Multiple Demos and misc files. Contribute to o2platform/Demos_Files development by creating an account on GitHub. Foundstone Hacme Bank v™ Software Security Training Application User and Solution Guide Author: Shanit Gupta, Foundstone Inc. April 7, Proprietary. Hacme Bank simulates a “real-world” web services-enabled online banking application, which was built with a number of known and common.


The address of the Microsoft SQL database server must be provided here along with the credentials to be used.

This is displayed in the screen shot below. More accounts can be added using the Admin interface. It shows the operations supported by the application using web services.

Log in to the application using any valid set of credentials. In this case we do not have the sessionID, so we input any value to check whether the session is enforced. For Hacme Bank users the response key is embedded in the web page for ease of use.

All Rights Reserved – 26 Figure 23 So we input the text from step 2. To ensure that the.

Paros is one such proxy that is commonly used within the web application testing community.

Installing Hacme Bank on Windows 7

Figure 47 Change the value of the Admin cookie from false to true and hit continue. As discussed before, the application is preconfigured with default accounts with different account types and cash balances.

The response sets a cookie that sets the Admin privileges to false. This will display all the transactions belonging to account number , which does not belong to Jane Chris, as can be noted from Figure . In the source of the page you will find the hidden field that holds the viewstate information.

Hacme Bank – OWASP

The admin interface provides the features mentioned below.

The admin interface of the application allows the user to manage, control and configure the application. The next important piece of information will be the details regarding all the columns of the tables.

Penetration Testing: RE: Hacme Bank

The application allows its users to transfer funds from one account to another.

The application allows its users to change the password associated with the username. Anyway, the other software I stumbled across was called WebMaven. For instance, data validation has often been neglected, with performance impact being cited as the primary reason for doing so.

In this section we will show some of the vulnerabilities that the web services of Hacme Bank are susceptible to.

The drop-down list provides a list of 15 predefined queries that the administrator can run to manage the database. This enables us to have a real-world deployment scenario where multiple applications are communicating with each other to perform an extended joint transaction. Just like web applications, web services are susceptible to attacks and vulnerabilities.

In the screen shot above we can obtain the account numbers of the users by predicting their userID.

After 5 (I think) bad attempts we reset your session, which would see any subsequent request redirected to the login page. The assumption is that only the administrator will be able to calculate the response to the challenge offered. There are several resources available to understand the detailed security issues of web services.

HacmeBank & HacmeCasino in the Cloud | Free Windows Security Trainings

Click the ‘OK’ button. 7. These may be obtained by visiting the Microsoft websites listed in the following table: Several other Hacme, Inc. I just stumbled across this software yesterday and I was amazed by it.

Increasingly, computer attacks are migrating from the network perimeter to poorly designed and developed software applications. To enhance the user experience, the tool comes with some preconfigured data. They are shown in Figures 9 to . Figure 16 Furthermore, the browser must be configured to use the web proxy.

Try and send me the ban off-line so we avoid support on webappsec and we can fine-tune any configs or make changes if you have found a bug. By default this is http: In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local machine. Figure 57 Now that we have the names of the users, we can invoke the method to obtain the user details.

Hacme Bank simulates an online banking website with numerous application vulnerabilities purposely designed in for you to discover.