Institute. All of our class sizes are
> guaranteed to be 12 students or less to facilitate one-on-one interaction
> with one of our expert instructors. Check out our Advanced Hacking course,
> learn to write exploits and attack security infrastructure. Attend a
> course
> taught by an expert instructor with years of in-the-field pen testing
> experience in our state of the art hacking lab. Master the skills of an
> Ethical Hacker to better assess the security of your organization.
>
> http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
> --------------------------------------------------------------------------
> -----

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
-------------------------------------------------------------------------------

• Next message: Kevin Sheldrake: "Re: XPSP2 compatability"
• Previous message: IndianZ: "Re: Novell Netware 4 or higher password cracker"
• In reply to: Skander Ben Mansour: "Re: Mock Penentration Test Site"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:00 EDT