Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Hacme Bank

from [Don Tuer] Network Security [Permanent Link]
Subject: RE: Hacme Bank
Date: Mon, 13 Sep 2004 16:01:55 -0400 
Hi Mark:

        Thanks for releasing this tool, looks pretty neat. But I must
say that I can't understand why these types of errors are still being
made in Web applications. Basically if you follow a few simple rules you
will avoid these errors:

- Don't trust user input (mitigates hidden form counts)
- Validate all input on the server (mitigates Cross site scripting)
- Use stored procedures for all database access (mitigates SQL
injection)
- Don't send verbose error logs to end users (mitigates information
release)
- Encrypt client cookies (mitigates cookie manipulation)

These things are really easy to do using .NET and any developer that has
taken the time to do some basic review of Microsoft's documentation will
see this...

Thanks
Don 

-----Original Message-----
From: Mark Curphey [mailto:mark@curphey.com]
Sent: 08 September 2004 14:04
To: webappsec@securityfocus.com; pen-test@securityfocus.com
Subject: Hacme Bank


Just to let you know in the next hour or so the links should go live to
our
new free tool, Hacme Bank on the Foundstone web site
(http://www.foundstone.com/s3i).

You can see the press release here;

http://www.tmcnet.com/usubmit/2004/Sep/1071232.htm

It's an online banking application written in C# ASP.NET (requires IIS
and
.NET framework 1.1 to install) with a set of security holes replicating
real
world things we have found in client engagements over the last 9 months.
It
serves as a "real world" training application for web application pen
testing and education for developers.

Its free for non-commercial use and we are already working on the next
version to include some more user management issues.

All of the lessons are screen captured and documented so you can step
through all of the issues. These are in a "User and Solution Guide" PDF
in
the web root by default.

It is not designed to be a good benchmarking platform for automated
tools
but it is interesting to compare the results of your favorite tools with
the
holes in the bank (we have done this) or put it behind a "web app
firewall"
(no uptake from my recent challenge I am afraid, go figure!).

The experienced can start attacking the login field when installed and
the
less experienced can walk through the lesson plans.

Mark
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Apache VS IIS Securiyt model question, Dinis Cruz
Next by Date:  RE: SQL Injection data retrieving??, Mark McDonald
Previous by Thread:  RE: Hacme Bank, Al
Next by Thread:  Re: Hacme Bank, Rogan Dawes
Indexes:  [Date] [Thread] [Top] [All Lists]