Multiple Demos and misc files. Contribute to o2platform/Demos_Files development by creating an account on GitHub. Foundstone Hacme Bank v™ Software Security Training Application User and Solution Guide Author: Shanit Gupta, Foundstone Inc. April 7, Proprietary. Hacme Bank simulates a “real-world” web services-enabled online banking application, which was built with a number of known and common.

Author: Shakazragore Moramar
Country: Congo
Language: English (Spanish)
Genre: Sex
Published (Last): 22 March 2013
Pages: 441
PDF File Size: 14.95 Mb
ePub File Size: 10.30 Mb
ISBN: 414-1-44051-151-5
Downloads: 73053
Price: Free* [*Free Regsitration Required]
Uploader: Yozshukinos

Once the WSDL is obtained it can be parsed to obtain all the public interfaces along with the data types expected. Installation of Hackme was realtively simple windows xp laptop 2.

To add a new user to the system the administrator has to provide a bznk name, log in id and password. The techniques for doing this are described in Lesson 2.

All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

This is hacmd good indication that the column is of numeric type. Features of the Application: Posted Messages can be used by the users of the bank to post on messages for all users of the application to view.

The administrator will be able to delete any account from the system and add new accounts to the system. The results of the query are displayed back to the user in well formatted rows and columns.

The Hacme Bank homepage should load and you can test the back-end system by logging into the site using the user name jvand password jv Every user is assigned atleast 2 accounts and can have at most 4 different accounts. The next important piece of information will be the details regarding all the columns of the tables. This allows users to attempt real exploits against a web application and thus learn the specifics bsnk the issue and how best to fix it.


The administrator can delete any message posted by any user of the application d. Our instructors have performed hundreds of Web, e-commerce bamk application security assessments and managed security programs for government and corporate environments.


Foundstone Hacme Bank v2.0 Software Security Training

The comments section allows users to add notes and comments while requesting the loan. If IIS is already installed you can verify the required components are enabled through the Control Panel:. This is done using the third input data item in the table above for each column.

Several real world applications are now exposing web services of their application to be consumed by their partners, collaborators and consumers. Anyways the other software I stumbled across was called WebMaven In this case it happens to be It requires the use of the Microsoft.

All Rights Reserved – 26 Figure 23 So we input the text from step 2. One of the tools that can used to decode the view state is called ViewState Decoder. All Rights Reserved – 63 One of the motivations to rebuild the Hacme Bank application was to introduce web services in the applications to simulate a real world scenario of distributed computing.

All Rights Reserved – 38 2 3 Corresponding Figure s www. The tool is delivered along with 3 accounts that a user can use. The user needs to provide the old password, the new password and confirm the new password.

Anyone who enjoys one of these pieces of software should equally enjoy the other piece. By default the path is http: As discussed before, the application is preconfigured with default accounts with different account types and cash balances. All Rights Reserved – 54 Modifying the cookie value to a large positive integer would therefore prevent the application locking out after a small number 5 by default of failed login attempts and thus permits a brute force attack. All Rights Reserved – 68 Figure 57 Now that we have the name of the users, we can invoke the method to obtain the user details.


This is displayed in the screen shot below. Again, accept the default settings until your reach the Database Setup screen.

Hacme Bank

Client Side Secrets Lesson www. All Rights Reserved – 20 Figure 19 www. Figures 7 and 8 complete the installation steps. Here, select Trusted Connectionclick Next and complete the install.

Penetration Testing: RE: Hacme Bank

Some safe default messages can be viewed by the users of the application 4. In this section we will show some of the vulnerabilities that the web services of Hacme Bank are susceptible to. By default this is http: All Rights Reserved – 13 Figure 16 Furthermore, your browser must be configured bbank use the web proxy.

Buffer overflows, SQL injection and cross site scripting can all be prevented through proper data validation. This enables the first time users to login the application and access the Admin interface and have a look and feel for the application before modifying it to suite their requirements.

Now open a command prompt and run hac,e following command to install MSDE and see next step for the compatibility warning:.

Once you have downloaded and installed Paros it requires minimal configuration. The path on local host is http: Paros is one such proxy that is commonly used within the web application testing community. All Rights Reserved – 47 Figure 39 www.