Multiple demos and misc files, from the o2platform/Demos_Files repository on GitHub.

Foundstone Hacme Bank v™ Software Security Training Application User and Solution Guide. Author: Shanit Gupta, Foundstone Inc. April 7. Proprietary. Hacme Bank simulates a “real-world” web services-enabled online banking application, which was built with a number of known and common …


The second component of the tool is the web site, which holds the presentation logic.

All Rights Reserved. Foundstone intended to design an application that looks and works like a real-world banking application while introducing commonly found web application vulnerabilities to educate and train the users. Also, if you’re a screencaster, feel free to use them in your video tutorials. It requires the use of the Microsoft …

Foundstone Hacme Bank v Software Security Training

Security in the Microsoft … They are shown in Figures 9 to … Similarly we can invoke other methods to get more detailed information about all the users (Figure 58). On clicking Next, the user is then asked to enter a name for the virtual directory that will be created (Figures 13 and 14). We believe the correct solution is to train application developers and architects about the need to design and write secure software and how to do so.

In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system. All user accounts have at least two bank accounts configured. This clearly shows us that although a sessionID is accepted, it is not used to enforce any authentication or authorization mechanism: the request succeeds with any value.


Here, select Trusted Connection, click Next and complete the install. [Figures 36, 37 and 38] On clicking View Transactions, the application will display the transactions corresponding to that account number (Figure 30). The request is trapped in Paros before being submitted to the server (Figure 40).

Installing Hacme Bank on Windows 7

The administrator will have unrestricted access to the database. I just stumbled across this software yesterday and I was amazed by it. The experienced can start attacking the login field when installed and the less experienced can walk through the lesson plans.

Once you have downloaded and installed Paros, it requires minimal configuration. The user will hence be able to log in to the application with Admin privileges after retrieving the response to the challenge from the ViewState (Figure 52).

In the screenshot above we can obtain the account numbers of other users by predicting their userIDs. This feature is provided to emulate two-factor authentication as closely as possible. Check the External Account radio button.

Hacme Bank – OWASP

Figures 4 and 5 represent the next two steps in the installation wizard and are fairly straightforward. The path on localhost is http: … In this case we do not have the sessionID, so we input any value to check whether the session is enforced.
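The two checks described above (a sessionID that is accepted but never enforced, and account numbers harvested by walking predictable userIDs) as an added example. This is not Hacme Bank's code: the web method is a hypothetical in-memory stand-in, and the userIDs, account numbers and sessionID are constructed for the example.

```python
"""Added example (not Hacme Bank's code): a hypothetical stand-in for a
'get accounts' web method that accepts a sessionID, and a probe that
checks whether that sessionID is actually enforced. All data is constructed."""
from typing import Callable, Dict, List

# Constructed sample data: sequential userIDs, each with at least two accounts.
ACCOUNTS: Dict[int, List[str]] = {
    1: ["ACC-1001", "ACC-1002"],
    2: ["ACC-2001", "ACC-2002"],
    3: ["ACC-3001", "ACC-3002"],
}

# Constructed session table: sessionID -> userID that owns it.
SESSIONS: Dict[str, int] = {"a1b2c3d4": 2}

Method = Callable[[int, str], List[str]]


def get_accounts_vulnerable(user_id: int, session_id: str) -> List[str]:
    """Pattern the guide describes: sessionID is a parameter of the method,
    but nothing checks it, so any value returns the requested user's data."""
    return ACCOUNTS.get(user_id, [])


def get_accounts_hardened(user_id: int, session_id: str) -> List[str]:
    """Fix: authenticate the session, then authorize it for this userID."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise PermissionError("invalid or missing sessionID")
    if owner != user_id:
        raise PermissionError("sessionID does not belong to userID %d" % user_id)
    return list(ACCOUNTS.get(user_id, []))


def probe(method: Method, session_id: str, id_range: range) -> Dict[int, List[str]]:
    """Call `method` for every userID in `id_range` with one sessionID and
    keep every non-empty answer. Run with a made-up sessionID: anything
    harvested means the session is not enforced, and walking the sequential
    IDs is the account-number enumeration the guide describes."""
    harvested: Dict[int, List[str]] = {}
    for uid in id_range:
        try:
            accounts = method(uid, session_id)
        except PermissionError:
            continue
        if accounts:
            harvested[uid] = accounts
    return harvested


if __name__ == "__main__":
    bogus = "xyz"  # "any value", as in the guide's check
    print("vulnerable:", probe(get_accounts_vulnerable, bogus, range(1, 10)))
    print("hardened:  ", probe(get_accounts_hardened, bogus, range(1, 10)))
    print("own data:  ", probe(get_accounts_hardened, "a1b2c3d4", range(1, 10)))
```

Against a live target the same probe is a loop of SOAP requests (for example replayed through Paros) with the sessionID parameter set to junk; the hardened method shows the two checks that must both pass: the session exists, and it belongs to the userID being queried.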


Figures 7 and 8 complete the installation steps. This allows users to attempt real exploits against a web application and thus learn the specifics of the issue and how best to fix it. The results of the query are displayed back to the user in well-formatted rows and columns.

HacmeBank & HacmeCasino in the Cloud | Free Windows Security Trainings

The sessionID of another user can be obtained by performing a cross-site scripting attack (illustrated later), by sniffing the network, or by obtaining it from the cached copy on a hard drive. This way the developers do not have to maintain or query the response to the challenge on the server side and can extract it from the client-provided information; but anything the client supplies can be read and altered by the client, which is why the answer can be recovered from the ViewState.
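Recovering the challenge response from the ViewState, as the passage above and the earlier Admin login step describe, beside the server-side design that avoids the problem. This is an added example, not Hacme Bank's code or Foundstone's solution: the __VIEWSTATE blob is constructed here (base64 over a few binary bytes and length-prefixed strings, loosely imitating the LosFormatter layout), and the field names ctl_challenge and ctl_answer are assumptions.

```python
"""Added example (not Hacme Bank's code): reading a challenge answer that a
page stored in the ASP.NET __VIEWSTATE field, beside the server-side
alternative. The ViewState blob is constructed here: base64 over a few binary
bytes and length-prefixed strings, loosely imitating the LosFormatter layout.
The field names ctl_challenge / ctl_answer are assumptions."""
import base64
import re
import secrets
from typing import Dict, List, Optional

_FIELDS = [b"ctl_challenge", b"What is your favorite colour?", b"ctl_answer", b"blue"]

# Constructed __VIEWSTATE value as it would appear in the HTML form.
CONSTRUCTED_VIEWSTATE = base64.b64encode(
    b"\xff\x01\x0e" + b"".join(b"\x05" + bytes([len(f)]) + f for f in _FIELDS) + b"\x00"
).decode("ascii")


def printable_strings(view_state_b64: str, min_len: int = 4) -> List[str]:
    """Base64-decode a __VIEWSTATE value and return its printable ASCII runs.
    ViewState is encoding, not encryption, so strings are readable as-is.
    A ViewState MAC only detects tampering; it does not hide the content.
    Heuristic: a length byte that happens to be printable would merge with
    its string, which is fine for a first look."""
    raw = base64.b64decode(view_state_b64)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, raw)]


def answer_from_viewstate(view_state_b64: str, marker: str = "ctl_answer") -> Optional[str]:
    """Return the string stored right after `marker` (the assumed answer field)."""
    strings = printable_strings(view_state_b64)
    try:
        return strings[strings.index(marker) + 1]
    except (ValueError, IndexError):
        return None


class ServerSideChallenge:
    """Fix: keep the expected answer in server memory keyed by session, send
    the client only the question, allow one attempt per issued challenge and
    compare in constant time."""

    def __init__(self) -> None:
        self._expected: Dict[str, str] = {}

    def issue(self, session_id: str, question: str, answer: str) -> str:
        self._expected[session_id] = answer
        return question  # only the question leaves the server

    def verify(self, session_id: str, supplied: str) -> bool:
        expected = self._expected.pop(session_id, None)
        if expected is None:
            return False
        return secrets.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    print("strings in ViewState:", printable_strings(CONSTRUCTED_VIEWSTATE))
    print("recovered answer:", answer_from_viewstate(CONSTRUCTED_VIEWSTATE))
```

Enabling ViewState encryption would hide the string but leaves the design wrong; the server-side class shows the actual fix, which is that the answer never leaves the server at all.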

This is a good indication that the column is of numeric type. By clicking on any one of these methods a user will be able to determine the expected input along with the datatype. It will surely help to increase your understanding regarding web application security.
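The numeric-column inference above, together with the query whose results come back as rows and columns, as an added example: the vulnerable concatenated query beside its parameterized fix, run on an in-memory SQLite table. This is not Hacme Bank's schema or code; the table, column names and rows are constructed, and the error text is SQLite's (SQL Server words the equivalent error differently).

```python
"""Added example (not Hacme Bank's code): the numeric-column SQL injection
pattern beside its fix, on an in-memory SQLite table constructed for this
example. Table and column names are assumptions; the error text is SQLite's
(SQL Server words it differently)."""
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, int, float, str]


def build_db() -> sqlite3.Connection:
    """Constructed transactions table: two accounts, two rows each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (id INTEGER, account_no INTEGER, amount REAL, memo TEXT)"
    )
    conn.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?, ?)",
        [
            (1, 1001, 250.00, "deposit"),
            (2, 1001, -40.00, "withdrawal"),
            (3, 2002, 1200.00, "salary"),
            (4, 2002, -75.50, "card payment"),
        ],
    )
    return conn


def view_transactions_vulnerable(conn: sqlite3.Connection, account_no: str) -> List[Row]:
    """User input concatenated into a comparison against a numeric column.
    There are no quotes to break out of, so '1001 OR 1=1' is accepted as-is
    and the predicate becomes true for every row."""
    sql = "SELECT id, account_no, amount, memo FROM transactions WHERE account_no = " + account_no
    return conn.execute(sql).fetchall()


def view_transactions_parameterized(conn: sqlite3.Connection, account_no: str) -> List[Row]:
    """Fix: validate the value as an integer, then bind it as a parameter so
    the database only ever sees one number, never SQL text."""
    try:
        value = int(account_no)
    except ValueError:
        raise ValueError("account number must be numeric: %r" % account_no)
    return conn.execute(
        "SELECT id, account_no, amount, memo FROM transactions WHERE account_no = ?", (value,)
    ).fetchall()


def probe_numeric_column(conn: sqlite3.Connection, token: str = "abc") -> Optional[str]:
    """The guide's inference: submit a bare word. If the database complains
    about an unknown column instead of quietly matching nothing, the input
    was interpolated unquoted, i.e. the column is numeric and injectable
    without a quote. Returns the error message, or None if no error."""
    try:
        view_transactions_vulnerable(conn, token)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = build_db()
    print("normal:   ", view_transactions_vulnerable(db, "1001"))
    print("injected: ", view_transactions_vulnerable(db, "1001 OR 1=1"))
    print("probe:    ", probe_numeric_column(db))
```

The probe is the same test the guide performs through the browser: when a bare word in the account-number field produces a database error naming that word as a column, the value is going into the query unquoted, which is what makes `1001 OR 1=1` work without any quote characters.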