Glad you like it.
If you like the current version wait till you see what we are planning to
build for Hacme Bank 2005 and Hacme Bookstore 2005. They will be connected
via web services so you can use your Hacme Bank credit card to buy books at
the Hacme Book Store....and guess what, the web services *might* just have
some holes ;-). And I mean it when I say we are taking feature requests.
On the XSS let me check. Its been a while. I thought there were some fields
that would get sent straight back to you and others stored and only used
when the admin account logs in and views the support messages.
I'll check and get back to you offline.
WebGoat has some great examples of XSS including an XSS in the database. If
you haven't already check it out. As Jeff pointed out you can also change
WebGoat (which we don't allow you to do with Hacme Bank).
Buzz me when I forget to send you the results of my investigation ;-)
Cheers,
Mark
-----Original Message-----
From: CFW [mailto:cfw_security@comcast.net]
Sent: Monday, November 08, 2004 1:56 PM
To: Mark Curphey
Cc: webappsec@securityfocus.com
Subject: Re: Looking for a Web Application Vulnerable to XSS Cookie Grab
Mark,
Thanks for the response and thanks for writing a great learning tool.
Maybe I am just not doing something right, but it looks to me like the
Stored XSS is not really exploitable because a given user will never see
another user's posts to the message board. Am I missing something?
Chuck
Mark Curphey wrote:
Hacme Bank has both reflective and stored XSS already so what you are
asking for is already there.
We will have a new version due out around Jan 2005. I am taking feature
requests ;-)
-----Original Message-----
From: CFW [mailto:cfw_security@comcast.net]
Sent: Friday, November 05, 2004 4:33 PM
To: webappsec@securityfocus.com
Subject: Looking for a Web Application Vulnerable to XSS Cookie Grab
Hi all,
I am setting up a lab to learn about web application security and I
have been messing with WebGoat and Foundstone's HacmeBank and found
them to be very useful learning tools. One thing lacking in them (from
what I can
tell) is a multiuser, XSS Cookie Grabbing example.
Basically, I would like to have a little application (or part of
one of these applications) that one (malicious) user can log in to and
post a XSS cookie grabber to a forum or guestbook or something. Then,
the attacker fires up a listener until another user logs in and hits
the script, sending the cookies to the listener. Then, the first user
can change his cookies, and see clearly that the web application thinks
it is the second user. Does anyone know of such an application?
The Foundstone Hacme Bank is almost there in that it has a "Post
Message" section that is vulnerable to XSS, but it is set up so that
each user sees only their own messages, so it is not possible to post a
malicious script to someone else. If the Foundstone people are reading
this, have you considered changing this behavior?
While I am asking, are there any other web applications like these
that I should set up? I looked at WebMaven, but it looks like that has
been overtaken by Hacme and Webgoat (correct me if I am wrong).
Someone mentioned a while back on pen-test that you could use an old
version of PHP-Nuke as a vulnerable site since it has a lot of known
issues. Has anyone done this and have any hints on what version is the
most useful in this respect (most vulnerable I guess)?
Thanks a bunch and have a good weekend.
Chuck
