Net Framework v1. Reboot the system to ensure all services are started. Browse to where Hacme Bank was downloaded and extract the Hacme Bank file. Click through the welcome page, read and accept the license agreement, and click through the remaining defaults until the database setup. Change the authentication type to Trusted Connection and finish the install.
Select the defaults and install the web site. Double click on the Hacme Bank Web Site icon and enter the username jv and password jv. If a welcome message appears, Hacme Bank has been successfully set up. The final step is setting up remote connections.
Posted by Dennis Distler. Apart from being able to access any user account, the SQL query interface allows the administrator to input any SQL query that can be submitted and executed at the database.
All valid loan requests are immediately approved. The application also allows a user to transfer funds from any internal account to an external account. Client Side Secrets Lesson www. Just to let you know in the next bamk or so the links should go live to our new free tool, Hacme Bank on the Foundstone web site http: These may be obtained by visiting the Microsoft Websites listed in the following table: The administrator can delete any message posted by any user of the application.
Buffer overflows, SQL injection and cross site scripting can all be prevented through proper data validation. Again, accept the default settings until you reach the Database Setup screen. Now open a command prompt and run the following command to install MSDE (see the next step for the compatibility warning): The administrator can view all the existing users of the system along with their user name, login id, and the accounts assigned to them.
This enables first-time users to log in to the application, access the Admin interface and get a look and feel for the application before modifying it to suit their requirements. The first screen that displays when the installation package is run is the License Agreement; to install the package we must click on I Agree. If we do not agree, the installation will abort.
Next, a screen appears warning users that Hacme Books purposefully introduces vulnerabilities to your system for testing reasons and that Foundstone accepts no liability for system compromises. Click Next. Leave the default option checked for install location. The installation will begin copying files and the progress indicator will show the progress of the installation.
Once the installation is finished we will go ahead and test the installed application. Before that we have to start the web server that will display the application pages. It can be started by double clicking the startup. This is the starting point of everything we will be doing during this session. If the page times out and does not load, check your browser proxy settings!
In this case it happens to be This will display all the transactions belonging to account number which does not belong to Jane Chris, as can be noted from Figure By modifying the parameter in the URI the attacker is able to directly access functionality that only an administrator should be able to access.
Lesson 2C
Vulnerability Exploited: Authorization Failure
Exploit Result: Horizontal Privilege Escalation
Input Field(s)/function: Steal viewstate to make unauthorized transactions
Steps:
1. Steal another user's viewstate information using a cross site scripting attack, by sniffing, or from a cached copy on the hard drive.
2. Log in to a valid account with correct credentials.
3. Make fund transfers to an external account of choice, but replace the viewstate information with the stolen viewstate belonging to another user.
Replace the viewstate information with the viewstate information belonging to another user. The viewstate of another user can be obtained by performing a cross site scripting attack (illustrated later), by sniffing the network, or by obtaining it from the cached copy on a hard drive. The attack will only be successful if the replaced viewstate is also URL encoded.
The attacker was able to transfer funds from account number to after having logged in as a user that has access to only account The web application extracts the source account information from the viewstate that is provided with the request.
This allowed the end user to replace her viewstate with viewstate belonging to another user and make the funds transfer. When the link is clicked as described in Step 3 above, the JavaScript injected into the page is executed and the following alert is displayed. The JavaScript for that would look similar to:
2. Check the External Account radio button. Enter the external account number from where you want to bring in funds.
Corresponding Figure(s): Figure 39. The attacker first initiates a transfer of funds to an external known valid account. These external accounts can be guessed or brute forced. The request is trapped in Paros before it is submitted. On trapping the request in Paros you will notice a cookie called CookieLoginAttempts being set.
This is illustrated in Figure 44 above. It is initialized to 5 and, as you make multiple failed login attempts, it is decremented until it reaches 0, at which point the specified user is locked out. Because the counter lives in a client-side cookie, modifying the cookie value to a large positive integer would prevent the application from locking the account out after a small number (5 by default) of failed login attempts and thus permits a brute force attack.
Trap the response to the login request with valid credentials. The response sets a cookie that sets the Admin privilege to false. This is displayed in the screen shot below. Change the value of the Admin cookie from false to true and hit continue. The browser accepts the cookie set by the application and thereafter the cookies sent with all subsequent requests will have the value true assigned to the Admin cookie.
The user is elevated to the privileges of Admin without actually performing the two factor authentication which is required for logging in as Administrator. From now on the user will be able to access all the features which were only provided for the administrator of the application.
Figure 49. Navigate to the Admin section of the application. View the source of the page. In the source of the page you will find the hidden field that holds the viewstate information. Viewstate is base64-encoded application state in XML format. One of the tools that can be used to decode the viewstate is called ViewState Decoder. From the screen shot above we can see that the response to the challenge is hidden in the viewstate.
Developers often use this trick to improve the performance of the application. This way the developers do not have to maintain or query the response to the challenge on the server side and can extract it from the client-provided information. This causes security concerns, since any user would be able to abuse the secrets stored on the client side. The screen shot above displays the ability of an attacker to log in to the application without knowledge of the actual challenge.
One of the motivations to rebuild the Hacme Bank application was to introduce web services in the applications to simulate a real world scenario of distributed computing. Several real world applications are now exposing web services of their application to be consumed by their partners, collaborators and consumers.
Just like web applications, web services are susceptible to attacks and vulnerabilities. Internet communication is far less secure than intranet communication, which means security mechanisms such as authentication, authorization, confidentiality and data integrity are required in web services as well.
There are several resources available for understanding the detailed security issues of web services. Furthermore, there are tools like Foundstone WSDigger which allow you to search, query and invoke web services dynamically without writing any code at all.
In this section we will show some of the vulnerabilities that the web services of Hacme Bank are susceptible to.
This information can usually be obtained from the UDDI registry for most real world applications. Once the WSDL is obtained it can be parsed to obtain all the public interfaces along with the data types expected. In the screen shot attached below we input the path of one of the WSDL files for Hacme Bank to obtain the list of methods exposed by it. The application layer invokes the web services to execute the requests of the user. Therefore the web services are vulnerable to all the attacks mentioned in Lessons 1 to 6.
The screen shot above displays the list of methods supported by Hacme Bank. By clicking on any one of these methods a user will be able to determine the expected input along with its datatype. Using the WSDigger tool we can now invoke any of the methods that we see. The ListCurrenUsers method expects a single input. In this case we do not have the sessionID, so we input any value to check whether the session is enforced. When we invoke the method we get the list of users. This clearly shows that although a sessionID is accepted, it is not used to enforce any authentication or authorization mechanism.
Now that we have the name of the users, we can invoke the method to obtain the user details. Once again we can ignore the sessionID variable and enter the userName field obtained from the previous attack. Similarly we can invoke other methods to get more detailed information about all the users. In the screen shot above we can obtain the account numbers of the users by predicting their userID.
The screen shot above displays the ability of an unauthenticated attacker to transfer funds from one account to another. Web services may be vulnerable to all the attacks that a web application is vulnerable to. Furthermore, they may be vulnerable to many other issues.
Check the box for 'Internet Information Services'.
Click the 'Details' button.
Click the 'OK' button.